Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1523390
MD5:	28f4aa5264e452b3b6d44ce952d0b753
SHA1:	48a612d02667a33d916dfe2cf2d8deea1ed9fe2f
SHA256:	edda936f37b0ca35e9829c5e1c0153a52a0bbe63ae114e6b6ae69b1323cfdbf6
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 4560 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 28F4AA5264E452B3B6D44CE952D0B753)

chrome.exe (PID: 2720 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 5192 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1692,i,10153467402751513809,7343525194768360430,262144 --disable-features=CrashRecovery /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 8124 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5412 --field-trial-handle=1692,i,10153467402751513809,7343525194768360430,262144 --disable-features=CrashRecovery /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 8132 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 --field-trial-handle=1692,i,10153467402751513809,7343525194768360430,262144 --disable-features=CrashRecovery /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 4560	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

String found in binary or memory: _.iq(p)+"/familylink/privacy/notice/embedded?langCountry="+_.iq(p);break;case "PuZJUb":a+="https://www.youtube.com/t/terms?chromeless=1&hl="+_.iq(m);break;case "fxTQxb":a+="https://youtube.com/t/terms?gl="+_.iq(_.rq(c))+"&hl="+_.iq(d)+"&override_hl=1"+(f?"&linkless=1":"");break;case "prAmvd":a+="https://www.google.com/intl/"+_.iq(m)+"/chromebook/termsofservice.html?languageCode="+_.iq(d)+"&regionCode="+_.iq(c);break;case "NfnTze":a+="https://policies.google.com/privacy/google-partners"+(f?"/embedded": equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: accounts.youtube.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com

Source: unknown

HTTP traffic detected: POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveContent-Length: 519sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"Content-Type: application/x-www-form-urlencoded;charset=UTF-8sec-ch-ua-full-version: "117.0.5938.134"sec-ch-ua-platform-version: "10.0.0"X-Goog-AuthUser: 0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*Origin: https://accounts.google.comX-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlaHLAQj6mM0BCIWgzQEI3L3NAQiPys0BCLnKzQEI6dLNAQjo1c0BCMvWzQEIqNjNAQj5wNQVGLrSzQEY642lFw==Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: chromecache_80.4.dr	String found in binary or memory: https://accounts.google.com
Source: chromecache_80.4.dr	String found in binary or memory: https://accounts.google.com/TOS?loc=
Source: chromecache_85.4.dr	String found in binary or memory: https://apis.google.com/js/api.js
Source: chromecache_80.4.dr	String found in binary or memory: https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage
Source: chromecache_80.4.dr	String found in binary or memory: https://families.google.com/intl/
Source: chromecache_85.4.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/drive_2020q4/v10/192px.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/gmail_2020q4/v10/web-48dp/logo_gmail_2020q4_color_2x_web_
Source: chromecache_85.4.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/maps/v7/192px.svg
Source: chromecache_80.4.dr	String found in binary or memory: https://g.co/recover
Source: chromecache_80.4.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_80.4.dr	String found in binary or memory: https://play.google.com/work/enroll?identifier=
Source: chromecache_80.4.dr	String found in binary or memory: https://play.google/intl/
Source: chromecache_80.4.dr	String found in binary or memory: https://policies.google.com/privacy
Source: chromecache_80.4.dr	String found in binary or memory: https://policies.google.com/privacy/additional
Source: chromecache_80.4.dr	String found in binary or memory: https://policies.google.com/privacy/google-partners
Source: chromecache_80.4.dr	String found in binary or memory: https://policies.google.com/technologies/cookies
Source: chromecache_80.4.dr	String found in binary or memory: https://policies.google.com/technologies/location-data
Source: chromecache_80.4.dr	String found in binary or memory: https://policies.google.com/terms
Source: chromecache_80.4.dr	String found in binary or memory: https://policies.google.com/terms/location
Source: chromecache_80.4.dr	String found in binary or memory: https://policies.google.com/terms/service-specific
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-email-pin.gif
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-password.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-or-voice-pin.gif
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-pin.gif
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-stop-go-landing-page_1x.png
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/animation/
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_device.png
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_pin.png
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync.png
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_1x.png
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_2x.png
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_darkmode_1x.png
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/continue_on_your_phone.png
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_phone_number_verification.png
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_silent_tap_yes_darkmode.gif
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes.gif
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes_darkmode.gif
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success_darkmode.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_dark_v2.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated_darkmode.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_v2.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_not_ready.png
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_1.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_dark_1.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_1.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_darkmode_1.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_1.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_darkmode_1.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_created.png
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device_darkmode.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_full_house.png
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_1.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_darkmode_1.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision_darkmode.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_1.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_darkmode_1.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_1.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_darkmode_1.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device_darkmode.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_stop.png
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/personalization_reminders.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/phone_number_sign_in_2x.png
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop_darkmode.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key.gif
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_ios_center.png
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_laptop.gif
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered.gif
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered_darkmode.gif
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_phone.gif
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_ios.gif
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_pulldown.gif
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_tapyes.gif
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/smart_lock_2x.png
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/usb_key.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/web_and_app_activity.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/who_will_be_using_this_device.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/you_tube_history.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available_dark.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/gmail_ios_authzen.gif
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/paaskey.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge_darkmode.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_darkmode.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device_darkmode.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_darkmode.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error_darkmode.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth_darkmode.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success_darkmode.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror_darkmode.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_dark.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_light.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/screenlock.png
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_ipad.gif
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone.gif
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_nfc.gif
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_usb.gif
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_phone.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_keys.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2_darkmode.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/loading_spinner_gm.gif
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/progress_spinner_color_20dp_4x.gif
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/success-gm-default_2x.png
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/apps/signup/resources/custom-email-address.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/images/hpp/shield_security_checkup_green_2x_web_96dp.png
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_dark_1.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_v1.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_dark_v1.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_v1.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_dark_v1.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_v1.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked_dark.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp_dark.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents_dark.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset_dark.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices_darkmode.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid_dark.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail_dark.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps_darkmode.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_confirmation.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore_dark.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro_darkmode.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18_darkmode.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms_dark.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings_darkmode.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search_darkmode.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18_darkmode.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18_darkmode.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18_darkmode.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_darkmode.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad_dark.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_0.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_dark_0.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization_darkmode.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation_darkmode.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error_darkmode.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork_darkmode.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro_darkmode.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results_darkmode.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search_darkmode.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications_dark.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_2.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_dark_2.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_2.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_dark_2.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_2.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_dark_2.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_2.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_dark_2.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_2.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_dark_3.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_1.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_dark_1.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_1.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_dark_1.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_2.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_dark_2.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_1.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_dark_1.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_2.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_dark_2.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_dark_v2.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_v2.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set_dark.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent_dark.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction_dark.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error_dark.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work_dark.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps_dark.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls_dark.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent_dark.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen_dark.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice_darkmode.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation_dark.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation_dark.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email_dark.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set_darkmode.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set_dark.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_dark.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_v2.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2_dark.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2_dark.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink_dark.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling_dark.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_dark_v2.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_v2.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2_dark.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup_dark.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2_dark.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2_dark.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2_dark.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help_dark.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space.png
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space_dark.png
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol_dark.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation_dark.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits_dark.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2_dark.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess.svg
Source: chromecache_85.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess_dark.svg
Source: chromecache_80.4.dr	String found in binary or memory: https://support.google.com/accounts?hl=
Source: chromecache_80.4.dr	String found in binary or memory: https://support.google.com/accounts?p=new-si-ui
Source: chromecache_80.4.dr	String found in binary or memory: https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072
Source: chromecache_85.4.dr	String found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
Source: chromecache_80.4.dr	String found in binary or memory: https://www.google.com
Source: chromecache_80.4.dr	String found in binary or memory: https://www.google.com/intl/
Source: chromecache_85.4.dr	String found in binary or memory: https://www.gstatic.com/accounts/speedbump/authzen_optin_illustration.gif
Source: chromecache_85.4.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/chrome_48dp.png
Source: chromecache_85.4.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/googleg_48dp.png
Source: chromecache_85.4.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/gsa_48dp.png
Source: chromecache_85.4.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/play_prism_48dp.png
Source: chromecache_85.4.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/youtube_48dp.png
Source: chromecache_80.4.dr	String found in binary or memory: https://www.gstatic.com/images/branding/productlogos/googleg/v6/36px.svg
Source: chromecache_80.4.dr	String found in binary or memory: https://www.youtube.com/t/terms?chromeless=1&hl=
Source: file.exe, 00000000.00000003.2197860899.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2197608164.0000000000C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: file.exe, 00000000.00000002.2198368710.0000000000E98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdB
Source: chromecache_80.4.dr	String found in binary or memory: https://youtube.com/t/terms?gl=

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.6:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.6:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49780 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0022EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0022EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0022ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0022ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0022EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0021AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0021AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00249576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00249576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.2196647155.0000000000272000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e14146eb-3
Source: file.exe, 00000000.00000000.2196647155.0000000000272000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_c7d7623d-5
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_14d0d0ea-6
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_a97c6d18-4

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0021D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0021D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00211201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00211201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0021E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0021E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001BBF40	0_2_001BBF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00222046	0_2_00222046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001B8060	0_2_001B8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00218298	0_2_00218298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001EE4FF	0_2_001EE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001E676B	0_2_001E676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00244873	0_2_00244873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001DCAA0	0_2_001DCAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001BCAF0	0_2_001BCAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001CCC39	0_2_001CCC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001E6DD9	0_2_001E6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001CB119	0_2_001CB119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001B91C0	0_2_001B91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001D1394	0_2_001D1394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001D781B	0_2_001D781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001B7920	0_2_001B7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001C997D	0_2_001C997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001D7A4A	0_2_001D7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001D7CA7	0_2_001D7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0023BE44	0_2_0023BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001E9EEE	0_2_001E9EEE

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 001CF9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 001B9CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 001D0A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal64.troj.evad.winEXE@37/30@12/9

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002237B5 GetLastError,FormatMessageW,

0_2_002237B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002110BF AdjustTokenPrivileges,CloseHandle,		0_2_002110BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002116C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_002116C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002251CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_002251CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0021D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0021D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0022648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0022648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001B42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_001B42A2

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1692,i,10153467402751513809,7343525194768360430,262144 --disable-features=CrashRecovery /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5412 --field-trial-handle=1692,i,10153467402751513809,7343525194768360430,262144 --disable-features=CrashRecovery /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 --field-trial-handle=1692,i,10153467402751513809,7343525194768360430,262144 --disable-features=CrashRecovery /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1692,i,10153467402751513809,7343525194768360430,262144 --disable-features=CrashRecovery /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5412 --field-trial-handle=1692,i,10153467402751513809,7343525194768360430,262144 --disable-features=CrashRecovery /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 --field-trial-handle=1692,i,10153467402751513809,7343525194768360430,262144 --disable-features=CrashRecovery /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001B42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001B42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001D0A76 push ecx; ret

0_2_001D0A89

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001CF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_001CF98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00241C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00241C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-93987

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.2 %

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0021DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0021DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001EC2A2 FindFirstFileExW,	0_2_001EC2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002268EE FindFirstFileW,FindClose,	0_2_002268EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0022698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0022698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0021D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0021D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0021D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0021D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00229642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00229642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0022979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0022979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00229B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00229B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00225C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00225C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001B42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001B42DE

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0022EAA2 BlockInput,

0_2_0022EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001E2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_001E2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001B42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001B42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001D4CE8 mov eax, dword ptr fs:[00000030h]

0_2_001D4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00210B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00210B62

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001E2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_001E2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001D083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_001D083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001D09D5 SetUnhandledExceptionFilter,	0_2_001D09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001D0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_001D0C21

Source: C:\Users\user\Desktop\file.exe

0_2_00211201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001F2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_001F2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0021B226 SendInput,keybd_event,

0_2_0021B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002322DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_002322DA

Source: C:\Users\user\Desktop\file.exe

0_2_00210B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00211663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00211663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001D0698 cpuid

0_2_001D0698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00228195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00228195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0020D27A GetUserNameW,

0_2_0020D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001EB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_001EB952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001B42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001B42DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 4560, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 4560, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00231204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00231204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00231806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00231806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	15 System Information Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Process Injection	2 Valid Accounts	LSA Secrets	12 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://play.google/intl/	0%	URL Reputation	safe
https://families.google.com/intl/	0%	URL Reputation	safe
https://policies.google.com/technologies/location-data	0%	URL Reputation	safe
https://apis.google.com/js/api.js	0%	URL Reputation	safe
https://policies.google.com/privacy/google-partners	0%	URL Reputation	safe
https://policies.google.com/terms/service-specific	0%	URL Reputation	safe
https://g.co/recover	0%	URL Reputation	safe
https://policies.google.com/privacy/additional	0%	URL Reputation	safe
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	0%	URL Reputation	safe
https://policies.google.com/technologies/cookies	0%	URL Reputation	safe
https://policies.google.com/terms	0%	URL Reputation	safe
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	0%	URL Reputation	safe
https://support.google.com/accounts?hl=	0%	URL Reputation	safe
https://policies.google.com/terms/location	0%	URL Reputation	safe
https://policies.google.com/privacy	0%	URL Reputation	safe
https://support.google.com/accounts?p=new-si-ui	0%	URL Reputation	safe
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
youtube-ui.l.google.com	142.250.185.238	true	false	unknown
www3.l.google.com	142.250.186.174	true	false	unknown
play.google.com	216.58.212.142	true	false	unknown
www.google.com	142.250.184.196	true	false	unknown
youtube.com	172.217.16.142	true	false	unknown
accounts.youtube.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Reputation
https://play.google.com/log?format=json&hasfast=true&authuser=0	false	unknown
https://www.google.com/favicon.ico	false	unknown
https://play.google.com/log?hasfast=true&authuser=0&format=json	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google/intl/	chromecache_80.4.dr	false	URL Reputation: safe	unknown
https://families.google.com/intl/	chromecache_80.4.dr	false	URL Reputation: safe	unknown
https://youtube.com/t/terms?gl=	chromecache_80.4.dr	false		unknown
https://policies.google.com/technologies/location-data	chromecache_80.4.dr	false	URL Reputation: safe	unknown
https://www.google.com/intl/	chromecache_80.4.dr	false		unknown
https://apis.google.com/js/api.js	chromecache_85.4.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/google-partners	chromecache_80.4.dr	false	URL Reputation: safe	unknown
https://play.google.com/work/enroll?identifier=	chromecache_80.4.dr	false		unknown
https://policies.google.com/terms/service-specific	chromecache_80.4.dr	false	URL Reputation: safe	unknown
https://g.co/recover	chromecache_80.4.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/additional	chromecache_80.4.dr	false	URL Reputation: safe	unknown
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	chromecache_80.4.dr	false	URL Reputation: safe	unknown
https://policies.google.com/technologies/cookies	chromecache_80.4.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms	chromecache_80.4.dr	false	URL Reputation: safe	unknown
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	chromecache_85.4.dr	false	URL Reputation: safe	unknown
https://www.google.com	chromecache_80.4.dr	false		unknown
https://play.google.com/log?format=json&hasfast=true	chromecache_80.4.dr	false		unknown
https://www.youtube.com/t/terms?chromeless=1&hl=	chromecache_80.4.dr	false		unknown
https://support.google.com/accounts?hl=	chromecache_80.4.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms/location	chromecache_80.4.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy	chromecache_80.4.dr	false	URL Reputation: safe	unknown
https://support.google.com/accounts?p=new-si-ui	chromecache_80.4.dr	false	URL Reputation: safe	unknown
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	chromecache_80.4.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.184.196	www.google.com	United States	15169	GOOGLEUS	false
216.58.212.142	play.google.com	United States	15169	GOOGLEUS	false
142.250.186.174	www3.l.google.com	United States	15169	GOOGLEUS	false
142.250.181.238	unknown	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
172.217.16.142	youtube.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.7
192.168.2.16
192.168.2.6

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523390
Start date and time:	2024-10-01 15:06:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal64.troj.evad.winEXE@37/30@12/9
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 36 Number of non-executed functions: 314
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.185.174, 74.125.71.84, 142.250.185.195, 34.104.35.123, 142.250.185.170, 142.250.185.74, 216.58.212.170, 142.250.185.202, 172.217.18.10, 142.250.185.138, 142.250.184.202, 142.250.186.42, 142.250.186.74, 142.250.185.106, 142.250.186.106, 216.58.206.42, 142.250.184.234, 142.250.181.234, 142.250.185.234, 142.250.186.170, 216.58.206.35, 172.217.16.202, 142.250.186.138, 172.217.16.138, 216.58.206.74, 172.217.23.106, 192.229.221.95, 2.16.100.168, 172.217.18.3, 142.250.110.84, 142.250.185.238
Excluded domains from analysis (whitelisted): clients1.google.com, client.wns.windows.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, slscr.update.microsoft.com, fonts.gstatic.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com, www.gstatic.com, optimizationguide-pa.googleapis.com
Not all processes where analyzed, report is missing behavior information
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	Sales_Contract_Main_417053608_09.2024.pdf	Get hash	malicious	Unknown	Browse
	https://swissquotech.com/swissquote-2024.zip	Get hash	malicious	Phisher	Browse
	https://links.rasa.io/v1/t/eJx1kM2OgjAUhV_FsB6kpUXQ1bzAuJp9c2mvTI1Q0tvGEMO7DzCKC51t73d-em5J9JfksEl-QujpkGXR19A13sUet9q1W4iZJko-NkmLAQwEmOhbQi56jbPwiFe6YAjoXyBswS7mBiwN2nVXGCSTn838PrvPCg8EqkUiaFCFoV9Na2_x9I0Uvv6OK0yxPqMO6tlhsmpjZ8OgppCTbaKHYF33IFflk7Nm1u3LUgDjp5QXRqZ1qU0KOYNUij0T1U7ntaxeOhJ2Rk1_XJJzlsuUs5TxlfOonTf3BF5UohBl9aZCj56mjv9wjzQfV0TIXck5E_I9RBTxjh5dt8wFtQrTgMr18xzrZRzHX-Cephc=#a2FyZW4ubW9vbmV5QGJhbGxhcmRkZXNpZ25zLm5ldA==	Get hash	malicious	HTMLPhisher	Browse
	http://innerglowjourney.com	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	https://app.powerbi.com/Redirect?action=OpenLink&linkId=zdvBDOlnbh&ctid=fc5c5a9f-3ade-48e2-abb1-5450e9fb332d&pbi_source=linkShare_m365Notify&bookmarkGuid=5672cb10-cc42-4d8a-943e-29b95931de59&bookmarkUsage=1	Get hash	malicious	HTMLPhisher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	Swift_ach Complaints.sppgCQDM.html	Get hash	malicious	HTMLPhisher	Browse
	https://radiantlogics-my.sharepoint.com/:f:/g/personal/asharma_radiantlogics_onmicrosoft_com/ErrzGhClH-1EtQegMViR0ycByA4n0Sz6jougdCLyR4Fexw?e=sIngPR	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
youtube-ui.l.google.com	file.exe	Get hash	malicious	Credential Flusher	Browse	142.250.185.78
	file.exe	Get hash	malicious	Unknown	Browse	172.217.23.110
	file.exe	Get hash	malicious	Unknown	Browse	216.58.206.78
	file.exe	Get hash	malicious	Unknown	Browse	142.250.185.238
	file.exe	Get hash	malicious	Unknown	Browse	172.217.16.142
	https://app.getresponse.com/change_details.html?x=a62b&m=BrgFNl&s=BW9rcZD&u=C3YQM&z=EMkQID6&pt=change_details	Get hash	malicious	Unknown	Browse	142.250.181.238
	file.exe	Get hash	malicious	Unknown	Browse	142.250.185.206
	http://www.aieov.com/setup.exe	Get hash	malicious	Unknown	Browse	172.217.16.142
	file.exe	Get hash	malicious	Unknown	Browse	142.250.186.110
	file.exe	Get hash	malicious	Unknown	Browse	142.250.185.110

ASNs

⊘No context

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	https://swissquotech.com/swissquote-2024.zip	Get hash	malicious	Phisher	Browse	13.85.23.86 184.28.90.27
	https://links.rasa.io/v1/t/eJx1kM2OgjAUhV_FsB6kpUXQ1bzAuJp9c2mvTI1Q0tvGEMO7DzCKC51t73d-em5J9JfksEl-QujpkGXR19A13sUet9q1W4iZJko-NkmLAQwEmOhbQi56jbPwiFe6YAjoXyBswS7mBiwN2nVXGCSTn838PrvPCg8EqkUiaFCFoV9Na2_x9I0Uvv6OK0yxPqMO6tlhsmpjZ8OgppCTbaKHYF33IFflk7Nm1u3LUgDjp5QXRqZ1qU0KOYNUij0T1U7ntaxeOhJ2Rk1_XJJzlsuUs5TxlfOonTf3BF5UohBl9aZCj56mjv9wjzQfV0TIXck5E_I9RBTxjh5dt8wFtQrTgMr18xzrZRzHX-Cephc=#a2FyZW4ubW9vbmV5QGJhbGxhcmRkZXNpZ25zLm5ldA==	Get hash	malicious	HTMLPhisher	Browse	13.85.23.86 184.28.90.27
	http://innerglowjourney.com	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27
	file.exe	Get hash	malicious	Credential Flusher	Browse	13.85.23.86 184.28.90.27
	R183nzNa89.exe	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27
	R183nzNa89.exe	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27
	https://app.powerbi.com/Redirect?action=OpenLink&linkId=zdvBDOlnbh&ctid=fc5c5a9f-3ade-48e2-abb1-5450e9fb332d&pbi_source=linkShare_m365Notify&bookmarkGuid=5672cb10-cc42-4d8a-943e-29b95931de59&bookmarkUsage=1	Get hash	malicious	HTMLPhisher	Browse	13.85.23.86 184.28.90.27
	file.exe	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27
	file.exe	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27
	Swift_ach Complaints.sppgCQDM.html	Get hash	malicious	HTMLPhisher	Browse	13.85.23.86 184.28.90.27
3b5074b1b5d032e5620f69f9f700ff0e	hesaphareketi-01.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	40.115.3.253 40.113.103.199
	https://swissquotech.com/swissquote-2024.zip	Get hash	malicious	Phisher	Browse	40.115.3.253 40.113.103.199
	He6pI1bhcA.exe	Get hash	malicious	ScreenConnect Tool	Browse	40.115.3.253 40.113.103.199
	5eRyCYRR9y.exe	Get hash	malicious	ScreenConnect Tool	Browse	40.115.3.253 40.113.103.199
	VD01NDHM8u.exe	Get hash	malicious	ScreenConnect Tool	Browse	40.115.3.253 40.113.103.199
	vovE92JSzK.exe	Get hash	malicious	ScreenConnect Tool	Browse	40.115.3.253 40.113.103.199
	s9POKY8U8k.exe	Get hash	malicious	ScreenConnect Tool	Browse	40.115.3.253 40.113.103.199
	xkIXA8M8sC.exe	Get hash	malicious	ScreenConnect Tool	Browse	40.115.3.253 40.113.103.199
	He6pI1bhcA.exe	Get hash	malicious	ScreenConnect Tool	Browse	40.115.3.253 40.113.103.199
	5eRyCYRR9y.exe	Get hash	malicious	ScreenConnect Tool	Browse	40.115.3.253 40.113.103.199

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (522)
Category:	downloaded
Size (bytes):	5049
Entropy (8bit):	5.317800104741948
Encrypted:	false
SSDEEP:	96:oHX9gPiPrfnHhsB0TR6kg1oDPJzLmM18Vh1z2fEZ54TZtnqj6w:EtEAr6BmPZtOeEvW/ncP
MD5:	CE53EF566B68CCF2D62FA044CFB0D138
SHA1:	F48EC60289F2B55E8B388601206888F8295B1EB1
SHA-256:	E6CC5114D92811D5DE0663266D4B63F367834AFA0FC3BAFA54F707038C59D010
SHA-512:	20B434881DE971E263669E6096C01665D4D35B0FBFF47D312A4A442645EE962A8CE6AD7E68246D4EE9691BD30D9B1DDCF7059226492E1B58CD3191B63B001E4D
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHcuwDoV1_a7sThPZwbu2Ah9zAL5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=wg1P6b"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.$Ma=_.y("wg1P6b",[_.OA,_.Fn,_.Rn]);._.k("wg1P6b");.var M5a;M5a=_.oh(["aria-"]);._.mJ=function(a){_.Y.call(this,a.Fa);this.Ja=this.ta=this.aa=this.viewportElement=this.La=null;this.Tc=a.Ea.qf;this.ab=a.Ea.focus;this.Lc=a.Ea.Lc;this.ea=this.Ei();a=-1*parseInt(_.Fo(this.Ei().el(),"marginTop")\|\|"0",10);var b=parseInt(_.Fo(this.Ei().el(),"marginBottom")\|\|"0",10);this.Ta={top:a,right:0,bottom:b,left:0};a=_.gf(this.getData("isMenuDynamic"),!1);b=_.gf(this.getData("isMenuHoisted"),!1);this.Ga=a?1:b?2:0;this.ka=!1;this.Ca=1;this.Ga!==1&&(this.aa=this.Sa("U0exHf").children().Sc(0),_.fu(this,.N5a(this,this.aa.el())));_.mF(this.oa())&&(a=this.oa().el(),b=this.De.bind(this),a.__soy_skip_handler=b)};_.J(_.mJ,_.Y);_.mJ.Ba=function(){return{Ea:{qf:_.SE,focus:_.BE,Lc:_.mu}}};_.mJ.prototype.pF=function(a){var b=a.source;this.La=b;var c;((c=a.data)==null?0:c.Jy)?(a=a.data.Jy,this.Ca=a==="MOUS

Chrome Cache Entry: 80

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (5693)
Category:	downloaded
Size (bytes):	697429
Entropy (8bit):	5.593310312179182
Encrypted:	false
SSDEEP:	6144:TYNlxfbDTYDhzCTNoygVWyJb5eGpbL2Mp15gI8seqfh53p+rrvV7i:T25bDTYB+qeGB+Nu
MD5:	92F0F5E28355D863ACB77313F1E675DE
SHA1:	8AD6F9B535D5B8952A4ADCCC57E4A4E0723F1E8D
SHA-256:	F903AE346609A2872554A3D8FFBDB1836CB5C8B7AAAED4C3F8296B887E03D833
SHA-512:	0C81A6CD850C6ACDBE9CCCBA00BBA34CDE1E09E8572814AE8E55DBED3C2B56F0B020359841F8217843B3403847DF46FA1C82229684F762A73C8110CE45898DAF
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=LEikZe,_b,_tp,byfTOb,lsjVmc/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHcuwDoV1_a7sThPZwbu2Ah9zAL5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=n73qwf,SCuOPb,IZT63,vfuNJf,UUJqVe,ws9Tlc,siKnQd,XVq9Qb,STuCOe,njlZCf,m9oV,vjKJJ,y5vRwf,iyZMqd,NTMZac,mzzZzc,rCcCxc,vvMGie,K1ZKnb,ziZ8Mc,b3kMqb,mvkUhe,CMcBD,Fndnac,t2srLd,EN3i8d,z0u0L,xiZRqc,NOeYWe,O6y8ed,L9OGUe,PrPYRd,MpJwZc,qPfo0c,cYShmd,hc6Ubd,Rkm0ef,KUM7Z,oLggrd,inNHtf,L1AAkb,WpP9Yc,lwddkf,gJzDyc,SpsfSb,aC1iue,tUnxGc,aW3pY,ZakeSe,EFQ78c,xQtZb,I6YDgd,zbML3c,zr1jrb,vHEMJe,YHI3We,YTxL4,bSspM,Uas9Hd,zy0vNb,K0PMbc,AvtSve,qmdT9,MY7mZe,xBaz7b,GwYlN,eVCnO,EIOG1e,LDQI"
Preview:	"use strict";_F_installCss(".r4WGQb{position:relative}.Dl08I>:first-child{margin-top:0}.Dl08I>:last-child{margin-bottom:0}.IzwVE{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-family:\"Google Sans\",roboto,\"Noto Sans Myanmar UI\",arial,sans-serif;font-size:1.25rem;font-weight:400;letter-spacing:0rem;line-height:1.2}.l5PPKe{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-size:1rem}.l5PPKe .dMNVAe{margin:0;padding:0}.l5PPKe>:first-child{margin-top:0;padding-top:0}.l5PPKe>:last-child{margin-bottom:0;padding-bottom:0}.Dl08I{margin:0;padding:0;position:relative}.Dl08I>.SmR8:only-child{padding-top:1px}.Dl08I>.SmR8:only-child::before{top:0}.Dl08I>.SmR8:not(first-child){padding-bottom:1px}.Dl08I>.SmR8::after{bottom:0}.Dl08I>.SmR8:only-child::before,.Dl08I>.SmR8::after{border-bottom:1px solid #c4c7c5;border-bottom:1px solid var(--gm3-sys-color-outline-variant,#c4c7c5);content:\"\";height:0;left:0;position:absolute;width:100%}.aZvCDf{margin-top:8px;margin-left

Chrome Cache Entry: 81

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (468)
Category:	downloaded
Size (bytes):	1858
Entropy (8bit):	5.253939888205379
Encrypted:	false
SSDEEP:	48:o7BNJfeFb8L3A6FHqIy5Z+d70OCzSfvi/3fM/r8ZQzRrw:oFuILhFHrVCz0vLZz9w
MD5:	10FF6F99E3228E96AFD6E2C30EF97C0A
SHA1:	4AE3DCB8D1F5A0C302D5BAD9DFF5050A7A5E8130
SHA-256:	95E5546E1C7F311D07BB5050CC456A973E43BCC4777BA6014757376016537679
SHA-512:	116C0B1CAC98A27044100005545AB66BE5F4801D75DC259093A9F145B3A4ACD8DC1C360AF525F6DC8421CD54B675A78023D2ED8B57F5946A3969543758C673C9
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHcuwDoV1_a7sThPZwbu2Ah9zAL5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=iAskyc,ziXSP"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("iAskyc");._.$Z=function(a){_.X.call(this,a.Fa);this.window=a.Ea.window.get();this.Mc=a.Ea.Mc};_.J(_.$Z,_.X);_.$Z.Ba=function(){return{Ea:{window:_.lu,Mc:_.vE}}};_.$Z.prototype.Mo=function(){};_.$Z.prototype.addEncryptionRecoveryMethod=function(){};_.a_=function(a){return(a==null?void 0:a.Go)\|\|function(){}};_.b_=function(a){return(a==null?void 0:a.N2)\|\|function(){}};_.OOb=function(a){return(a==null?void 0:a.Mp)\|\|function(){}};._.POb=function(a){return new Map(Array.from(a,function(b){var c=_.n(b);b=c.next().value;c=c.next().value;return[b,c.map(function(d){return{epoch:d.epoch,key:new Uint8Array(d.key)}})]}))};_.QOb=function(a){setTimeout(function(){throw a;},0)};_.$Z.prototype.WN=function(){return!0};_.iu(_.Dn,_.$Z);._.l();._.k("ziXSP");.var t_=function(a){_.$Z.call(this,a.Fa)};_.J(t_,_.$Z);t_.Ba=_.$Z.Ba;t_.prototype.Mo=function(a,b,c){var d;if((d=this.window.chrome)==nu

Chrome Cache Entry: 82

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (3346)
Category:	downloaded
Size (bytes):	22827
Entropy (8bit):	5.420322672717721
Encrypted:	false
SSDEEP:	384:/jqdWXWfyA20UUjDE8BSUxDJs16KHvSN34kaHaN+587SaXD2mLR0H:/jqdWXAUUjDE84Wi6KPSKjHaN+58+0J2
MD5:	2B29741A316862EE788996DD29116DD5
SHA1:	9D5551916D4452E977C39B8D69CF88DF2AAA462B
SHA-256:	62955C853976B722EFBB4C116A10DB3FF54580EDD7495D280177550B8F4289AB
SHA-512:	6E37C3258F07F29909763728DADE0CD40A3602D55D9099F78B37756926FCF2A50008B82876B518FEAF3E56617F0F7D1D37A73C346A99A58E6AD8BCD6689E9B15
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHcuwDoV1_a7sThPZwbu2Ah9zAL5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=RqjULd"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.pu.prototype.da=_.ca(38,function(){return _.vj(this,3)});_.Vy=function(a,b){this.key=a;this.defaultValue=!1;this.flagName=b};_.Vy.prototype.ctor=function(a){return typeof a==="boolean"?a:this.defaultValue};_.Wy=function(){this.ka=!0;var a=_.Bj(_.jk(_.Fe("TSDtV",window),_.pya),_.pu,1,_.uj())[0];if(a){var b={};for(var c=_.n(_.Bj(a,_.qya,2,_.uj())),d=c.next();!d.done;d=c.next()){d=d.value;var e=_.Nj(d,1).toString();switch(_.xj(d,_.qu)){case 3:b[e]=_.Lj(d,_.pj(d,_.qu,3));break;case 2:b[e]=_.Nj(d,_.pj(d,_.qu,2));break;case 4:b[e]=_.Oj(d,_.pj(d,_.qu,4));break;case 5:b[e]=_.L(d,_.pj(d,_.qu,5));break;case 6:b[e]=_.Sj(d,_.kf,6,_.qu);break;default:throw Error("id`"+_.xj(d,_.qu));}}}else b={};this.ea=b;this.token=.a?a.da():null};_.Wy.prototype.aa=function(a){if(!this.ka\|\|a.key in this.ea)a=a.ctor(this.ea[a.key]);else if(_.Fe("nQyAE",window)){var b=_.sya(a.flagName);if(b===null)a=a.def

Chrome Cache Entry: 83

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (681)
Category:	downloaded
Size (bytes):	4070
Entropy (8bit):	5.362700670482359
Encrypted:	false
SSDEEP:	96:GUpT+TmXtdW1qsHFcn7t7CnyWYvNTcLaQOw:lpT+qXW1PFcn7tGnyWY1TGb
MD5:	ED368A20CB303C0E7C6A3E6E43C2E14F
SHA1:	429A5C538B45221F80405163D1F87912DD73C05A
SHA-256:	93BA77AD4B11E0A70C0D36576F0DF24E27F50001EA02BAA6D357E034532D97F2
SHA-512:	DE74BBADE910475DD245FFEFD4E1FD10137DE710B1C920D33BA52554911496E1339EF3C1F6D9D315CBC98A60ABE5687A3E7D8BEE483708E18D25722E794BDBE9
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHcuwDoV1_a7sThPZwbu2Ah9zAL5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=sOXFj,q0xTif,ZZ4WUe"
Preview:	"use strict";_F_installCss(".N7rBcd{overflow-x:auto}sentinel{}");.this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.zg(_.dqa);._.k("sOXFj");.var ou=function(a){_.X.call(this,a.Fa)};_.J(ou,_.X);ou.Ba=_.X.Ba;ou.prototype.aa=function(a){return a()};_.iu(_.cqa,ou);._.l();._.k("oGtAuc");._.oya=new _.uf(_.dqa);._.l();._.k("q0xTif");.var iza=function(a){var b=function(d){_.Zn(d)&&(_.Zn(d).Gc=null,_.yu(d,null));d.XyHi9&&(d.XyHi9=null)};b(a);a=a.querySelectorAll("[c-wiz]");for(var c=0;c<a.length;c++)b(a[c])},Ku=function(a){_.et.call(this,a.Fa);this.Qa=this.dom=null;if(this.Vk()){var b=_.Jm(this.Mg(),[_.Om,_.Nm]);b=_.ri([b[_.Om],b[_.Nm]]).then(function(c){this.Qa=c[0];this.dom=c[1]},null,this);_.cu(this,b)}this.Ra=a.Xl.Hda};_.J(Ku,_.et);Ku.Ba=function(){return{Xl:{Hda:function(a){return _.Ye(a)}}}};Ku.prototype.yp=function(a){return this.Ra.yp(a)};.Ku.prototype.getData=function(a){return this.Ra.getData(a)};Ku.prototype.vp=function(){_.Ft(this.d

Chrome Cache Entry: 84

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	downloaded
Size (bytes):	5430
Entropy (8bit):	3.6534652184263736
Encrypted:	false
SSDEEP:	48:wIJct3xIAxG/7nvWDtZcdYLtX7B6QXL3aqG8Q:wIJct+A47v+rcqlBPG9B
MD5:	F3418A443E7D841097C714D69EC4BCB8
SHA1:	49263695F6B0CDD72F45CF1B775E660FDC36C606
SHA-256:	6DA5620880159634213E197FAFCA1DDE0272153BE3E4590818533FAB8D040770
SHA-512:	82D017C4B7EC8E0C46E8B75DA0CA6A52FD8BCE7FCF4E556CBDF16B49FC81BE9953FE7E25A05F63ECD41C7272E8BB0A9FD9AEDF0AC06CB6032330B096B3702563
Malicious:	false
URL:	https://www.google.com/favicon.ico
Preview:	............ .h...&... .... .........(....... ..... ............................................0...................................................................................................................................v.].X.:.X.:.r.Y........................................q.X.S.4.S.4.S.4.S.4.S.4.S.4...X....................0........q.W.S.4.X.:.................J...A...g.........................K.H.V.8..........................F..B.....................,.......................................B..............................................B..B..B..B..B...u..........................................B..B..B..B..B...{.................5.......k...........................................................7R..8F.................................................2........Vb..5C..;I..................R^.....................0................Xc..5C..5C..5C..5C..5C..5C..lv..........................................]i..<J..:G..Zf....................................................

Chrome Cache Entry: 85

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (553)
Category:	downloaded
Size (bytes):	603951
Entropy (8bit):	5.789948381047936
Encrypted:	false
SSDEEP:	3072:W0pApkygA62bwwdnO2YflNYhFGOizdGj008PpVVM96C5bMEPQUhts6FV8eKqtVAT:WlgNmwwdnOsF98oNGuQRAYqXsI1+
MD5:	A97373CC3F8795654F3C8C6B57066AE7
SHA1:	F7BECFDDE230EF537E8745B598DCED737C490C3C
SHA-256:	A1B0568D555DC4B4AF4CC5A6C41E838B702816445C04FF002C8A13058387F311
SHA-512:	47C76D26F4F9F206F93186800E06D3DBE1FDD0A1BA23FB9A3556390DE7F86C1FFB2C78FE307FB944C690475BFBAE9738C38233E00FDDFA9775A3B2030081D7F1
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/excm=_b,_tp,identifierview/ed=1/dg=0/wt=2/ujg=1/rs=AOaEmlEQAz5EZnBR6fK6LIn1v8ILsATM3g/m=_b,_tp"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._._F_toggles_initialize=function(a){(typeof globalThis!=="undefined"?globalThis:typeof self!=="undefined"?self:this)._F_toggles=a\|\|[]};(0,_._F_toggles_initialize)([0x286081c4, 0x2046d860, 0x1ce13c40, 0x51407a0, 0x1908, 0x0, 0x1b400000, 0x19a00000, 0x0, ]);./.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0././.. Copyright Google LLC. SPDX-License-Identifier: Apache-2.0././.. Copyright 2024 Google, Inc. SPDX-License-Identifier: MIT././. SPDX-License-Identifier: Apache-2.0././. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0./.var baa,daa,Na,Ua,gaa,iaa,lb,qaa,xaa,Daa,Iaa,Laa,Mb,Maa,Rb,Vb,Wb,Naa,Oaa,Xb,Paa,Qaa,Raa,ac,Waa,Yaa,ic,jc,kc,cba,dba,hba,kba,mba,nba,rba,uba,oba,tba,sba,qba,pba,vba,zba,Dba,Eba,Bba,Kc,Lc,Hba,Jba,Nba,Oba,Pba,Qba,Mba,Rba,Tba,gd,Vba,Wba,Yba,$ba,Zba,bca,cca,dca,eca,gca,fca,ica,jca,kca,lca,oca,r

Chrome Cache Entry: 86

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (533)
Category:	downloaded
Size (bytes):	9210
Entropy (8bit):	5.3872171131917925
Encrypted:	false
SSDEEP:	192:FK/pAzN7GZ068Hqhqu6DQaVapzYjgKItwdiwUsYRTi1j1t9bRl9:FqI7GZ04dRYjghtgisYYbt9ll9
MD5:	AB70454DE18E1CE16E61EAC290FC304D
SHA1:	68532B5E8B262D7E14B8F4507AA69A61146B3C18
SHA-256:	B32D746867CC4FA21FD39437502F401D952D0A3E8DC708DFB7D58B85F256C0F1
SHA-512:	A123C517380BEF0B47F23A5A6E1D16650FE39D9C701F9FA5ADD79294973C118E8EA3A7BA32CB63C3DFC0CE0F843FB86BFFCAA2AAE987629E7DFF84F176DEBB98
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PrPYRd,Rkm0ef,SCuOPb,STuCOe,SpsfSb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,byfTOb,cYShmd,eVCnO,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,qPfo0c,qmdT9,rCcCxc,siKnQd,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHcuwDoV1_a7sThPZwbu2Ah9zAL5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ltDFwf,SD8Jgb,rmumx,E87wgc,qPYxq,Tbb4sb,pxq3x,f8Gu1e,soHxf,YgOFye,yRXbo,bTi8wc,ywOR5c,PHUIyb"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.gNa=_.y("SD8Jgb",[]);._.QX=function(a,b){if(typeof b==="string")a.Nc(b);else if(b instanceof _.Ip&&b.ia&&b.ia===_.B)b=_.$a(b.ww()),a.empty().append(b);else if(b instanceof _.Wa)b=_.$a(b),a.empty().append(b);else if(b instanceof Node)a.empty().append(b);else throw Error("Vf");};_.RX=function(a){var b=_.Lo(a,"[jsslot]");if(b.size()>0)return b;b=new _.Jo([_.Qk("span")]);_.Mo(b,"jsslot","");a.empty().append(b);return b};_.TKb=function(a){return a===null\|\|typeof a==="string"&&_.Ki(a)};._.k("SD8Jgb");._.WX=function(a){_.Y.call(this,a.Fa);this.Ua=a.controller.Ua;this.kd=a.controllers.kd[0]\|\|null;this.header=a.controller.header;this.nav=a.controller.nav;var b;(b=this.oa().find("button:not([type])").el())==null\|\|b.setAttribute("type","button")};_.J(_.WX,_.Y);_.WX.Ba=function(){return{controller:{Ua:{jsname:"n7vHCb",ctor:_.hv},header:{jsname:"tJHJj",ctor:_.hv},nav:{jsname:"DH6Rkf",ct

Chrome Cache Entry: 87

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 52280, version 1.0
Category:	downloaded
Size (bytes):	52280
Entropy (8bit):	7.995413196679271
Encrypted:	true
SSDEEP:	1536:1rvqtK8DZilXxwJ8mMwAZy7phqsFLdG3B4d:xytBZits8bw4wzbFxG3B4d
MD5:	F61F0D4D0F968D5BBA39A84C76277E1A
SHA1:	AA3693EA140ECA418B4B2A30F6A68F6F43B4BEB2
SHA-256:	57147F08949ABABE7DEEF611435AE418475A693E3823769A25C2A39B6EAD9CCC
SHA-512:	6C3BD90F709BCF9151C9ED9FFEA55C4F6883E7FDA2A4E26BF018C83FE1CFBE4F4AA0DB080D6D024070D53B2257472C399C8AC44EEFD38B9445640EFA85D5C487
Malicious:	false
URL:	https://fonts.gstatic.com/s/googlesans/v58/4UaRrENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iq2vgCI.woff2
Preview:	wOF2.......8.....................................^...$..4?HVAR..?MVAR9.`?STAT.',..J/.......`..(..Z.0..R.6.$.... .....K..[..q..c..T.....>.P.j.`.w..#...%......N.".....$..3.0.6......... .L.rX/r[j.y.\|(.4.%#.....2.v.m..-..%.....;-.Y.{..&..O=#l@...k..7g..ZI...#.Z./+T..r7...M..3).Z%.x....s..sL..[A!.51w'/.8V..2Z..%.X.h.o.).]..9..Q`.$.....7..kZ.~O........d..g.n.d.Rw+&....Cz..uy#..fz,(.J....v.%..`..9.....h...?O..:...c%.....6s....xl..#...5..._......1.>.)"U.4 W....?%......6//!$...!.n9C@n...........!""^.....W..Z<.7.x.."UT.T....E.."R>.R..t.....H d..e_.K../.+8.Q.P.ZQ....;...U....]......._.e......71.?.7.ORv.?...l...G\|.P...\|:...I.X..2.,.L........d.g.]}W#uW]QnuP-s.;.-Y.....].......C..j_.M0...y.......J..........NY..@A...,....-.F......'..w./j5g.vUS...U..0.&...y7.LP.....%.....Y......Y..D. e.A..G.?.$.......6...eaK.n5.m...N...,...+BCl..L> .E9~.b[.w.x....6<...}.e...%V....O.......*.?...a..#[eE.4..p..$...].....%......o._......N.._~..El....b..A.0.r8.....\|..D.d..

Chrome Cache Entry: 88

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (1694)
Category:	downloaded
Size (bytes):	32499
Entropy (8bit):	5.361345284201954
Encrypted:	false
SSDEEP:	768:mLX1O+aL6fgyIiREM4RKmh90toLoTswtF3ATcbDR6kIsnJd9DPyMv/FI:U2M4oltoLoTswtFoc/tIsnXFLI
MD5:	D5C3FB8EAE24AB7E40009338B5078496
SHA1:	5638BF5986A6445A88CD79A9B690B744B126BEC2
SHA-256:	597C14D360D690BCFDC2B8D315E6BB8879AEF33DE6C30D274743079BDB63C6B0
SHA-512:	6AE434850D473BEF15AA694AB4862596982CDDA6BD3991991D3ADD8F4A5F61DFBF8756D0DA98B72EF083909D68CF7B6B148A6488E9381F92FBF15CCB20176A0E
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=_b,_tp/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHcuwDoV1_a7sThPZwbu2Ah9zAL5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=byfTOb,lsjVmc,LEikZe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{.var qua=function(a,b){this.da=a;this.ea=b;if(!c){var c=new _.gp("//www.google.com/images/cleardot.gif");_.rp(c)}this.ka=c};_.h=qua.prototype;_.h.Vc=null;_.h.QY=1E4;_.h.Iz=!1;_.h.TP=0;_.h.qJ=null;_.h.DU=null;_.h.setTimeout=function(a){this.QY=a};_.h.start=function(){if(this.Iz)throw Error("dc");this.Iz=!0;this.TP=0;rua(this)};_.h.stop=function(){sua(this);this.Iz=!1};.var rua=function(a){a.TP++;navigator!==null&&"onLine"in navigator&&!navigator.onLine?_.om((0,_.eg)(a.JG,a,!1),0):(a.aa=new Image,a.aa.onload=(0,_.eg)(a.Xia,a),a.aa.onerror=(0,_.eg)(a.Wia,a),a.aa.onabort=(0,_.eg)(a.Via,a),a.qJ=_.om(a.Yia,a.QY,a),a.aa.src=String(a.ka))};_.h=qua.prototype;_.h.Xia=function(){this.JG(!0)};_.h.Wia=function(){this.JG(!1)};_.h.Via=function(){this.JG(!1)};_.h.Yia=function(){this.JG(!1)};._.h.JG=function(a){sua(this);a?(this.Iz=!1,this.da.call(this.ea,!0)):this.TP<=0?rua(this):(this.Iz=!1,

Chrome Cache Entry: 89

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (683)
Category:	downloaded
Size (bytes):	3131
Entropy (8bit):	5.3750044852869046
Encrypted:	false
SSDEEP:	48:o7zfN/cD498xdg+Y5jNQ8js6npwk0OmNAEZbpMzR4EQBcW5QcHj9KWfGAeFKRrw:oCD9dA5jOEGh+EFqR4rhqUhzff9w
MD5:	39693D34EE3D1829DBB1627C4FC6687B
SHA1:	A03303C2F027F3749B48D5134D1F8FB3E495C6E9
SHA-256:	03B0C1B4E402E0BCF75D530DD9085B25357EEFD09E238453DE1F3A042542C076
SHA-512:	AC0749EDC33DA0EC0E40470388DD797B6528AD08B8FAC1C2AC42F85198131052BA1B533E90409D35DA237607E8B07D591FA6BA580B6A90B0D0AB2282A01F7585
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHcuwDoV1_a7sThPZwbu2Ah9zAL5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ZwDk9d,RMhBfe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("ZwDk9d");.var bA=function(a){_.X.call(this,a.Fa)};_.J(bA,_.X);bA.Ba=_.X.Ba;bA.prototype.wR=function(a){return _.af(this,{Wa:{HS:_.ol}}).then(function(b){var c=window._wjdd,d=window._wjdc;return!c&&d?new _.oi(function(e){window._wjdc=function(f){d(f);e(PJa(f,b,a))}}):PJa(c,b,a)})};var PJa=function(a,b,c){return(a=a&&a[c])?a:b.Wa.HS.wR(c)};.bA.prototype.aa=function(a,b){var c=_.csa(b).Gj;if(c.startsWith("$")){var d=_.jm.get(a);_.xq[b]&&(d\|\|(d={},_.jm.set(a,d)),d[c]=_.xq[b],delete _.xq[b],_.yq--);if(d)if(a=d[c])b=_.ef(a);else throw Error("Jb`"+b);else b=null}else b=null;return b};_.iu(_.Mfa,bA);._.l();._.k("SNUn3");._.OJa=new _.uf(_.Ag);._.l();._.k("RMhBfe");.var QJa=function(a){var b=_.wq(a);return b?new _.oi(function(c,d){var e=function(){b=_.wq(a);var f=_.Tfa(a,b);f?c(f.getAttribute("jsdata")):window.document.readyState=="complete"?(f=["Unable to find deferred jsdata wit

Chrome Cache Entry: 90

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (569)
Category:	downloaded
Size (bytes):	3471
Entropy (8bit):	5.5174491302699495
Encrypted:	false
SSDEEP:	96:ojAmjTJ/fJgpIcB7Fd2tilGBEMO/A6VxV08w:vUTJpgDJXM0ApJ
MD5:	2D999C87DD54C7FE6400D267C33FBB23
SHA1:	414C3A329C2760325EDBACBD7A221D7F8DBFEEE8
SHA-256:	76D55A1AFC1D39CB04D60EB04E45A538A0E75EE2871561C84CC89B1C13596BCC
SHA-512:	72D923BB71DD147139962FF8E2BD0E336E0F6409C212AC2F25387D0F3B4FC9365F5A6D40E2980BB1065534888362C97D6B7663E362D29166B5915D2A9DA7D238
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,wg1P6b,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHcuwDoV1_a7sThPZwbu2Ah9zAL5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=Wt6vjf,hhhU8,FCpbqb,WhJNk"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("Wt6vjf");.var Txa=function(){var a=_.Ke();return _.L(a,1)},Tt=function(a){this.Da=_.t(a,0,Tt.messageId)};_.J(Tt,_.w);Tt.prototype.Ha=function(){return _.Hj(this,1)};Tt.prototype.Va=function(a){return _.Yj(this,1,a)};Tt.messageId="f.bo";var Ut=function(){_.km.call(this)};_.J(Ut,_.km);Ut.prototype.ud=function(){this.jT=!1;Uxa(this);_.km.prototype.ud.call(this)};Ut.prototype.aa=function(){Vxa(this);if(this.hC)return Wxa(this),!1;if(!this.sV)return Vt(this),!0;this.dispatchEvent("p");if(!this.fP)return Vt(this),!0;this.jM?(this.dispatchEvent("r"),Vt(this)):Wxa(this);return!1};.var Xxa=function(a){var b=new _.gp(a.z4);a.WP!=null&&_.Mn(b,"authuser",a.WP);return b},Wxa=function(a){a.hC=!0;var b=Xxa(a),c="rt=r&f_uid="+_.sk(a.fP);_.fn(b,(0,_.eg)(a.ea,a),"POST",c)};.Ut.prototype.ea=function(a){a=a.target;Vxa(this);if(_.jn(a)){this.RJ=0;if(this.jM)this.hC=!1,this.dispatchEvent("r")

Chrome Cache Entry: 91

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (395)
Category:	downloaded
Size (bytes):	1608
Entropy (8bit):	5.280977407061266
Encrypted:	false
SSDEEP:	48:o7YNJvl3WlENrpB3stYCIgMxILNH/wf7DVTBpdQrw:oApB8iDwYlGw
MD5:	4FB66582D37D04933F00E49C2FBA34D4
SHA1:	3DB09C53BBEB1EEB045A001356E498D8EF30915D
SHA-256:	A97DAC01ABFE3EB75C7C97D504E21BDDDADDB6EBE0B56B6A9A10CD3700CAB41B
SHA-512:	2AEB3A6CFFBF6EFA626EBDC9E11ACBAC04BFE986F98FBC050B2501898B289C67D392ED195D16ACC9565EF8784401ADA1E88188CDE3A7AB12D98BB5ED7D8A5711
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHcuwDoV1_a7sThPZwbu2Ah9zAL5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=w9hDv,ZDZcre,A7fCU"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("w9hDv");._.zg(_.Kla);_.$z=function(a){_.X.call(this,a.Fa);this.aa=a.Wa.cache};_.J(_.$z,_.X);_.$z.Ba=function(){return{Wa:{cache:_.Zs}}};_.$z.prototype.execute=function(a){_.Gb(a,function(b){var c;_.df(b)&&(c=b.eb.jc(b.jb));c&&this.aa.oG(c)},this);return{}};_.iu(_.Qla,_.$z);._.l();._.k("ZDZcre");.var ZG=function(a){_.X.call(this,a.Fa);this.Nl=a.Ea.Nl;this.G3=a.Ea.metadata;this.aa=a.Ea.Ws};_.J(ZG,_.X);ZG.Ba=function(){return{Ea:{Nl:_.DG,metadata:_.HZa,Ws:_.AG}}};ZG.prototype.execute=function(a){var b=this;a=this.aa.create(a);return _.Gb(a,function(c){var d=b.G3.getType(c.Md())===2?b.Nl.Pb(c):b.Nl.fetch(c);return _.Jl(c,_.EG)?d.then(function(e){return _.Jd(e)}):d},this)};_.iu(_.Vla,ZG);._.l();._.k("K5nYTd");._.GZa=new _.uf(_.Rla);._.l();._.k("sP4Vbe");.._.l();._.k("kMFpHd");.._.l();._.k("A7fCU");.var GG=function(a){_.X.call(this,a.Fa);this.aa=a.Ea.ZP};_.J(GG,_.X);GG.Ba=func

Chrome Cache Entry: 92

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	84
Entropy (8bit):	4.875266466142591
Encrypted:	false
SSDEEP:	3:DZFJu0+WVTBCq2Bjdw2KsJJuYHSKnZ:lFJuuVTBudw29nu4SKZ
MD5:	87B6333E98B7620EA1FF98D1A837A39E
SHA1:	105DE6815B0885357DE1414BFC0D77FCC9E924EF
SHA-256:	DCD3C133C5C40BECD4100BBE6EDAE84C9735E778E4234A5E8395C56FF8A733BA
SHA-512:	867D7943D813685FAA76394E53199750C55817E836FD19C933F74D11E9657CE66719A6D6B2E39EE1DE62358BCE364E38A55F4E138DF92337DE6985DDCD5D0994
Malicious:	false
URL:	https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xMzQSHgmA6QC9dWevzxIFDRkBE_oSBQ3oIX6GEgUN05ioBw==?alt=proto
Preview:	Cj0KBw0ZARP6GgAKKQ3oIX6GGgQISxgCKhwIClIYCg5AIS4jJF8qLSY/Ky8lLBABGP////8PCgcN05ioBxoA

Chrome Cache Entry: 93

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (755)
Category:	downloaded
Size (bytes):	1460
Entropy (8bit):	5.316515499943097
Encrypted:	false
SSDEEP:	24:kMYD7DduJqrxsNL90YIzFK/Hb5eNhz1uktdDuvKKKGbLZ99GbSSF/ZR8OkdnprGJ:o7DQJopFN+ASCKKGbF99GbSS3RY7rw
MD5:	D97AB4594FC610665FF2763A650EE6A8
SHA1:	5C7459CA838D27BE45745571D8D96D156F4B9F8D
SHA-256:	767D778369623FD8F5FB98D3BCC3130D05D02CBE0B9B88DD226F43281B14E9AF
SHA-512:	CE4941B41C3A8CC983C1BBCC87EF682823CB9DB24EA7A570E35BBF832046340D433F7D47211384B61FA38F3527CC35C195A6068CCB24B48E1F492C5B4D4192A1
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2EQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHcuwDoV1_a7sThPZwbu2Ah9zAL5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=P6sQOc"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("lOO0Vd");._.HZa=new _.uf(_.Km);._.l();._.k("P6sQOc");.var MZa=!!(_.Nh[1]&16);var OZa=function(a,b,c,d,e){this.ea=a;this.ta=b;this.ka=c;this.Ca=d;this.Ga=e;this.aa=0;this.da=NZa(this)},PZa=function(a){var b={};_.Ma(a.hS(),function(e){b[e]=!0});var c=a.WR(),d=a.cS();return new OZa(a.XO(),c.aa()1E3,a.oR(),d.aa()1E3,b)},NZa=function(a){return Math.random()Math.min(a.taMath.pow(a.ka,a.aa),a.Ca)},HG=function(a,b){return a.aa>=a.ea?!1:b!=null?!!a.Ga[b]:!0};var IG=function(a){_.X.call(this,a.Fa);this.da=a.Ea.mV;this.ea=a.Ea.metadata;a=a.Ea.lga;this.fetch=a.fetch.bind(a)};_.J(IG,_.X);IG.Ba=function(){return{Ea:{mV:_.KZa,metadata:_.HZa,lga:_.AZa}}};IG.prototype.aa=function(a,b){if(this.ea.getType(a.Md())!==1)return _.Vm(a);var c=this.da.JU;return(c=c?PZa(c):null)&&HG(c)?_.mya(a,QZa(this,a,b,c)):_.Vm(a)};.var QZa=function(a,b,c,d){return c.then(function(e){return e},function(e)

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.5797605345732935
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	917'504 bytes
MD5:	28f4aa5264e452b3b6d44ce952d0b753
SHA1:	48a612d02667a33d916dfe2cf2d8deea1ed9fe2f
SHA256:	edda936f37b0ca35e9829c5e1c0153a52a0bbe63ae114e6b6ae69b1323cfdbf6
SHA512:	fa506f07a2e738f002928d3e7108cd31fac093e392293e584e9d9b603da27e0579a055478fbff3bfc0323545d29411c3090570c63e2b658edeac347987eab0be
SSDEEP:	12288:GqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgagTH:GqDEvCTbMWu7rQYlBQcBiT6rprG8a4H
TLSH:	36159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FBF23B [Tue Oct 1 12:59:39 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F4F41020A43h
jmp 00007F4F4102034Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F4F4102052Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F4F410204FAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F4F410230EDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F4F41023138h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F4F41023121h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x95ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x95ac	0x9600	1af87e6a3887a51ab59069578b3f7099	False	0.2861458333333333	data	5.163891914716751	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x874	data			1.005083179297597
RT_GROUP_ICON	0xdd02c	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd0a4	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd0b8	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd0cc	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd0e0	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd1bc	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 15:07:00.156455040 CEST	49674	443	192.168.2.6	173.222.162.64
Oct 1, 2024 15:07:00.156455040 CEST	49673	443	192.168.2.6	173.222.162.64
Oct 1, 2024 15:07:00.468934059 CEST	49672	443	192.168.2.6	173.222.162.64
Oct 1, 2024 15:07:01.442347050 CEST	49710	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:07:01.442400932 CEST	443	49710	40.113.103.199	192.168.2.6
Oct 1, 2024 15:07:01.442495108 CEST	49710	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:07:01.443041086 CEST	49710	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:07:01.443056107 CEST	443	49710	40.113.103.199	192.168.2.6
Oct 1, 2024 15:07:02.261925936 CEST	443	49710	40.113.103.199	192.168.2.6
Oct 1, 2024 15:07:02.262078047 CEST	49710	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:07:02.266074896 CEST	49710	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:07:02.266092062 CEST	443	49710	40.113.103.199	192.168.2.6
Oct 1, 2024 15:07:02.266345978 CEST	443	49710	40.113.103.199	192.168.2.6
Oct 1, 2024 15:07:02.268860102 CEST	49710	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:07:02.268970013 CEST	49710	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:07:02.268975973 CEST	443	49710	40.113.103.199	192.168.2.6
Oct 1, 2024 15:07:02.269203901 CEST	49710	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:07:02.311407089 CEST	443	49710	40.113.103.199	192.168.2.6
Oct 1, 2024 15:07:02.451267958 CEST	443	49710	40.113.103.199	192.168.2.6
Oct 1, 2024 15:07:02.451503038 CEST	443	49710	40.113.103.199	192.168.2.6
Oct 1, 2024 15:07:02.451589108 CEST	49710	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:07:02.451813936 CEST	49710	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:07:02.451838017 CEST	443	49710	40.113.103.199	192.168.2.6
Oct 1, 2024 15:07:05.336028099 CEST	49714	443	192.168.2.6	172.217.16.142
Oct 1, 2024 15:07:05.336072922 CEST	443	49714	172.217.16.142	192.168.2.6
Oct 1, 2024 15:07:05.336128950 CEST	49714	443	192.168.2.6	172.217.16.142
Oct 1, 2024 15:07:05.337389946 CEST	49714	443	192.168.2.6	172.217.16.142
Oct 1, 2024 15:07:05.337404013 CEST	443	49714	172.217.16.142	192.168.2.6
Oct 1, 2024 15:07:05.974294901 CEST	443	49714	172.217.16.142	192.168.2.6
Oct 1, 2024 15:07:06.015537977 CEST	49714	443	192.168.2.6	172.217.16.142
Oct 1, 2024 15:07:06.043673992 CEST	49714	443	192.168.2.6	172.217.16.142
Oct 1, 2024 15:07:06.043689013 CEST	443	49714	172.217.16.142	192.168.2.6
Oct 1, 2024 15:07:06.044351101 CEST	443	49714	172.217.16.142	192.168.2.6
Oct 1, 2024 15:07:06.044418097 CEST	49714	443	192.168.2.6	172.217.16.142
Oct 1, 2024 15:07:06.045078993 CEST	443	49714	172.217.16.142	192.168.2.6
Oct 1, 2024 15:07:06.045128107 CEST	49714	443	192.168.2.6	172.217.16.142
Oct 1, 2024 15:07:06.093241930 CEST	49714	443	192.168.2.6	172.217.16.142
Oct 1, 2024 15:07:06.093328953 CEST	443	49714	172.217.16.142	192.168.2.6
Oct 1, 2024 15:07:06.093703032 CEST	49714	443	192.168.2.6	172.217.16.142
Oct 1, 2024 15:07:06.093719959 CEST	443	49714	172.217.16.142	192.168.2.6
Oct 1, 2024 15:07:06.138933897 CEST	49714	443	192.168.2.6	172.217.16.142
Oct 1, 2024 15:07:06.300717115 CEST	443	49714	172.217.16.142	192.168.2.6
Oct 1, 2024 15:07:06.300798893 CEST	443	49714	172.217.16.142	192.168.2.6
Oct 1, 2024 15:07:06.300848007 CEST	49714	443	192.168.2.6	172.217.16.142
Oct 1, 2024 15:07:06.309032917 CEST	49714	443	192.168.2.6	172.217.16.142
Oct 1, 2024 15:07:06.309062004 CEST	443	49714	172.217.16.142	192.168.2.6
Oct 1, 2024 15:07:09.764004946 CEST	49673	443	192.168.2.6	173.222.162.64
Oct 1, 2024 15:07:09.764036894 CEST	49674	443	192.168.2.6	173.222.162.64
Oct 1, 2024 15:07:09.960506916 CEST	49723	443	192.168.2.6	142.250.184.196
Oct 1, 2024 15:07:09.960546017 CEST	443	49723	142.250.184.196	192.168.2.6
Oct 1, 2024 15:07:09.960621119 CEST	49723	443	192.168.2.6	142.250.184.196
Oct 1, 2024 15:07:09.960834980 CEST	49723	443	192.168.2.6	142.250.184.196
Oct 1, 2024 15:07:09.960848093 CEST	443	49723	142.250.184.196	192.168.2.6
Oct 1, 2024 15:07:10.082307100 CEST	49672	443	192.168.2.6	173.222.162.64
Oct 1, 2024 15:07:10.596988916 CEST	443	49723	142.250.184.196	192.168.2.6
Oct 1, 2024 15:07:10.597209930 CEST	49723	443	192.168.2.6	142.250.184.196
Oct 1, 2024 15:07:10.597242117 CEST	443	49723	142.250.184.196	192.168.2.6
Oct 1, 2024 15:07:10.598354101 CEST	443	49723	142.250.184.196	192.168.2.6
Oct 1, 2024 15:07:10.598421097 CEST	49723	443	192.168.2.6	142.250.184.196
Oct 1, 2024 15:07:10.599845886 CEST	49723	443	192.168.2.6	142.250.184.196
Oct 1, 2024 15:07:10.599911928 CEST	443	49723	142.250.184.196	192.168.2.6
Oct 1, 2024 15:07:10.605205059 CEST	49727	443	192.168.2.6	184.28.90.27
Oct 1, 2024 15:07:10.605251074 CEST	443	49727	184.28.90.27	192.168.2.6
Oct 1, 2024 15:07:10.605329037 CEST	49727	443	192.168.2.6	184.28.90.27
Oct 1, 2024 15:07:10.606688976 CEST	49727	443	192.168.2.6	184.28.90.27
Oct 1, 2024 15:07:10.606704950 CEST	443	49727	184.28.90.27	192.168.2.6
Oct 1, 2024 15:07:10.641355038 CEST	49723	443	192.168.2.6	142.250.184.196
Oct 1, 2024 15:07:10.641381025 CEST	443	49723	142.250.184.196	192.168.2.6
Oct 1, 2024 15:07:10.673755884 CEST	49728	443	192.168.2.6	40.115.3.253
Oct 1, 2024 15:07:10.673810005 CEST	443	49728	40.115.3.253	192.168.2.6
Oct 1, 2024 15:07:10.673891068 CEST	49728	443	192.168.2.6	40.115.3.253
Oct 1, 2024 15:07:10.674607038 CEST	49728	443	192.168.2.6	40.115.3.253
Oct 1, 2024 15:07:10.674633980 CEST	443	49728	40.115.3.253	192.168.2.6
Oct 1, 2024 15:07:10.686887026 CEST	49723	443	192.168.2.6	142.250.184.196
Oct 1, 2024 15:07:11.261841059 CEST	443	49727	184.28.90.27	192.168.2.6
Oct 1, 2024 15:07:11.261917114 CEST	49727	443	192.168.2.6	184.28.90.27
Oct 1, 2024 15:07:11.265913963 CEST	49727	443	192.168.2.6	184.28.90.27
Oct 1, 2024 15:07:11.265925884 CEST	443	49727	184.28.90.27	192.168.2.6
Oct 1, 2024 15:07:11.266175032 CEST	443	49727	184.28.90.27	192.168.2.6
Oct 1, 2024 15:07:11.311693907 CEST	49727	443	192.168.2.6	184.28.90.27
Oct 1, 2024 15:07:11.313704967 CEST	49727	443	192.168.2.6	184.28.90.27
Oct 1, 2024 15:07:11.359400034 CEST	443	49727	184.28.90.27	192.168.2.6
Oct 1, 2024 15:07:11.462646008 CEST	443	49728	40.115.3.253	192.168.2.6
Oct 1, 2024 15:07:11.462704897 CEST	49728	443	192.168.2.6	40.115.3.253
Oct 1, 2024 15:07:11.465684891 CEST	49728	443	192.168.2.6	40.115.3.253
Oct 1, 2024 15:07:11.465697050 CEST	443	49728	40.115.3.253	192.168.2.6
Oct 1, 2024 15:07:11.465946913 CEST	443	49728	40.115.3.253	192.168.2.6
Oct 1, 2024 15:07:11.468262911 CEST	49728	443	192.168.2.6	40.115.3.253
Oct 1, 2024 15:07:11.468482971 CEST	49728	443	192.168.2.6	40.115.3.253
Oct 1, 2024 15:07:11.468488932 CEST	443	49728	40.115.3.253	192.168.2.6
Oct 1, 2024 15:07:11.469314098 CEST	49728	443	192.168.2.6	40.115.3.253
Oct 1, 2024 15:07:11.515409946 CEST	443	49728	40.115.3.253	192.168.2.6
Oct 1, 2024 15:07:11.534491062 CEST	443	49727	184.28.90.27	192.168.2.6
Oct 1, 2024 15:07:11.534559965 CEST	443	49727	184.28.90.27	192.168.2.6
Oct 1, 2024 15:07:11.534605026 CEST	49727	443	192.168.2.6	184.28.90.27
Oct 1, 2024 15:07:11.534722090 CEST	49727	443	192.168.2.6	184.28.90.27
Oct 1, 2024 15:07:11.534745932 CEST	443	49727	184.28.90.27	192.168.2.6
Oct 1, 2024 15:07:11.534758091 CEST	49727	443	192.168.2.6	184.28.90.27
Oct 1, 2024 15:07:11.534765005 CEST	443	49727	184.28.90.27	192.168.2.6
Oct 1, 2024 15:07:11.586419106 CEST	49729	443	192.168.2.6	184.28.90.27
Oct 1, 2024 15:07:11.586460114 CEST	443	49729	184.28.90.27	192.168.2.6
Oct 1, 2024 15:07:11.586548090 CEST	49729	443	192.168.2.6	184.28.90.27
Oct 1, 2024 15:07:11.587270021 CEST	49729	443	192.168.2.6	184.28.90.27
Oct 1, 2024 15:07:11.587287903 CEST	443	49729	184.28.90.27	192.168.2.6
Oct 1, 2024 15:07:11.644345045 CEST	443	49728	40.115.3.253	192.168.2.6
Oct 1, 2024 15:07:11.644819975 CEST	443	49728	40.115.3.253	192.168.2.6
Oct 1, 2024 15:07:11.644875050 CEST	49728	443	192.168.2.6	40.115.3.253
Oct 1, 2024 15:07:11.646377087 CEST	49728	443	192.168.2.6	40.115.3.253
Oct 1, 2024 15:07:11.646393061 CEST	443	49728	40.115.3.253	192.168.2.6
Oct 1, 2024 15:07:11.646414995 CEST	49728	443	192.168.2.6	40.115.3.253
Oct 1, 2024 15:07:11.732557058 CEST	443	49705	173.222.162.64	192.168.2.6
Oct 1, 2024 15:07:11.732635975 CEST	49705	443	192.168.2.6	173.222.162.64
Oct 1, 2024 15:07:12.221206903 CEST	443	49729	184.28.90.27	192.168.2.6
Oct 1, 2024 15:07:12.221292973 CEST	49729	443	192.168.2.6	184.28.90.27
Oct 1, 2024 15:07:12.223555088 CEST	49729	443	192.168.2.6	184.28.90.27
Oct 1, 2024 15:07:12.223568916 CEST	443	49729	184.28.90.27	192.168.2.6
Oct 1, 2024 15:07:12.223808050 CEST	443	49729	184.28.90.27	192.168.2.6
Oct 1, 2024 15:07:12.224917889 CEST	49729	443	192.168.2.6	184.28.90.27
Oct 1, 2024 15:07:12.267410040 CEST	443	49729	184.28.90.27	192.168.2.6
Oct 1, 2024 15:07:12.498051882 CEST	443	49729	184.28.90.27	192.168.2.6
Oct 1, 2024 15:07:12.498264074 CEST	443	49729	184.28.90.27	192.168.2.6
Oct 1, 2024 15:07:12.498584032 CEST	49729	443	192.168.2.6	184.28.90.27
Oct 1, 2024 15:07:12.515611887 CEST	49729	443	192.168.2.6	184.28.90.27
Oct 1, 2024 15:07:12.515611887 CEST	49729	443	192.168.2.6	184.28.90.27
Oct 1, 2024 15:07:12.515633106 CEST	443	49729	184.28.90.27	192.168.2.6
Oct 1, 2024 15:07:12.515645981 CEST	443	49729	184.28.90.27	192.168.2.6
Oct 1, 2024 15:07:14.666013956 CEST	49743	443	192.168.2.6	142.250.186.174
Oct 1, 2024 15:07:14.666045904 CEST	443	49743	142.250.186.174	192.168.2.6
Oct 1, 2024 15:07:14.666177034 CEST	49743	443	192.168.2.6	142.250.186.174
Oct 1, 2024 15:07:14.666505098 CEST	49743	443	192.168.2.6	142.250.186.174
Oct 1, 2024 15:07:14.666517973 CEST	443	49743	142.250.186.174	192.168.2.6
Oct 1, 2024 15:07:15.298944950 CEST	443	49743	142.250.186.174	192.168.2.6
Oct 1, 2024 15:07:15.299215078 CEST	49743	443	192.168.2.6	142.250.186.174
Oct 1, 2024 15:07:15.299228907 CEST	443	49743	142.250.186.174	192.168.2.6
Oct 1, 2024 15:07:15.299642086 CEST	443	49743	142.250.186.174	192.168.2.6
Oct 1, 2024 15:07:15.299735069 CEST	49743	443	192.168.2.6	142.250.186.174
Oct 1, 2024 15:07:15.300343037 CEST	443	49743	142.250.186.174	192.168.2.6
Oct 1, 2024 15:07:15.300422907 CEST	49743	443	192.168.2.6	142.250.186.174
Oct 1, 2024 15:07:15.301664114 CEST	49743	443	192.168.2.6	142.250.186.174
Oct 1, 2024 15:07:15.301664114 CEST	49743	443	192.168.2.6	142.250.186.174
Oct 1, 2024 15:07:15.301680088 CEST	443	49743	142.250.186.174	192.168.2.6
Oct 1, 2024 15:07:15.301728964 CEST	443	49743	142.250.186.174	192.168.2.6
Oct 1, 2024 15:07:15.344486952 CEST	49743	443	192.168.2.6	142.250.186.174
Oct 1, 2024 15:07:15.344496965 CEST	443	49743	142.250.186.174	192.168.2.6
Oct 1, 2024 15:07:15.391702890 CEST	49743	443	192.168.2.6	142.250.186.174
Oct 1, 2024 15:07:15.621711969 CEST	443	49743	142.250.186.174	192.168.2.6
Oct 1, 2024 15:07:15.621748924 CEST	443	49743	142.250.186.174	192.168.2.6
Oct 1, 2024 15:07:15.621779919 CEST	443	49743	142.250.186.174	192.168.2.6
Oct 1, 2024 15:07:15.623368979 CEST	49743	443	192.168.2.6	142.250.186.174
Oct 1, 2024 15:07:15.623380899 CEST	443	49743	142.250.186.174	192.168.2.6
Oct 1, 2024 15:07:15.627727032 CEST	443	49743	142.250.186.174	192.168.2.6
Oct 1, 2024 15:07:15.629905939 CEST	49743	443	192.168.2.6	142.250.186.174
Oct 1, 2024 15:07:15.629913092 CEST	443	49743	142.250.186.174	192.168.2.6
Oct 1, 2024 15:07:15.633902073 CEST	443	49743	142.250.186.174	192.168.2.6
Oct 1, 2024 15:07:15.634018898 CEST	443	49743	142.250.186.174	192.168.2.6
Oct 1, 2024 15:07:15.634088039 CEST	49743	443	192.168.2.6	142.250.186.174
Oct 1, 2024 15:07:15.634095907 CEST	443	49743	142.250.186.174	192.168.2.6
Oct 1, 2024 15:07:15.635597944 CEST	49743	443	192.168.2.6	142.250.186.174
Oct 1, 2024 15:07:15.640294075 CEST	443	49743	142.250.186.174	192.168.2.6
Oct 1, 2024 15:07:15.640383005 CEST	49743	443	192.168.2.6	142.250.186.174
Oct 1, 2024 15:07:15.646850109 CEST	443	49743	142.250.186.174	192.168.2.6
Oct 1, 2024 15:07:15.646895885 CEST	443	49743	142.250.186.174	192.168.2.6
Oct 1, 2024 15:07:15.646920919 CEST	49743	443	192.168.2.6	142.250.186.174
Oct 1, 2024 15:07:15.646931887 CEST	443	49743	142.250.186.174	192.168.2.6
Oct 1, 2024 15:07:15.647542953 CEST	49743	443	192.168.2.6	142.250.186.174
Oct 1, 2024 15:07:15.711734056 CEST	443	49743	142.250.186.174	192.168.2.6
Oct 1, 2024 15:07:15.711801052 CEST	443	49743	142.250.186.174	192.168.2.6
Oct 1, 2024 15:07:15.711812973 CEST	49743	443	192.168.2.6	142.250.186.174
Oct 1, 2024 15:07:15.711822987 CEST	443	49743	142.250.186.174	192.168.2.6
Oct 1, 2024 15:07:15.711837053 CEST	443	49743	142.250.186.174	192.168.2.6
Oct 1, 2024 15:07:15.712264061 CEST	49743	443	192.168.2.6	142.250.186.174
Oct 1, 2024 15:07:15.712270975 CEST	443	49743	142.250.186.174	192.168.2.6
Oct 1, 2024 15:07:15.717143059 CEST	443	49743	142.250.186.174	192.168.2.6
Oct 1, 2024 15:07:15.717180967 CEST	443	49743	142.250.186.174	192.168.2.6
Oct 1, 2024 15:07:15.717185974 CEST	49743	443	192.168.2.6	142.250.186.174
Oct 1, 2024 15:07:15.717191935 CEST	443	49743	142.250.186.174	192.168.2.6
Oct 1, 2024 15:07:15.717689037 CEST	49743	443	192.168.2.6	142.250.186.174
Oct 1, 2024 15:07:15.719499111 CEST	49746	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:15.719547033 CEST	443	49746	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:15.719749928 CEST	49746	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:15.720472097 CEST	49746	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:15.720490932 CEST	443	49746	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:15.723469973 CEST	443	49743	142.250.186.174	192.168.2.6
Oct 1, 2024 15:07:15.723583937 CEST	49743	443	192.168.2.6	142.250.186.174
Oct 1, 2024 15:07:15.729851007 CEST	443	49743	142.250.186.174	192.168.2.6
Oct 1, 2024 15:07:15.730411053 CEST	49743	443	192.168.2.6	142.250.186.174
Oct 1, 2024 15:07:15.730421066 CEST	443	49743	142.250.186.174	192.168.2.6
Oct 1, 2024 15:07:15.731318951 CEST	49743	443	192.168.2.6	142.250.186.174
Oct 1, 2024 15:07:15.735944986 CEST	443	49743	142.250.186.174	192.168.2.6
Oct 1, 2024 15:07:15.742305994 CEST	443	49743	142.250.186.174	192.168.2.6
Oct 1, 2024 15:07:15.742872953 CEST	443	49743	142.250.186.174	192.168.2.6
Oct 1, 2024 15:07:15.742979050 CEST	443	49743	142.250.186.174	192.168.2.6
Oct 1, 2024 15:07:15.744170904 CEST	49743	443	192.168.2.6	142.250.186.174
Oct 1, 2024 15:07:15.757205009 CEST	49743	443	192.168.2.6	142.250.186.174
Oct 1, 2024 15:07:15.757220030 CEST	443	49743	142.250.186.174	192.168.2.6
Oct 1, 2024 15:07:15.869956017 CEST	49747	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:15.869980097 CEST	443	49747	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:15.871282101 CEST	49747	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:15.875473022 CEST	49747	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:15.875483990 CEST	443	49747	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:16.358675957 CEST	443	49746	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:16.362423897 CEST	49746	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:16.362452984 CEST	443	49746	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:16.362871885 CEST	443	49746	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:16.362940073 CEST	49746	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:16.363697052 CEST	443	49746	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:16.363754988 CEST	49746	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:16.370680094 CEST	49746	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:16.370784998 CEST	443	49746	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:16.370970011 CEST	49746	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:16.370979071 CEST	443	49746	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:16.422265053 CEST	49746	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:16.513026953 CEST	443	49747	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:16.513991117 CEST	49747	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:16.514004946 CEST	443	49747	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:16.514406919 CEST	443	49747	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:16.514462948 CEST	49747	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:16.515146017 CEST	443	49747	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:16.515198946 CEST	49747	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:16.526658058 CEST	49747	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:16.526736021 CEST	443	49747	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:16.527457952 CEST	49747	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:16.527475119 CEST	443	49747	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:16.578572989 CEST	49747	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:16.660151005 CEST	443	49746	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:16.660339117 CEST	443	49746	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:16.660388947 CEST	49746	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:16.660759926 CEST	49746	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:16.660779953 CEST	443	49746	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:16.660789013 CEST	49746	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:16.660819054 CEST	49746	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:16.661742926 CEST	49750	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:16.661788940 CEST	443	49750	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:16.661848068 CEST	49750	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:16.662195921 CEST	49750	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:16.662213087 CEST	443	49750	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:16.811660051 CEST	443	49747	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:16.812216043 CEST	49747	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:16.812264919 CEST	443	49747	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:16.812316895 CEST	49747	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:16.813100100 CEST	49752	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:16.813138008 CEST	443	49752	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:16.813199997 CEST	49752	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:16.813616991 CEST	49752	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:16.813632965 CEST	443	49752	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:17.293811083 CEST	443	49750	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:17.294059992 CEST	49750	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:17.294075012 CEST	443	49750	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:17.294450998 CEST	443	49750	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:17.294524908 CEST	49750	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:17.295145988 CEST	443	49750	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:17.295196056 CEST	49750	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:17.295373917 CEST	49750	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:17.295444012 CEST	443	49750	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:17.295594931 CEST	49750	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:17.295602083 CEST	443	49750	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:17.295618057 CEST	49750	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:17.339407921 CEST	443	49750	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:17.341747046 CEST	49750	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:17.443850040 CEST	443	49752	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:17.446186066 CEST	49752	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:17.446202993 CEST	443	49752	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:17.446588039 CEST	443	49752	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:17.446659088 CEST	49752	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:17.447335958 CEST	443	49752	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:17.447406054 CEST	49752	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:17.447725058 CEST	49752	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:17.447787046 CEST	443	49752	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:17.447871923 CEST	49752	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:17.447972059 CEST	49752	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:17.447979927 CEST	443	49752	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:17.500024080 CEST	49752	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:17.510216951 CEST	443	49750	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:17.511089087 CEST	443	49750	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:17.511145115 CEST	49750	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:17.511759043 CEST	49750	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:17.511778116 CEST	443	49750	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:17.661984921 CEST	443	49752	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:17.662098885 CEST	443	49752	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:17.662240028 CEST	49752	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:17.662992001 CEST	49752	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:17.663008928 CEST	443	49752	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:18.274895906 CEST	49723	443	192.168.2.6	142.250.184.196
Oct 1, 2024 15:07:18.319408894 CEST	443	49723	142.250.184.196	192.168.2.6
Oct 1, 2024 15:07:18.541207075 CEST	443	49723	142.250.184.196	192.168.2.6
Oct 1, 2024 15:07:18.541256905 CEST	443	49723	142.250.184.196	192.168.2.6
Oct 1, 2024 15:07:18.541289091 CEST	443	49723	142.250.184.196	192.168.2.6
Oct 1, 2024 15:07:18.541318893 CEST	443	49723	142.250.184.196	192.168.2.6
Oct 1, 2024 15:07:18.541335106 CEST	49723	443	192.168.2.6	142.250.184.196
Oct 1, 2024 15:07:18.541353941 CEST	443	49723	142.250.184.196	192.168.2.6
Oct 1, 2024 15:07:18.541371107 CEST	49723	443	192.168.2.6	142.250.184.196
Oct 1, 2024 15:07:18.541435003 CEST	443	49723	142.250.184.196	192.168.2.6
Oct 1, 2024 15:07:18.541486979 CEST	49723	443	192.168.2.6	142.250.184.196
Oct 1, 2024 15:07:18.545516014 CEST	49723	443	192.168.2.6	142.250.184.196
Oct 1, 2024 15:07:18.545531988 CEST	443	49723	142.250.184.196	192.168.2.6
Oct 1, 2024 15:07:20.110920906 CEST	49759	443	192.168.2.6	13.85.23.86
Oct 1, 2024 15:07:20.110965967 CEST	443	49759	13.85.23.86	192.168.2.6
Oct 1, 2024 15:07:20.111021996 CEST	49759	443	192.168.2.6	13.85.23.86
Oct 1, 2024 15:07:20.112124920 CEST	49759	443	192.168.2.6	13.85.23.86
Oct 1, 2024 15:07:20.112134933 CEST	443	49759	13.85.23.86	192.168.2.6
Oct 1, 2024 15:07:20.796241045 CEST	443	49759	13.85.23.86	192.168.2.6
Oct 1, 2024 15:07:20.796312094 CEST	49759	443	192.168.2.6	13.85.23.86
Oct 1, 2024 15:07:20.808871031 CEST	49759	443	192.168.2.6	13.85.23.86
Oct 1, 2024 15:07:20.808897972 CEST	443	49759	13.85.23.86	192.168.2.6
Oct 1, 2024 15:07:20.809223890 CEST	443	49759	13.85.23.86	192.168.2.6
Oct 1, 2024 15:07:20.857441902 CEST	49759	443	192.168.2.6	13.85.23.86
Oct 1, 2024 15:07:21.040260077 CEST	49759	443	192.168.2.6	13.85.23.86
Oct 1, 2024 15:07:21.087404966 CEST	443	49759	13.85.23.86	192.168.2.6
Oct 1, 2024 15:07:21.270747900 CEST	443	49759	13.85.23.86	192.168.2.6
Oct 1, 2024 15:07:21.270766973 CEST	443	49759	13.85.23.86	192.168.2.6
Oct 1, 2024 15:07:21.270773888 CEST	443	49759	13.85.23.86	192.168.2.6
Oct 1, 2024 15:07:21.270781994 CEST	443	49759	13.85.23.86	192.168.2.6
Oct 1, 2024 15:07:21.270821095 CEST	443	49759	13.85.23.86	192.168.2.6
Oct 1, 2024 15:07:21.270842075 CEST	49759	443	192.168.2.6	13.85.23.86
Oct 1, 2024 15:07:21.270859003 CEST	443	49759	13.85.23.86	192.168.2.6
Oct 1, 2024 15:07:21.270888090 CEST	49759	443	192.168.2.6	13.85.23.86
Oct 1, 2024 15:07:21.270901918 CEST	49759	443	192.168.2.6	13.85.23.86
Oct 1, 2024 15:07:21.271399975 CEST	443	49759	13.85.23.86	192.168.2.6
Oct 1, 2024 15:07:21.271464109 CEST	443	49759	13.85.23.86	192.168.2.6
Oct 1, 2024 15:07:21.271466970 CEST	49759	443	192.168.2.6	13.85.23.86
Oct 1, 2024 15:07:21.271513939 CEST	49759	443	192.168.2.6	13.85.23.86
Oct 1, 2024 15:07:21.285787106 CEST	49759	443	192.168.2.6	13.85.23.86
Oct 1, 2024 15:07:21.285800934 CEST	443	49759	13.85.23.86	192.168.2.6
Oct 1, 2024 15:07:23.724936008 CEST	49763	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:23.724973917 CEST	443	49763	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:23.725137949 CEST	49763	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:23.725574970 CEST	49763	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:23.725594044 CEST	443	49763	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:24.375183105 CEST	443	49763	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:24.375549078 CEST	49763	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:24.375567913 CEST	443	49763	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:24.375945091 CEST	443	49763	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:24.376267910 CEST	49763	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:24.376333952 CEST	443	49763	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:24.376605988 CEST	49763	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:24.376689911 CEST	49763	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:24.376694918 CEST	443	49763	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:24.714684963 CEST	443	49763	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:24.716353893 CEST	443	49763	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:24.716413975 CEST	49763	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:24.720607042 CEST	49763	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:24.720623016 CEST	443	49763	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:26.852421045 CEST	49764	443	192.168.2.6	40.115.3.253
Oct 1, 2024 15:07:26.852482080 CEST	443	49764	40.115.3.253	192.168.2.6
Oct 1, 2024 15:07:26.852550030 CEST	49764	443	192.168.2.6	40.115.3.253
Oct 1, 2024 15:07:26.853107929 CEST	49764	443	192.168.2.6	40.115.3.253
Oct 1, 2024 15:07:26.853121996 CEST	443	49764	40.115.3.253	192.168.2.6
Oct 1, 2024 15:07:27.710973024 CEST	443	49764	40.115.3.253	192.168.2.6
Oct 1, 2024 15:07:27.711042881 CEST	49764	443	192.168.2.6	40.115.3.253
Oct 1, 2024 15:07:27.716290951 CEST	49764	443	192.168.2.6	40.115.3.253
Oct 1, 2024 15:07:27.716301918 CEST	443	49764	40.115.3.253	192.168.2.6
Oct 1, 2024 15:07:27.716562986 CEST	443	49764	40.115.3.253	192.168.2.6
Oct 1, 2024 15:07:27.719945908 CEST	49764	443	192.168.2.6	40.115.3.253
Oct 1, 2024 15:07:27.719995975 CEST	49764	443	192.168.2.6	40.115.3.253
Oct 1, 2024 15:07:27.720000029 CEST	443	49764	40.115.3.253	192.168.2.6
Oct 1, 2024 15:07:27.720127106 CEST	49764	443	192.168.2.6	40.115.3.253
Oct 1, 2024 15:07:27.763434887 CEST	443	49764	40.115.3.253	192.168.2.6
Oct 1, 2024 15:07:27.890494108 CEST	443	49764	40.115.3.253	192.168.2.6
Oct 1, 2024 15:07:27.891020060 CEST	49764	443	192.168.2.6	40.115.3.253
Oct 1, 2024 15:07:27.891038895 CEST	443	49764	40.115.3.253	192.168.2.6
Oct 1, 2024 15:07:27.891056061 CEST	49764	443	192.168.2.6	40.115.3.253
Oct 1, 2024 15:07:27.891088009 CEST	49764	443	192.168.2.6	40.115.3.253
Oct 1, 2024 15:07:46.248421907 CEST	49765	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:07:46.248469114 CEST	443	49765	40.113.103.199	192.168.2.6
Oct 1, 2024 15:07:46.248531103 CEST	49765	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:07:46.249138117 CEST	49765	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:07:46.249155998 CEST	443	49765	40.113.103.199	192.168.2.6
Oct 1, 2024 15:07:47.041579008 CEST	443	49765	40.113.103.199	192.168.2.6
Oct 1, 2024 15:07:47.041640997 CEST	49765	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:07:47.043437958 CEST	49765	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:07:47.043454885 CEST	443	49765	40.113.103.199	192.168.2.6
Oct 1, 2024 15:07:47.043715954 CEST	443	49765	40.113.103.199	192.168.2.6
Oct 1, 2024 15:07:47.054204941 CEST	49765	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:07:47.054275990 CEST	49765	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:07:47.054285049 CEST	443	49765	40.113.103.199	192.168.2.6
Oct 1, 2024 15:07:47.054400921 CEST	49765	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:07:47.095407963 CEST	443	49765	40.113.103.199	192.168.2.6
Oct 1, 2024 15:07:47.226054907 CEST	443	49765	40.113.103.199	192.168.2.6
Oct 1, 2024 15:07:47.226155996 CEST	443	49765	40.113.103.199	192.168.2.6
Oct 1, 2024 15:07:47.226234913 CEST	49765	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:07:47.226478100 CEST	49765	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:07:47.226497889 CEST	443	49765	40.113.103.199	192.168.2.6
Oct 1, 2024 15:07:47.251266003 CEST	49766	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:47.251316071 CEST	443	49766	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:47.251398087 CEST	49766	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:47.252051115 CEST	49766	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:47.252063990 CEST	443	49766	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:47.553767920 CEST	49767	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:47.553832054 CEST	443	49767	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:47.553911924 CEST	49767	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:47.554186106 CEST	49767	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:47.554207087 CEST	443	49767	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:47.915148020 CEST	443	49766	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:47.915474892 CEST	49766	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:47.915497065 CEST	443	49766	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:47.915929079 CEST	443	49766	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:47.916275024 CEST	49766	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:47.916342020 CEST	443	49766	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:47.916440964 CEST	49766	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:47.916455030 CEST	49766	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:47.916466951 CEST	443	49766	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:48.210833073 CEST	443	49767	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:48.211172104 CEST	49767	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:48.211194038 CEST	443	49767	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:48.211613894 CEST	443	49767	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:48.211900949 CEST	49767	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:48.212028027 CEST	443	49767	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:48.212059021 CEST	49767	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:48.212085009 CEST	49767	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:48.212091923 CEST	443	49767	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:48.222322941 CEST	443	49766	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:48.222484112 CEST	443	49766	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:48.222567081 CEST	49766	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:48.222829103 CEST	49766	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:48.222846031 CEST	443	49766	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:48.361076117 CEST	49768	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:48.361121893 CEST	443	49768	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:48.361188889 CEST	49768	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:48.361500978 CEST	49768	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:48.361509085 CEST	443	49768	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:48.549041986 CEST	443	49767	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:48.549179077 CEST	443	49767	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:48.549243927 CEST	49767	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:48.549668074 CEST	49767	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:48.549693108 CEST	443	49767	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:49.550287008 CEST	443	49768	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:49.550575018 CEST	49768	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:49.550600052 CEST	443	49768	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:49.551095963 CEST	443	49768	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:49.551428080 CEST	49768	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:49.551543951 CEST	443	49768	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:49.551728010 CEST	49768	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:49.551748991 CEST	49768	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:49.551773071 CEST	443	49768	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:49.945709944 CEST	443	49768	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:49.945880890 CEST	443	49768	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:49.945964098 CEST	49768	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:49.946688890 CEST	49768	443	192.168.2.6	216.58.212.142
Oct 1, 2024 15:07:49.946707964 CEST	443	49768	216.58.212.142	192.168.2.6
Oct 1, 2024 15:07:57.853324890 CEST	49769	443	192.168.2.6	13.85.23.86
Oct 1, 2024 15:07:57.853377104 CEST	443	49769	13.85.23.86	192.168.2.6
Oct 1, 2024 15:07:57.853471994 CEST	49769	443	192.168.2.6	13.85.23.86
Oct 1, 2024 15:07:57.853810072 CEST	49769	443	192.168.2.6	13.85.23.86
Oct 1, 2024 15:07:57.853821039 CEST	443	49769	13.85.23.86	192.168.2.6
Oct 1, 2024 15:07:58.543615103 CEST	443	49769	13.85.23.86	192.168.2.6
Oct 1, 2024 15:07:58.543874979 CEST	49769	443	192.168.2.6	13.85.23.86
Oct 1, 2024 15:07:58.546751022 CEST	49769	443	192.168.2.6	13.85.23.86
Oct 1, 2024 15:07:58.546766043 CEST	443	49769	13.85.23.86	192.168.2.6
Oct 1, 2024 15:07:58.547143936 CEST	443	49769	13.85.23.86	192.168.2.6
Oct 1, 2024 15:07:58.557051897 CEST	49769	443	192.168.2.6	13.85.23.86
Oct 1, 2024 15:07:58.599401951 CEST	443	49769	13.85.23.86	192.168.2.6
Oct 1, 2024 15:07:58.808995962 CEST	443	49769	13.85.23.86	192.168.2.6
Oct 1, 2024 15:07:58.809014082 CEST	443	49769	13.85.23.86	192.168.2.6
Oct 1, 2024 15:07:58.809034109 CEST	443	49769	13.85.23.86	192.168.2.6
Oct 1, 2024 15:07:58.809092999 CEST	49769	443	192.168.2.6	13.85.23.86
Oct 1, 2024 15:07:58.809118986 CEST	443	49769	13.85.23.86	192.168.2.6
Oct 1, 2024 15:07:58.809138060 CEST	49769	443	192.168.2.6	13.85.23.86
Oct 1, 2024 15:07:58.809165001 CEST	49769	443	192.168.2.6	13.85.23.86
Oct 1, 2024 15:07:58.810235023 CEST	443	49769	13.85.23.86	192.168.2.6
Oct 1, 2024 15:07:58.810266972 CEST	443	49769	13.85.23.86	192.168.2.6
Oct 1, 2024 15:07:58.810303926 CEST	49769	443	192.168.2.6	13.85.23.86
Oct 1, 2024 15:07:58.810307980 CEST	443	49769	13.85.23.86	192.168.2.6
Oct 1, 2024 15:07:58.810328960 CEST	443	49769	13.85.23.86	192.168.2.6
Oct 1, 2024 15:07:58.810342073 CEST	49769	443	192.168.2.6	13.85.23.86
Oct 1, 2024 15:07:58.810385942 CEST	49769	443	192.168.2.6	13.85.23.86
Oct 1, 2024 15:07:58.814199924 CEST	49769	443	192.168.2.6	13.85.23.86
Oct 1, 2024 15:07:58.814215899 CEST	443	49769	13.85.23.86	192.168.2.6
Oct 1, 2024 15:07:58.814227104 CEST	49769	443	192.168.2.6	13.85.23.86
Oct 1, 2024 15:07:58.814233065 CEST	443	49769	13.85.23.86	192.168.2.6
Oct 1, 2024 15:08:08.091305017 CEST	49771	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:08:08.091378927 CEST	443	49771	40.113.103.199	192.168.2.6
Oct 1, 2024 15:08:08.091479063 CEST	49771	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:08:08.092052937 CEST	49771	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:08:08.092072010 CEST	443	49771	40.113.103.199	192.168.2.6
Oct 1, 2024 15:08:08.982295990 CEST	443	49771	40.113.103.199	192.168.2.6
Oct 1, 2024 15:08:08.982480049 CEST	49771	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:08:08.984479904 CEST	49771	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:08:08.984493971 CEST	443	49771	40.113.103.199	192.168.2.6
Oct 1, 2024 15:08:08.984752893 CEST	443	49771	40.113.103.199	192.168.2.6
Oct 1, 2024 15:08:08.986622095 CEST	49771	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:08:08.986679077 CEST	49771	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:08:08.986685038 CEST	443	49771	40.113.103.199	192.168.2.6
Oct 1, 2024 15:08:08.986809015 CEST	49771	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:08:09.031403065 CEST	443	49771	40.113.103.199	192.168.2.6
Oct 1, 2024 15:08:09.162206888 CEST	443	49771	40.113.103.199	192.168.2.6
Oct 1, 2024 15:08:09.162290096 CEST	443	49771	40.113.103.199	192.168.2.6
Oct 1, 2024 15:08:09.162339926 CEST	49771	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:08:09.162486076 CEST	49771	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:08:09.162507057 CEST	443	49771	40.113.103.199	192.168.2.6
Oct 1, 2024 15:08:10.015840054 CEST	49772	443	192.168.2.6	142.250.184.196
Oct 1, 2024 15:08:10.015882015 CEST	443	49772	142.250.184.196	192.168.2.6
Oct 1, 2024 15:08:10.016072989 CEST	49772	443	192.168.2.6	142.250.184.196
Oct 1, 2024 15:08:10.016239882 CEST	49772	443	192.168.2.6	142.250.184.196
Oct 1, 2024 15:08:10.016263008 CEST	443	49772	142.250.184.196	192.168.2.6
Oct 1, 2024 15:08:10.653460979 CEST	443	49772	142.250.184.196	192.168.2.6
Oct 1, 2024 15:08:10.655586958 CEST	49772	443	192.168.2.6	142.250.184.196
Oct 1, 2024 15:08:10.655606031 CEST	443	49772	142.250.184.196	192.168.2.6
Oct 1, 2024 15:08:10.655961990 CEST	443	49772	142.250.184.196	192.168.2.6
Oct 1, 2024 15:08:10.662852049 CEST	49772	443	192.168.2.6	142.250.184.196
Oct 1, 2024 15:08:10.662934065 CEST	443	49772	142.250.184.196	192.168.2.6
Oct 1, 2024 15:08:10.717426062 CEST	49772	443	192.168.2.6	142.250.184.196
Oct 1, 2024 15:08:18.243421078 CEST	49774	443	192.168.2.6	142.250.181.238
Oct 1, 2024 15:08:18.243469000 CEST	443	49774	142.250.181.238	192.168.2.6
Oct 1, 2024 15:08:18.243566036 CEST	49774	443	192.168.2.6	142.250.181.238
Oct 1, 2024 15:08:18.243777037 CEST	49774	443	192.168.2.6	142.250.181.238
Oct 1, 2024 15:08:18.243793011 CEST	443	49774	142.250.181.238	192.168.2.6
Oct 1, 2024 15:08:18.909491062 CEST	443	49774	142.250.181.238	192.168.2.6
Oct 1, 2024 15:08:18.909837008 CEST	49774	443	192.168.2.6	142.250.181.238
Oct 1, 2024 15:08:18.909866095 CEST	443	49774	142.250.181.238	192.168.2.6
Oct 1, 2024 15:08:18.910253048 CEST	443	49774	142.250.181.238	192.168.2.6
Oct 1, 2024 15:08:18.910595894 CEST	49774	443	192.168.2.6	142.250.181.238
Oct 1, 2024 15:08:18.910674095 CEST	443	49774	142.250.181.238	192.168.2.6
Oct 1, 2024 15:08:18.910763025 CEST	49774	443	192.168.2.6	142.250.181.238
Oct 1, 2024 15:08:18.910788059 CEST	49774	443	192.168.2.6	142.250.181.238
Oct 1, 2024 15:08:18.910794973 CEST	443	49774	142.250.181.238	192.168.2.6
Oct 1, 2024 15:08:18.988270044 CEST	49775	443	192.168.2.6	142.250.181.238
Oct 1, 2024 15:08:18.988321066 CEST	443	49775	142.250.181.238	192.168.2.6
Oct 1, 2024 15:08:18.988415003 CEST	49775	443	192.168.2.6	142.250.181.238
Oct 1, 2024 15:08:18.988732100 CEST	49775	443	192.168.2.6	142.250.181.238
Oct 1, 2024 15:08:18.988753080 CEST	443	49775	142.250.181.238	192.168.2.6
Oct 1, 2024 15:08:19.214270115 CEST	443	49774	142.250.181.238	192.168.2.6
Oct 1, 2024 15:08:19.214827061 CEST	443	49774	142.250.181.238	192.168.2.6
Oct 1, 2024 15:08:19.214885950 CEST	49774	443	192.168.2.6	142.250.181.238
Oct 1, 2024 15:08:19.214993000 CEST	49774	443	192.168.2.6	142.250.181.238
Oct 1, 2024 15:08:19.215013981 CEST	443	49774	142.250.181.238	192.168.2.6
Oct 1, 2024 15:08:19.620562077 CEST	443	49775	142.250.181.238	192.168.2.6
Oct 1, 2024 15:08:19.621182919 CEST	49775	443	192.168.2.6	142.250.181.238
Oct 1, 2024 15:08:19.621206999 CEST	443	49775	142.250.181.238	192.168.2.6
Oct 1, 2024 15:08:19.621591091 CEST	443	49775	142.250.181.238	192.168.2.6
Oct 1, 2024 15:08:19.621917963 CEST	49775	443	192.168.2.6	142.250.181.238
Oct 1, 2024 15:08:19.621998072 CEST	443	49775	142.250.181.238	192.168.2.6
Oct 1, 2024 15:08:19.622082949 CEST	49775	443	192.168.2.6	142.250.181.238
Oct 1, 2024 15:08:19.622082949 CEST	49775	443	192.168.2.6	142.250.181.238
Oct 1, 2024 15:08:19.622113943 CEST	443	49775	142.250.181.238	192.168.2.6
Oct 1, 2024 15:08:19.920052052 CEST	443	49775	142.250.181.238	192.168.2.6
Oct 1, 2024 15:08:19.921705008 CEST	443	49775	142.250.181.238	192.168.2.6
Oct 1, 2024 15:08:19.921773911 CEST	49775	443	192.168.2.6	142.250.181.238
Oct 1, 2024 15:08:19.922107935 CEST	49775	443	192.168.2.6	142.250.181.238
Oct 1, 2024 15:08:19.922131062 CEST	443	49775	142.250.181.238	192.168.2.6
Oct 1, 2024 15:08:20.577059031 CEST	443	49772	142.250.184.196	192.168.2.6
Oct 1, 2024 15:08:20.577151060 CEST	443	49772	142.250.184.196	192.168.2.6
Oct 1, 2024 15:08:20.577222109 CEST	49772	443	192.168.2.6	142.250.184.196
Oct 1, 2024 15:08:32.640196085 CEST	49772	443	192.168.2.6	142.250.184.196
Oct 1, 2024 15:08:32.640217066 CEST	443	49772	142.250.184.196	192.168.2.6
Oct 1, 2024 15:08:34.484803915 CEST	49776	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:08:34.484874964 CEST	443	49776	40.113.103.199	192.168.2.6
Oct 1, 2024 15:08:34.484966993 CEST	49776	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:08:34.485560894 CEST	49776	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:08:34.485577106 CEST	443	49776	40.113.103.199	192.168.2.6
Oct 1, 2024 15:08:35.287010908 CEST	443	49776	40.113.103.199	192.168.2.6
Oct 1, 2024 15:08:35.287097931 CEST	49776	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:08:35.289299011 CEST	49776	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:08:35.289316893 CEST	443	49776	40.113.103.199	192.168.2.6
Oct 1, 2024 15:08:35.289582968 CEST	443	49776	40.113.103.199	192.168.2.6
Oct 1, 2024 15:08:35.291488886 CEST	49776	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:08:35.291555882 CEST	49776	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:08:35.291562080 CEST	443	49776	40.113.103.199	192.168.2.6
Oct 1, 2024 15:08:35.291673899 CEST	49776	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:08:35.335405111 CEST	443	49776	40.113.103.199	192.168.2.6
Oct 1, 2024 15:08:35.466227055 CEST	443	49776	40.113.103.199	192.168.2.6
Oct 1, 2024 15:08:35.466305971 CEST	443	49776	40.113.103.199	192.168.2.6
Oct 1, 2024 15:08:35.466418982 CEST	49776	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:08:35.466540098 CEST	49776	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:08:35.466562986 CEST	443	49776	40.113.103.199	192.168.2.6
Oct 1, 2024 15:08:39.889173031 CEST	49704	80	192.168.2.6	93.184.221.240
Oct 1, 2024 15:08:39.894618988 CEST	80	49704	93.184.221.240	192.168.2.6
Oct 1, 2024 15:08:39.894690990 CEST	49704	80	192.168.2.6	93.184.221.240
Oct 1, 2024 15:08:48.502253056 CEST	49778	443	192.168.2.6	142.250.181.238
Oct 1, 2024 15:08:48.502291918 CEST	443	49778	142.250.181.238	192.168.2.6
Oct 1, 2024 15:08:48.502377033 CEST	49778	443	192.168.2.6	142.250.181.238
Oct 1, 2024 15:08:48.502892971 CEST	49778	443	192.168.2.6	142.250.181.238
Oct 1, 2024 15:08:48.502901077 CEST	443	49778	142.250.181.238	192.168.2.6
Oct 1, 2024 15:08:49.135818005 CEST	443	49778	142.250.181.238	192.168.2.6
Oct 1, 2024 15:08:49.136519909 CEST	49778	443	192.168.2.6	142.250.181.238
Oct 1, 2024 15:08:49.136534929 CEST	443	49778	142.250.181.238	192.168.2.6
Oct 1, 2024 15:08:49.136888027 CEST	443	49778	142.250.181.238	192.168.2.6
Oct 1, 2024 15:08:49.137763023 CEST	49778	443	192.168.2.6	142.250.181.238
Oct 1, 2024 15:08:49.137819052 CEST	443	49778	142.250.181.238	192.168.2.6
Oct 1, 2024 15:08:49.138338089 CEST	49778	443	192.168.2.6	142.250.181.238
Oct 1, 2024 15:08:49.138427019 CEST	49778	443	192.168.2.6	142.250.181.238
Oct 1, 2024 15:08:49.138432980 CEST	443	49778	142.250.181.238	192.168.2.6
Oct 1, 2024 15:08:49.455579996 CEST	443	49778	142.250.181.238	192.168.2.6
Oct 1, 2024 15:08:49.456370115 CEST	443	49778	142.250.181.238	192.168.2.6
Oct 1, 2024 15:08:49.456419945 CEST	49778	443	192.168.2.6	142.250.181.238
Oct 1, 2024 15:08:49.530940056 CEST	49778	443	192.168.2.6	142.250.181.238
Oct 1, 2024 15:08:49.530956030 CEST	443	49778	142.250.181.238	192.168.2.6
Oct 1, 2024 15:08:49.657804966 CEST	49779	443	192.168.2.6	142.250.181.238
Oct 1, 2024 15:08:49.657860994 CEST	443	49779	142.250.181.238	192.168.2.6
Oct 1, 2024 15:08:49.657942057 CEST	49779	443	192.168.2.6	142.250.181.238
Oct 1, 2024 15:08:49.658315897 CEST	49779	443	192.168.2.6	142.250.181.238
Oct 1, 2024 15:08:49.658332109 CEST	443	49779	142.250.181.238	192.168.2.6
Oct 1, 2024 15:08:50.308697939 CEST	443	49779	142.250.181.238	192.168.2.6
Oct 1, 2024 15:08:50.309027910 CEST	49779	443	192.168.2.6	142.250.181.238
Oct 1, 2024 15:08:50.309068918 CEST	443	49779	142.250.181.238	192.168.2.6
Oct 1, 2024 15:08:50.309446096 CEST	443	49779	142.250.181.238	192.168.2.6
Oct 1, 2024 15:08:50.309880972 CEST	49779	443	192.168.2.6	142.250.181.238
Oct 1, 2024 15:08:50.309947014 CEST	443	49779	142.250.181.238	192.168.2.6
Oct 1, 2024 15:08:50.310051918 CEST	49779	443	192.168.2.6	142.250.181.238
Oct 1, 2024 15:08:50.310071945 CEST	49779	443	192.168.2.6	142.250.181.238
Oct 1, 2024 15:08:50.310085058 CEST	443	49779	142.250.181.238	192.168.2.6
Oct 1, 2024 15:08:50.807914972 CEST	443	49779	142.250.181.238	192.168.2.6
Oct 1, 2024 15:08:50.808048010 CEST	443	49779	142.250.181.238	192.168.2.6
Oct 1, 2024 15:08:50.808092117 CEST	49779	443	192.168.2.6	142.250.181.238
Oct 1, 2024 15:08:50.808621883 CEST	49779	443	192.168.2.6	142.250.181.238
Oct 1, 2024 15:08:50.808643103 CEST	443	49779	142.250.181.238	192.168.2.6
Oct 1, 2024 15:09:01.522476912 CEST	49780	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:09:01.522522926 CEST	443	49780	40.113.103.199	192.168.2.6
Oct 1, 2024 15:09:01.522591114 CEST	49780	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:09:01.523163080 CEST	49780	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:09:01.523185968 CEST	443	49780	40.113.103.199	192.168.2.6
Oct 1, 2024 15:09:02.300280094 CEST	443	49780	40.113.103.199	192.168.2.6
Oct 1, 2024 15:09:02.300498962 CEST	49780	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:09:02.302381992 CEST	49780	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:09:02.302396059 CEST	443	49780	40.113.103.199	192.168.2.6
Oct 1, 2024 15:09:02.302619934 CEST	443	49780	40.113.103.199	192.168.2.6
Oct 1, 2024 15:09:02.304445028 CEST	49780	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:09:02.304514885 CEST	49780	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:09:02.304528952 CEST	443	49780	40.113.103.199	192.168.2.6
Oct 1, 2024 15:09:02.304658890 CEST	49780	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:09:02.351397991 CEST	443	49780	40.113.103.199	192.168.2.6
Oct 1, 2024 15:09:02.476043940 CEST	443	49780	40.113.103.199	192.168.2.6
Oct 1, 2024 15:09:02.476428032 CEST	443	49780	40.113.103.199	192.168.2.6
Oct 1, 2024 15:09:02.476490021 CEST	49780	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:09:02.476602077 CEST	49780	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:09:02.476602077 CEST	49780	443	192.168.2.6	40.113.103.199
Oct 1, 2024 15:09:02.476624966 CEST	443	49780	40.113.103.199	192.168.2.6
Oct 1, 2024 15:09:10.078915119 CEST	49781	443	192.168.2.6	142.250.184.196
Oct 1, 2024 15:09:10.078980923 CEST	443	49781	142.250.184.196	192.168.2.6
Oct 1, 2024 15:09:10.079056025 CEST	49781	443	192.168.2.6	142.250.184.196
Oct 1, 2024 15:09:10.079406023 CEST	49781	443	192.168.2.6	142.250.184.196
Oct 1, 2024 15:09:10.079421043 CEST	443	49781	142.250.184.196	192.168.2.6
Oct 1, 2024 15:09:10.736926079 CEST	443	49781	142.250.184.196	192.168.2.6
Oct 1, 2024 15:09:10.780103922 CEST	49781	443	192.168.2.6	142.250.184.196

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 15:07:05.273588896 CEST	63593	53	192.168.2.6	1.1.1.1
Oct 1, 2024 15:07:05.273737907 CEST	50145	53	192.168.2.6	1.1.1.1
Oct 1, 2024 15:07:05.280272961 CEST	53	63593	1.1.1.1	192.168.2.6
Oct 1, 2024 15:07:05.280663967 CEST	53	50145	1.1.1.1	192.168.2.6
Oct 1, 2024 15:07:05.281649113 CEST	53	51034	1.1.1.1	192.168.2.6
Oct 1, 2024 15:07:05.281661034 CEST	53	61591	1.1.1.1	192.168.2.6
Oct 1, 2024 15:07:06.342724085 CEST	55881	53	192.168.2.6	1.1.1.1
Oct 1, 2024 15:07:06.343090057 CEST	59246	53	192.168.2.6	1.1.1.1
Oct 1, 2024 15:07:06.349481106 CEST	53	55881	1.1.1.1	192.168.2.6
Oct 1, 2024 15:07:06.349828005 CEST	53	59246	1.1.1.1	192.168.2.6
Oct 1, 2024 15:07:06.365464926 CEST	53	58721	1.1.1.1	192.168.2.6
Oct 1, 2024 15:07:09.789150953 CEST	53	50975	1.1.1.1	192.168.2.6
Oct 1, 2024 15:07:09.952433109 CEST	49799	53	192.168.2.6	1.1.1.1
Oct 1, 2024 15:07:09.952554941 CEST	60684	53	192.168.2.6	1.1.1.1
Oct 1, 2024 15:07:09.959346056 CEST	53	49799	1.1.1.1	192.168.2.6
Oct 1, 2024 15:07:09.959703922 CEST	53	60684	1.1.1.1	192.168.2.6
Oct 1, 2024 15:07:11.709809065 CEST	53	63750	1.1.1.1	192.168.2.6
Oct 1, 2024 15:07:14.654906988 CEST	62231	53	192.168.2.6	1.1.1.1
Oct 1, 2024 15:07:14.655051947 CEST	57511	53	192.168.2.6	1.1.1.1
Oct 1, 2024 15:07:14.661542892 CEST	53	62231	1.1.1.1	192.168.2.6
Oct 1, 2024 15:07:14.662502050 CEST	53	57511	1.1.1.1	192.168.2.6
Oct 1, 2024 15:07:15.710730076 CEST	56234	53	192.168.2.6	1.1.1.1
Oct 1, 2024 15:07:15.710944891 CEST	59296	53	192.168.2.6	1.1.1.1
Oct 1, 2024 15:07:15.717644930 CEST	53	59296	1.1.1.1	192.168.2.6
Oct 1, 2024 15:07:15.717822075 CEST	53	56234	1.1.1.1	192.168.2.6
Oct 1, 2024 15:07:23.614994049 CEST	53	53479	1.1.1.1	192.168.2.6
Oct 1, 2024 15:07:42.584588051 CEST	53	63849	1.1.1.1	192.168.2.6
Oct 1, 2024 15:08:05.211918116 CEST	53	59302	1.1.1.1	192.168.2.6
Oct 1, 2024 15:08:05.570391893 CEST	53	58144	1.1.1.1	192.168.2.6
Oct 1, 2024 15:08:16.746052027 CEST	53	55286	1.1.1.1	192.168.2.6
Oct 1, 2024 15:08:18.235948086 CEST	64475	53	192.168.2.6	1.1.1.1
Oct 1, 2024 15:08:18.236089945 CEST	53668	53	192.168.2.6	1.1.1.1
Oct 1, 2024 15:08:18.242856026 CEST	53	64475	1.1.1.1	192.168.2.6
Oct 1, 2024 15:08:18.243134022 CEST	53	53668	1.1.1.1	192.168.2.6
Oct 1, 2024 15:08:32.647519112 CEST	53	61580	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 1, 2024 15:07:05.273588896 CEST	192.168.2.6	1.1.1.1	0xe695	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:07:05.273737907 CEST	192.168.2.6	1.1.1.1	0x281d	Standard query (0)	youtube.com	65	IN (0x0001)	false
Oct 1, 2024 15:07:06.342724085 CEST	192.168.2.6	1.1.1.1	0xb273	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:07:06.343090057 CEST	192.168.2.6	1.1.1.1	0x34bc	Standard query (0)	www.youtube.com	65	IN (0x0001)	false
Oct 1, 2024 15:07:09.952433109 CEST	192.168.2.6	1.1.1.1	0xd122	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:07:09.952554941 CEST	192.168.2.6	1.1.1.1	0xde39	Standard query (0)	www.google.com	65	IN (0x0001)	false
Oct 1, 2024 15:07:14.654906988 CEST	192.168.2.6	1.1.1.1	0xfea0	Standard query (0)	accounts.youtube.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:07:14.655051947 CEST	192.168.2.6	1.1.1.1	0xb284	Standard query (0)	accounts.youtube.com	65	IN (0x0001)	false
Oct 1, 2024 15:07:15.710730076 CEST	192.168.2.6	1.1.1.1	0xfcba	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:07:15.710944891 CEST	192.168.2.6	1.1.1.1	0x7622	Standard query (0)	play.google.com	65	IN (0x0001)	false
Oct 1, 2024 15:08:18.235948086 CEST	192.168.2.6	1.1.1.1	0xf5ee	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:08:18.236089945 CEST	192.168.2.6	1.1.1.1	0xdd79	Standard query (0)	play.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 1, 2024 15:07:05.280272961 CEST	1.1.1.1	192.168.2.6	0xe695	No error (0)	youtube.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:07:05.280663967 CEST	1.1.1.1	192.168.2.6	0x281d	No error (0)	youtube.com			65	IN (0x0001)	false
Oct 1, 2024 15:07:06.349481106 CEST	1.1.1.1	192.168.2.6	0xb273	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 15:07:06.349481106 CEST	1.1.1.1	192.168.2.6	0xb273	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:07:06.349481106 CEST	1.1.1.1	192.168.2.6	0xb273	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:07:06.349481106 CEST	1.1.1.1	192.168.2.6	0xb273	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:07:06.349481106 CEST	1.1.1.1	192.168.2.6	0xb273	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:07:06.349481106 CEST	1.1.1.1	192.168.2.6	0xb273	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:07:06.349481106 CEST	1.1.1.1	192.168.2.6	0xb273	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:07:06.349481106 CEST	1.1.1.1	192.168.2.6	0xb273	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:07:06.349481106 CEST	1.1.1.1	192.168.2.6	0xb273	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:07:06.349481106 CEST	1.1.1.1	192.168.2.6	0xb273	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:07:06.349481106 CEST	1.1.1.1	192.168.2.6	0xb273	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:07:06.349481106 CEST	1.1.1.1	192.168.2.6	0xb273	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:07:06.349481106 CEST	1.1.1.1	192.168.2.6	0xb273	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:07:06.349481106 CEST	1.1.1.1	192.168.2.6	0xb273	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:07:06.349481106 CEST	1.1.1.1	192.168.2.6	0xb273	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:07:06.349481106 CEST	1.1.1.1	192.168.2.6	0xb273	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:07:06.349481106 CEST	1.1.1.1	192.168.2.6	0xb273	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:07:06.349828005 CEST	1.1.1.1	192.168.2.6	0x34bc	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 15:07:06.349828005 CEST	1.1.1.1	192.168.2.6	0x34bc	No error (0)	youtube-ui.l.google.com			65	IN (0x0001)	false
Oct 1, 2024 15:07:09.959346056 CEST	1.1.1.1	192.168.2.6	0xd122	No error (0)	www.google.com		142.250.184.196	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:07:09.959703922 CEST	1.1.1.1	192.168.2.6	0xde39	No error (0)	www.google.com			65	IN (0x0001)	false
Oct 1, 2024 15:07:14.661542892 CEST	1.1.1.1	192.168.2.6	0xfea0	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 15:07:14.661542892 CEST	1.1.1.1	192.168.2.6	0xfea0	No error (0)	www3.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:07:14.662502050 CEST	1.1.1.1	192.168.2.6	0xb284	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 15:07:15.717822075 CEST	1.1.1.1	192.168.2.6	0xfcba	No error (0)	play.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:08:18.242856026 CEST	1.1.1.1	192.168.2.6	0xf5ee	No error (0)	play.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

youtube.com

fs.microsoft.com

https:

accounts.youtube.com

play.google.com

www.google.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.6	49710	40.113.103.199	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 13:07:02 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 42 36 6a 4f 75 4b 63 73 43 6b 71 41 65 38 59 35 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 31 64 32 39 37 38 64 65 36 39 38 62 63 61 30 39 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: B6jOuKcsCkqAe8Y5.1Context: 1d2978de698bca09
2024-10-01 13:07:02 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-10-01 13:07:02 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 42 36 6a 4f 75 4b 63 73 43 6b 71 41 65 38 59 35 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 31 64 32 39 37 38 64 65 36 39 38 62 63 61 30 39 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 54 68 49 6a 58 55 61 4e 39 6f 39 70 4d 6f 46 34 56 32 61 6c 6d 5a 70 45 32 62 31 59 6f 6b 62 44 49 68 6b 49 69 50 54 53 71 63 6c 46 41 33 64 62 70 38 65 67 39 50 57 73 49 49 35 66 63 52 51 41 6e 4f 55 79 79 67 71 31 52 2b 62 52 4d 44 32 49 6f 75 65 53 75 75 5a 56 75 46 59 39 30 5a 79 59 33 39 78 77 42 75 75 59 43 44 7a 50 51 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: B6jOuKcsCkqAe8Y5.2Context: 1d2978de698bca09<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAThIjXUaN9o9pMoF4V2almZpE2b1YokbDIhkIiPTSqclFA3dbp8eg9PWsII5fcRQAnOUyygq1R+bRMD2IoueSuuZVuFY90ZyY39xwBuuYCDzPQ
2024-10-01 13:07:02 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 42 36 6a 4f 75 4b 63 73 43 6b 71 41 65 38 59 35 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 31 64 32 39 37 38 64 65 36 39 38 62 63 61 30 39 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: B6jOuKcsCkqAe8Y5.3Context: 1d2978de698bca09<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-10-01 13:07:02 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-10-01 13:07:02 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 49 53 67 31 6c 41 50 6a 4c 55 4b 75 78 6e 69 2b 61 32 7a 43 6d 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: ISg1lAPjLUKuxni+a2zCmA.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49714	172.217.16.142	443	5192	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 13:07:06 UTC	847	OUT	GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1 Host: youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlaHLAQj6mM0BCIWgzQEI3L3NAQiPys0BCLnKzQEI6dLNAQjo1c0BCMvWzQEIqNjNAQj5wNQVGLrSzQEY642lFw== Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 13:07:06 UTC	1704	IN	HTTP/1.1 301 Moved Permanently Content-Type: application/binary X-Content-Type-Options: nosniff Expires: Tue, 01 Oct 2024 13:07:06 GMT Date: Tue, 01 Oct 2024 13:07:06 GMT Cache-Control: private, max-age=31536000 Location: https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Server: ESF Content-Length: 0 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49727	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 13:07:11 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-01 13:07:11 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-neu-z1 Cache-Control: public, max-age=185919 Date: Tue, 01 Oct 2024 13:07:11 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.2.6	49728	40.115.3.253	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 13:07:11 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 64 62 55 37 66 58 6f 54 38 30 4b 36 30 76 35 2f 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 61 66 32 61 31 61 66 62 39 61 32 62 37 64 30 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: dbU7fXoT80K60v5/.1Context: 2af2a1afb9a2b7d0
2024-10-01 13:07:11 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-10-01 13:07:11 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 64 62 55 37 66 58 6f 54 38 30 4b 36 30 76 35 2f 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 61 66 32 61 31 61 66 62 39 61 32 62 37 64 30 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 54 68 49 6a 58 55 61 4e 39 6f 39 70 4d 6f 46 34 56 32 61 6c 6d 5a 70 45 32 62 31 59 6f 6b 62 44 49 68 6b 49 69 50 54 53 71 63 6c 46 41 33 64 62 70 38 65 67 39 50 57 73 49 49 35 66 63 52 51 41 6e 4f 55 79 79 67 71 31 52 2b 62 52 4d 44 32 49 6f 75 65 53 75 75 5a 56 75 46 59 39 30 5a 79 59 33 39 78 77 42 75 75 59 43 44 7a 50 51 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: dbU7fXoT80K60v5/.2Context: 2af2a1afb9a2b7d0<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAThIjXUaN9o9pMoF4V2almZpE2b1YokbDIhkIiPTSqclFA3dbp8eg9PWsII5fcRQAnOUyygq1R+bRMD2IoueSuuZVuFY90ZyY39xwBuuYCDzPQ
2024-10-01 13:07:11 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 64 62 55 37 66 58 6f 54 38 30 4b 36 30 76 35 2f 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 61 66 32 61 31 61 66 62 39 61 32 62 37 64 30 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: dbU7fXoT80K60v5/.3Context: 2af2a1afb9a2b7d0<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-10-01 13:07:11 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-10-01 13:07:11 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 70 70 30 4c 45 44 42 6b 6f 55 4b 2b 56 30 49 73 64 4e 2b 35 72 51 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: pp0LEDBkoUK+V0IsdN+5rQ.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49729	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 13:07:12 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-01 13:07:12 UTC	515	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=185862 Date: Tue, 01 Oct 2024 13:07:12 GMT Content-Length: 55 Connection: close X-CID: 2
2024-10-01 13:07:12 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49743	142.250.186.174	443	5192	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 13:07:15 UTC	1232	OUT	GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=1268387220&timestamp=1727788033886 HTTP/1.1 Host: accounts.youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-arch: "x86" sec-ch-ua-platform: "Windows" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-model: "" sec-ch-ua-bitness: "64" sec-ch-ua-wow64: ?0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlaHLAQj6mM0BCIWgzQEI3L3NAQiPys0BCLnKzQEI6dLNAQjo1c0BCMvWzQEIqNjNAQj5wNQVGLrSzQEY642lFw== Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: iframe Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 13:07:15 UTC	1965	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 X-Frame-Options: ALLOW-FROM https://accounts.google.com Content-Security-Policy: frame-ancestors https://accounts.google.com Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-Ujj6DL_55_f6Qdexx5UNjA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport/allowlist Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 01 Oct 2024 13:07:15 GMT Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Resource-Policy: cross-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version reporting-endpoints: default="/_/AccountsDomainCookiesCheckConnectionHttp/web-reports?context=eJzjMtHikmII0JBiWMy_i0ni60smLSB2Sp_BGgLESf_Os5YA8eXuS6zXgbhI4gprCxAL8XA0v3i_nU3gxPvXHxmV9JLyC-MzU1LzSjJLKlPycxMz85Lz87MzU4uLU4vKUovijQyMTAwsjYz0DCziCwwAOoksrg" Server: ESF X-XSS-Protection: 0 X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 13:07:15 UTC	1965	IN	Data Raw: 37 36 31 39 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 55 6a 6a 36 44 4c 5f 35 35 5f 66 36 51 64 65 78 78 35 55 4e 6a 41 22 3e 22 75 73 65 20 73 74 72 69 63 74 22 3b 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 3d 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 7c 7c 7b 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 5f 29 7b 76 61 72 20 77 69 6e 64 6f 77 3d 74 68 69 73 3b 0a 74 72 79 7b 0a 5f 2e 5f 46 5f 74 6f 67 67 6c 65 73 5f 69 6e 69 74 69 61 6c 69 7a 65 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 28 74 79 70 65 6f Data Ascii: 7619<html><head><script nonce="Ujj6DL_55_f6Qdexx5UNjA">"use strict";this.default_AccountsDomaincookiesCheckconnectionJs=this.default_AccountsDomaincookiesCheckconnectionJs\|\|{};(function(_){var window=this;try{_._F_toggles_initialize=function(a){(typeo
2024-10-01 13:07:15 UTC	1965	IN	Data Raw: 28 62 3d 2f 54 72 69 64 65 6e 74 5c 2f 28 5c 64 2e 5c 64 29 2f 2e 65 78 65 63 28 62 29 2c 0a 63 5b 31 5d 3d 3d 22 37 2e 30 22 29 69 66 28 62 26 26 62 5b 31 5d 29 73 77 69 74 63 68 28 62 5b 31 5d 29 7b 63 61 73 65 20 22 34 2e 30 22 3a 61 3d 22 38 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 35 2e 30 22 3a 61 3d 22 39 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 36 2e 30 22 3a 61 3d 22 31 30 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 37 2e 30 22 3a 61 3d 22 31 31 2e 30 22 7d 65 6c 73 65 20 61 3d 22 37 2e 30 22 3b 65 6c 73 65 20 61 3d 63 5b 31 5d 3b 62 3d 61 7d 65 6c 73 65 20 62 3d 22 22 3b 72 65 74 75 72 6e 20 62 7d 76 61 72 20 64 3d 52 65 67 45 78 70 28 22 28 5b 41 2d 5a 5d 5b 5c 5c 77 20 5d 2b 29 2f 28 5b 5e 5c 5c 73 5d 2b 29 5c 5c 73 2a 28 3f Data Ascii: (b=/Trident\/(\d.\d)/.exec(b),c[1]=="7.0")if(b&&b[1])switch(b[1]){case "4.0":a="8.0";break;case "5.0":a="9.0";break;case "6.0":a="10.0";break;case "7.0":a="11.0"}else a="7.0";else a=c[1];b=a}else b="";return b}var d=RegExp("([A-Z][\\w ]+)/([^\\s]+)\\s*(?
2024-10-01 13:07:15 UTC	1965	IN	Data Raw: 6e 28 61 29 7b 73 77 69 74 63 68 28 74 79 70 65 6f 66 20 61 29 7b 63 61 73 65 20 22 6e 75 6d 62 65 72 22 3a 72 65 74 75 72 6e 20 69 73 46 69 6e 69 74 65 28 61 29 3f 61 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 69 67 69 6e 74 22 3a 72 65 74 75 72 6e 28 41 61 3f 0a 61 3e 3d 42 61 26 26 61 3c 3d 43 61 3a 61 5b 30 5d 3d 3d 3d 22 2d 22 3f 75 61 28 61 2c 44 61 29 3a 75 61 28 61 2c 45 61 29 29 3f 4e 75 6d 62 65 72 28 61 29 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 72 65 74 75 72 6e 20 61 3f 31 3a 30 3b 63 61 73 65 20 22 6f 62 6a 65 63 74 22 3a 69 66 28 61 29 69 66 28 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 61 29 29 7b 69 66 28 43 28 61 29 29 72 65 74 75 72 6e 7d 65 6c 73 65 20 69 66 28 46 61 26 26 61 21 3d 6e 75 Data Ascii: n(a){switch(typeof a){case "number":return isFinite(a)?a:String(a);case "bigint":return(Aa?a>=Ba&&a<=Ca:a[0]==="-"?ua(a,Da):ua(a,Ea))?Number(a):String(a);case "boolean":return a?1:0;case "object":if(a)if(Array.isArray(a)){if(C(a))return}else if(Fa&&a!=nu
2024-10-01 13:07:15 UTC	1965	IN	Data Raw: 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3b 69 66 28 61 26 26 28 62 3d 51 61 29 21 3d 6e 75 6c 6c 26 26 62 2e 68 61 73 28 61 29 26 26 28 62 3d 61 2e 43 29 29 66 6f 72 28 76 61 72 20 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 62 5b 63 5d 3b 69 66 28 63 3d 3d 3d 62 2e 6c 65 6e 67 74 68 2d 31 26 26 41 28 64 29 29 66 6f 72 28 76 61 72 20 65 20 69 6e 20 64 29 7b 76 61 72 20 66 3d 64 5b 65 5d 3b 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 66 29 26 26 0a 52 61 28 66 2c 61 29 7d 65 6c 73 65 20 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 64 29 26 26 52 61 28 64 2c 61 29 7d 61 3d 45 3f 61 2e 43 3a 4d 61 28 61 2e 43 2c 50 61 2c 76 6f 69 64 20 30 2c 76 6f 69 64 20 30 2c 21 31 29 3b 65 3d 21 45 3b 69 66 28 62 3d 61 2e 6c 65 Data Ascii: =function(a){var b;if(a&&(b=Qa)!=null&&b.has(a)&&(b=a.C))for(var c=0;c<b.length;c++){var d=b[c];if(c===b.length-1&&A(d))for(var e in d){var f=d[e];Array.isArray(f)&&Ra(f,a)}else Array.isArray(d)&&Ra(d,a)}a=E?a.C:Ma(a.C,Pa,void 0,void 0,!1);e=!E;if(b=a.le
2024-10-01 13:07:15 UTC	1965	IN	Data Raw: 75 72 6e 20 65 7d 29 3b 0a 47 28 22 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 61 29 72 65 74 75 72 6e 20 61 3b 61 3d 53 79 6d 62 6f 6c 28 22 63 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 22 41 72 72 61 79 20 49 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 43 6c 61 6d 70 65 64 41 72 72 61 79 20 49 6e 74 31 36 41 72 72 61 79 20 55 69 6e 74 31 36 41 72 72 61 79 20 49 6e 74 33 32 41 72 72 61 79 20 55 69 6e 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 36 34 41 72 72 61 79 22 2e 73 70 6c 69 74 28 22 20 22 29 2c 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 57 61 5b 62 5b 63 5d 5d 3b 74 79 70 65 6f 66 20 64 3d 3d 3d Data Ascii: urn e});G("Symbol.iterator",function(a){if(a)return a;a=Symbol("c");for(var b="Array Int8Array Uint8Array Uint8ClampedArray Int16Array Uint16Array Int32Array Uint32Array Float32Array Float64Array".split(" "),c=0;c<b.length;c++){var d=Wa[b[c]];typeof d===
2024-10-01 13:07:15 UTC	1965	IN	Data Raw: 69 64 64 65 6e 5f 22 2b 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 3b 65 28 22 66 72 65 65 7a 65 22 29 3b 65 28 22 70 72 65 76 65 6e 74 45 78 74 65 6e 73 69 6f 6e 73 22 29 3b 65 28 22 73 65 61 6c 22 29 3b 76 61 72 20 68 3d 30 2c 67 3d 66 75 6e 63 74 69 6f 6e 28 6b 29 7b 74 68 69 73 2e 67 3d 28 68 2b 3d 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2b 31 29 2e 74 6f 53 74 72 69 6e 67 28 29 3b 69 66 28 6b 29 7b 6b 3d 48 28 6b 29 3b 66 6f 72 28 76 61 72 20 6c 3b 21 28 6c 3d 6b 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6c 3d 6c 2e 76 61 6c 75 65 2c 74 68 69 73 2e 73 65 74 28 6c 5b 30 5d 2c 6c 5b 31 5d 29 7d 7d 3b 67 2e 70 72 6f 74 6f 74 79 70 65 2e 73 65 74 3d 66 75 6e 63 74 69 6f 6e 28 6b 2c 6c 29 7b 69 66 28 21 63 28 6b 29 29 74 68 72 6f 77 20 45 72 72 6f 72 28 22 Data Ascii: idden_"+Math.random();e("freeze");e("preventExtensions");e("seal");var h=0,g=function(k){this.g=(h+=Math.random()+1).toString();if(k){k=H(k);for(var l;!(l=k.next()).done;)l=l.value,this.set(l[0],l[1])}};g.prototype.set=function(k,l){if(!c(k))throw Error("
2024-10-01 13:07:15 UTC	1965	IN	Data Raw: 6e 20 65 28 74 68 69 73 2c 66 75 6e 63 74 69 6f 6e 28 67 29 7b 72 65 74 75 72 6e 20 67 2e 76 61 6c 75 65 7d 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 2e 66 6f 72 45 61 63 68 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 66 6f 72 28 76 61 72 20 6c 3d 74 68 69 73 2e 65 6e 74 72 69 65 73 28 29 2c 6d 3b 21 28 6d 3d 6c 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6d 3d 0a 6d 2e 76 61 6c 75 65 2c 67 2e 63 61 6c 6c 28 6b 2c 6d 5b 31 5d 2c 6d 5b 30 5d 2c 74 68 69 73 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 5b 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 5d 3d 63 2e 70 72 6f 74 6f 74 79 70 65 2e 65 6e 74 72 69 65 73 3b 76 61 72 20 64 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 76 61 72 20 6c 3d 6b 26 26 74 79 70 65 6f 66 20 6b 3b 6c 3d 3d 22 6f 62 6a 65 63 74 22 Data Ascii: n e(this,function(g){return g.value})};c.prototype.forEach=function(g,k){for(var l=this.entries(),m;!(m=l.next()).done;)m=m.value,g.call(k,m[1],m[0],this)};c.prototype[Symbol.iterator]=c.prototype.entries;var d=function(g,k){var l=k&&typeof k;l=="object"
2024-10-01 13:07:15 UTC	1965	IN	Data Raw: 31 7d 7d 29 3b 47 28 22 4e 75 6d 62 65 72 2e 69 73 4e 61 4e 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 3f 61 3a 66 75 6e 63 74 69 6f 6e 28 62 29 7b 72 65 74 75 72 6e 20 74 79 70 65 6f 66 20 62 3d 3d 3d 22 6e 75 6d 62 65 72 22 26 26 69 73 4e 61 4e 28 62 29 7d 7d 29 3b 76 61 72 20 66 62 3d 66 62 7c 7c 7b 7d 2c 71 3d 74 68 69 73 7c 7c 73 65 6c 66 2c 67 62 3d 71 2e 5f 46 5f 74 6f 67 67 6c 65 73 7c 7c 5b 5d 2c 68 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 3d 61 2e 73 70 6c 69 74 28 22 2e 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 71 2c 63 3d 30 3b 63 3c 61 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 69 66 28 62 3d 62 5b 61 5b 63 5d 5d 2c 62 3d 3d 6e 75 6c 6c 29 72 65 74 75 72 6e 20 6e 75 6c 6c 3b 72 65 74 75 72 6e 20 62 7d 2c 69 62 3d 22 63 6c 6f Data Ascii: 1}});G("Number.isNaN",function(a){return a?a:function(b){return typeof b==="number"&&isNaN(b)}});var fb=fb\|\|{},q=this\|\|self,gb=q._F_toggles\|\|[],hb=function(a){a=a.split(".");for(var b=q,c=0;c<a.length;c++)if(b=b[a[c]],b==null)return null;return b},ib="clo
2024-10-01 13:07:15 UTC	1965	IN	Data Raw: 39 38 34 33 38 32 7c 7c 28 61 2e 5f 5f 63 6c 6f 73 75 72 65 5f 5f 65 72 72 6f 72 5f 5f 63 6f 6e 74 65 78 74 5f 5f 39 38 34 33 38 32 3d 7b 7d 29 3b 61 2e 5f 5f 63 6c 6f 73 75 72 65 5f 5f 65 72 72 6f 72 5f 5f 63 6f 6e 74 65 78 74 5f 5f 39 38 34 33 38 32 2e 73 65 76 65 72 69 74 79 3d 62 7d 3b 76 61 72 20 71 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 63 3d 63 7c 7c 71 3b 76 61 72 20 64 3d 63 2e 6f 6e 65 72 72 6f 72 2c 65 3d 21 21 62 3b 63 2e 6f 6e 65 72 72 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 66 2c 68 2c 67 2c 6b 2c 6c 29 7b 64 26 26 64 28 66 2c 68 2c 67 2c 6b 2c 6c 29 3b 61 28 7b 6d 65 73 73 61 67 65 3a 66 2c 66 69 6c 65 4e 61 6d 65 3a 68 2c 6c 69 6e 65 3a 67 2c 6c 69 6e 65 4e 75 6d 62 65 72 3a 67 2c 63 61 3a 6b 2c 65 72 72 6f 72 3a 6c 7d 29 3b 72 Data Ascii: 984382\|\|(a.__closure__error__context__984382={});a.__closure__error__context__984382.severity=b};var qb=function(a,b,c){c=c\|\|q;var d=c.onerror,e=!!b;c.onerror=function(f,h,g,k,l){d&&d(f,h,g,k,l);a({message:f,fileName:h,line:g,lineNumber:g,ca:k,error:l});r
2024-10-01 13:07:15 UTC	1965	IN	Data Raw: 75 6c 6c 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 73 74 72 69 6e 67 22 3a 62 72 65 61 6b 3b 63 61 73 65 20 22 6e 75 6d 62 65 72 22 3a 66 3d 53 74 72 69 6e 67 28 66 29 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 66 3d 66 3f 22 74 72 75 65 22 3a 22 66 61 6c 73 65 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 66 75 6e 63 74 69 6f 6e 22 3a 66 3d 28 66 3d 73 62 28 66 29 29 3f 66 3a 22 5b 66 6e 5d 22 3b 62 72 65 61 6b 3b 64 65 66 61 75 6c 74 3a 66 3d 0a 74 79 70 65 6f 66 20 66 7d 66 2e 6c 65 6e 67 74 68 3e 34 30 26 26 28 66 3d 66 2e 73 6c 69 63 65 28 30 2c 34 30 29 2b 22 2e 2e 2e 22 29 3b 63 2e 70 75 73 68 28 66 29 7d 62 2e 70 75 73 68 28 61 29 3b 63 2e 70 75 73 68 28 22 29 5c 6e 22 29 3b 74 72 79 7b 63 2e 70 75 73 68 28 77 62 28 61 2e 63 61 Data Ascii: ull";break;case "string":break;case "number":f=String(f);break;case "boolean":f=f?"true":"false";break;case "function":f=(f=sb(f))?f:"[fn]";break;default:f=typeof f}f.length>40&&(f=f.slice(0,40)+"...");c.push(f)}b.push(a);c.push(")\n");try{c.push(wb(a.ca

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49746	216.58.212.142	443	5192	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 13:07:16 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 13:07:16 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 13:07:16 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49747	216.58.212.142	443	5192	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 13:07:16 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 13:07:16 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 13:07:16 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49750	216.58.212.142	443	5192	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 13:07:17 UTC	1120	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 519 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlaHLAQj6mM0BCIWgzQEI3L3NAQiPys0BCLnKzQEI6dLNAQjo1c0BCMvWzQEIqNjNAQj5wNQVGLrSzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 13:07:17 UTC	519	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 38 38 30 33 34 39 34 37 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727788034947",null,null,null
2024-10-01 13:07:17 UTC	932	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=qLj3mQ5ZEpNmz_w_GcUBsgSo121wtjPU7qKmPLD8BhoahuNq4EU-B5YC_LNdgAENwK8FcVxLz659A6eWC7lwedOjwXPFyh_k7MxzjfhPuwZLslDZP-apS-V6LqHIeIxclM26RGQQw7XeRvMXuKRB2TQlgPxGlX8-p8KZf1Mt-_EsWwjTXw; expires=Wed, 02-Apr-2025 13:07:17 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 13:07:17 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Tue, 01 Oct 2024 13:07:17 GMT Connection: close Transfer-Encoding: chunked
2024-10-01 13:07:17 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 13:07:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49752	216.58.212.142	443	5192	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 13:07:17 UTC	1120	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 519 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlaHLAQj6mM0BCIWgzQEI3L3NAQiPys0BCLnKzQEI6dLNAQjo1c0BCMvWzQEIqNjNAQj5wNQVGLrSzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 13:07:17 UTC	519	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 38 38 30 33 35 30 35 39 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727788035059",null,null,null
2024-10-01 13:07:17 UTC	932	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=hdMFKixWukTJDGmDoxIhtAd_eGP5b6OVQ3aUoATEDXLwj-tnshwULr8C-ofy60qdZLVF0C3bL92SfKTv8Dx0zpK0MlPu9iQky2JeopElrvSwWKwk2StD5D27zoTXgYPKR0mLaERYJ59HQdWeYcZutueqcp-Ke24c8MLzpBipEJ9JXMcl4w; expires=Wed, 02-Apr-2025 13:07:17 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 13:07:17 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Tue, 01 Oct 2024 13:07:17 GMT Connection: close Transfer-Encoding: chunked
2024-10-01 13:07:17 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 13:07:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49723	142.250.184.196	443	5192	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 13:07:18 UTC	1209	OUT	GET /favicon.ico HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlaHLAQj6mM0BCIWgzQEI3L3NAQiPys0BCLnKzQEI6dLNAQjo1c0BCMvWzQEIqNjNAQj5wNQVGLrSzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=hdMFKixWukTJDGmDoxIhtAd_eGP5b6OVQ3aUoATEDXLwj-tnshwULr8C-ofy60qdZLVF0C3bL92SfKTv8Dx0zpK0MlPu9iQky2JeopElrvSwWKwk2StD5D27zoTXgYPKR0mLaERYJ59HQdWeYcZutueqcp-Ke24c8MLzpBipEJ9JXMcl4w
2024-10-01 13:07:18 UTC	705	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable" Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]} Content-Length: 5430 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Tue, 01 Oct 2024 11:26:23 GMT Expires: Wed, 09 Oct 2024 11:26:23 GMT Cache-Control: public, max-age=691200 Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT Content-Type: image/x-icon Vary: Accept-Encoding Age: 6055 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-01 13:07:18 UTC	685	IN	Data Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 30 fd fd fd 96 fd fd fd d8 fd fd fd f9 fd fd fd f9 fd fd fd d7 fd fd fd 94 fe fe fe 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 95 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd c1 ff ff ff ff fa fd f9 ff b4 d9 a7 ff 76 ba 5d ff 58 ab 3a ff 58 aa 3a ff 72 b8 59 ff ac d5 9d ff f8 fb f6 ff ff Data Ascii: h& ( 0.v]X:X:rY
2024-10-01 13:07:18 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d8 fd fd fd 99 ff ff ff ff 92 cf fb ff 37 52 ec ff 38 46 ea ff d0 d4 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 96 fe fe fe 32 ff ff ff ff f9 f9 fe ff 56 62 ed ff 35 43 ea ff 3b 49 eb ff 95 9c f4 ff cf d2 fa ff d1 d4 fa ff 96 9d f4 ff 52 5e ed ff e1 e3 fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 30 00 00 00 00 fd fd fd 9d ff ff ff ff e8 ea fd ff 58 63 ee ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 6c 76 f0 ff ff ff ff ff ff ff ff ff fd fd fd 98 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd c3 ff ff ff ff f9 f9 fe ff a5 ac f6 ff 5d 69 ee ff 3c 4a Data Ascii: 7R8F2Vb5C;IR^0Xc5C5C5C5C5C5Clv]i<J
2024-10-01 13:07:18 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff fd fd fd d0 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd fd fd 8b ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b1 d8 a3 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 60 a5 35 ff ca 8e 3e ff f9 c1 9f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 87 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 25 fd fd fd fb ff ff ff ff ff ff ff ff ff ff ff ff c2 e0 b7 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 6e b6 54 ff 9f ce 8d ff b7 da aa ff b8 db ab ff a5 d2 95 ff 7b bc 64 ff 54 a8 35 ff 53 a8 34 ff 77 a0 37 ff e3 89 41 ff f4 85 42 ff f4 85 42 ff Data Ascii: S4S4S4S4S4S4S4S4S4S4S4S4S4S4`5>%S4S4S4S4S4S4nT{dT5S4w7ABB
2024-10-01 13:07:18 UTC	1390	IN	Data Raw: ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff fb d5 bf ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd ea fd fd fd cb ff ff ff ff ff ff ff ff ff ff ff ff 46 cd fc ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 21 ae f9 ff fb fb ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd c8 fd fd fd 9c ff ff ff ff ff ff ff ff ff ff ff ff 86 df fd ff 05 bc fb ff 05 bc fb ff 15 93 f5 ff 34 49 eb ff b3 b8 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: BBBBBBF!4I
2024-10-01 13:07:18 UTC	575	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d2 fe fe fe 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd 8d fd fd fd fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd fb fd fd fd 8b fe fe fe 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 27 fd fd fd 9f fd fd fd f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: $'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49759	13.85.23.86	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 13:07:21 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=UM3WpNRVP3eRllF&MD=che9ckaB HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-01 13:07:21 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 812f7730-deff-4fc9-b089-53f1cd8ad124 MS-RequestId: 65ff619e-e7b4-43e2-be90-23fb8fbec8e0 MS-CV: SqUNUZWylkOSUwEC.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Tue, 01 Oct 2024 13:07:20 GMT Connection: close Content-Length: 24490
2024-10-01 13:07:21 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-10-01 13:07:21 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49763	216.58.212.142	443	5192	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 13:07:24 UTC	1294	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1224 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlaHLAQj6mM0BCIWgzQEI3L3NAQiPys0BCLnKzQEI6dLNAQjo1c0BCMvWzQEIqNjNAQj5wNQVGLrSzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=hdMFKixWukTJDGmDoxIhtAd_eGP5b6OVQ3aUoATEDXLwj-tnshwULr8C-ofy60qdZLVF0C3bL92SfKTv8Dx0zpK0MlPu9iQky2JeopElrvSwWKwk2StD5D27zoTXgYPKR0mLaERYJ59HQdWeYcZutueqcp-Ke24c8MLzpBipEJ9JXMcl4w
2024-10-01 13:07:24 UTC	1224	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 34 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 35 35 38 2c 5b 5b 22 31 37 32 37 37 38 38 30 33 32 30 30 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,null,null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[4,0,0,0,0]]],558,[["1727788032000",null,null,null,
2024-10-01 13:07:24 UTC	940	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=dhxmbELXrSLkiEIMovpP4zRHz9TAAQ11FFiQsOsZHkG4sCkt_33rbZ7_dAlQBxtOf8UIunI6LBBs6-pGonpgLtLIuX5Dtpvv_zj1jc5kHC8PLKQKRIA8evCQuiGkA4g6Z3EPrpvj1R_PGyM4e1d4vqpIcmWizIS9nxH9P6dph6xrcgtuoPdGG9jJxw; expires=Wed, 02-Apr-2025 13:07:24 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 13:07:24 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Tue, 01 Oct 2024 13:07:24 GMT Connection: close Transfer-Encoding: chunked
2024-10-01 13:07:24 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 13:07:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
13	192.168.2.6	49764	40.115.3.253	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 13:07:27 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 77 6b 56 63 72 70 4c 30 4c 55 79 37 53 4e 42 70 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 34 35 64 64 30 33 36 37 63 37 61 39 64 35 38 66 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: wkVcrpL0LUy7SNBp.1Context: 45dd0367c7a9d58f
2024-10-01 13:07:27 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-10-01 13:07:27 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 77 6b 56 63 72 70 4c 30 4c 55 79 37 53 4e 42 70 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 34 35 64 64 30 33 36 37 63 37 61 39 64 35 38 66 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 54 68 49 6a 58 55 61 4e 39 6f 39 70 4d 6f 46 34 56 32 61 6c 6d 5a 70 45 32 62 31 59 6f 6b 62 44 49 68 6b 49 69 50 54 53 71 63 6c 46 41 33 64 62 70 38 65 67 39 50 57 73 49 49 35 66 63 52 51 41 6e 4f 55 79 79 67 71 31 52 2b 62 52 4d 44 32 49 6f 75 65 53 75 75 5a 56 75 46 59 39 30 5a 79 59 33 39 78 77 42 75 75 59 43 44 7a 50 51 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: wkVcrpL0LUy7SNBp.2Context: 45dd0367c7a9d58f<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAThIjXUaN9o9pMoF4V2almZpE2b1YokbDIhkIiPTSqclFA3dbp8eg9PWsII5fcRQAnOUyygq1R+bRMD2IoueSuuZVuFY90ZyY39xwBuuYCDzPQ
2024-10-01 13:07:27 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 77 6b 56 63 72 70 4c 30 4c 55 79 37 53 4e 42 70 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 34 35 64 64 30 33 36 37 63 37 61 39 64 35 38 66 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: wkVcrpL0LUy7SNBp.3Context: 45dd0367c7a9d58f<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-10-01 13:07:27 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-10-01 13:07:27 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 74 32 4f 4f 46 30 6d 30 76 55 43 6d 45 68 4e 6d 42 6c 52 76 35 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: t2OOF0m0vUCmEhNmBlRv5w.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
14	192.168.2.6	49765	40.113.103.199	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 13:07:47 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 35 6c 56 32 38 6e 33 2b 69 45 43 43 68 71 48 6c 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 38 63 32 33 30 62 32 36 66 34 30 32 33 31 34 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: 5lV28n3+iECChqHl.1Context: 98c230b26f402314
2024-10-01 13:07:47 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-10-01 13:07:47 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 35 6c 56 32 38 6e 33 2b 69 45 43 43 68 71 48 6c 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 38 63 32 33 30 62 32 36 66 34 30 32 33 31 34 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 54 68 49 6a 58 55 61 4e 39 6f 39 70 4d 6f 46 34 56 32 61 6c 6d 5a 70 45 32 62 31 59 6f 6b 62 44 49 68 6b 49 69 50 54 53 71 63 6c 46 41 33 64 62 70 38 65 67 39 50 57 73 49 49 35 66 63 52 51 41 6e 4f 55 79 79 67 71 31 52 2b 62 52 4d 44 32 49 6f 75 65 53 75 75 5a 56 75 46 59 39 30 5a 79 59 33 39 78 77 42 75 75 59 43 44 7a 50 51 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: 5lV28n3+iECChqHl.2Context: 98c230b26f402314<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAThIjXUaN9o9pMoF4V2almZpE2b1YokbDIhkIiPTSqclFA3dbp8eg9PWsII5fcRQAnOUyygq1R+bRMD2IoueSuuZVuFY90ZyY39xwBuuYCDzPQ
2024-10-01 13:07:47 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 35 6c 56 32 38 6e 33 2b 69 45 43 43 68 71 48 6c 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 38 63 32 33 30 62 32 36 66 34 30 32 33 31 34 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: 5lV28n3+iECChqHl.3Context: 98c230b26f402314<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-10-01 13:07:47 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-10-01 13:07:47 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 6a 6f 46 4f 4e 55 6d 49 66 30 36 67 36 74 63 39 39 6a 69 45 62 51 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: joFONUmIf06g6tc99jiEbQ.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	49766	216.58.212.142	443	5192	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 13:07:47 UTC	1325	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1280 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlaHLAQj6mM0BCIWgzQEI3L3NAQiPys0BCLnKzQEI6dLNAQjo1c0BCMvWzQEIqNjNAQj5wNQVGLrSzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=dhxmbELXrSLkiEIMovpP4zRHz9TAAQ11FFiQsOsZHkG4sCkt_33rbZ7_dAlQBxtOf8UIunI6LBBs6-pGonpgLtLIuX5Dtpvv_zj1jc5kHC8PLKQKRIA8evCQuiGkA4g6Z3EPrpvj1R_PGyM4e1d4vqpIcmWizIS9nxH9P6dph6xrcgtuoPdGG9jJxw
2024-10-01 13:07:47 UTC	1280	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 38 38 30 36 36 37 39 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727788066790",null,null,null
2024-10-01 13:07:48 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 13:07:48 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 13:07:48 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 13:07:48 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.6	49767	216.58.212.142	443	5192	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 13:07:48 UTC	1285	OUT	POST /log?hasfast=true&authuser=0&format=json HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1039 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.134" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlaHLAQj6mM0BCIWgzQEI3L3NAQiPys0BCLnKzQEI6dLNAQjo1c0BCMvWzQEIqNjNAQj5wNQVGLrSzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=dhxmbELXrSLkiEIMovpP4zRHz9TAAQ11FFiQsOsZHkG4sCkt_33rbZ7_dAlQBxtOf8UIunI6LBBs6-pGonpgLtLIuX5Dtpvv_zj1jc5kHC8PLKQKRIA8evCQuiGkA4g6Z3EPrpvj1R_PGyM4e1d4vqpIcmWizIS9nxH9P6dph6xrcgtuoPdGG9jJxw
2024-10-01 13:07:48 UTC	1039	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 62 6f 71 5f 69 64 65 6e 74 69 74 79 66 72 6f 6e 74 65 6e 64 61 75 74 68 75 69 73 65 72 76 65 72 5f 32 30 32 34 30 39 32 34 2e 30 32 5f 70 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 33 2c 30 2c 30 Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"boq_identityfrontendauthuiserver_20240924.02_p0",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[3,0,0
2024-10-01 13:07:48 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 13:07:48 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 13:07:48 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 13:07:48 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.6	49768	216.58.212.142	443	5192	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 13:07:49 UTC	1325	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1203 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlaHLAQj6mM0BCIWgzQEI3L3NAQiPys0BCLnKzQEI6dLNAQjo1c0BCMvWzQEIqNjNAQj5wNQVGLrSzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=dhxmbELXrSLkiEIMovpP4zRHz9TAAQ11FFiQsOsZHkG4sCkt_33rbZ7_dAlQBxtOf8UIunI6LBBs6-pGonpgLtLIuX5Dtpvv_zj1jc5kHC8PLKQKRIA8evCQuiGkA4g6Z3EPrpvj1R_PGyM4e1d4vqpIcmWizIS9nxH9P6dph6xrcgtuoPdGG9jJxw
2024-10-01 13:07:49 UTC	1203	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 38 38 30 36 37 35 39 39 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727788067599",null,null,null
2024-10-01 13:07:49 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 13:07:49 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 13:07:49 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 13:07:49 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	49769	13.85.23.86	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 13:07:58 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=UM3WpNRVP3eRllF&MD=che9ckaB HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-01 13:07:58 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: 715845dc-6943-4ab1-b42d-95bfb002b598 MS-RequestId: 97f1ea52-598e-496c-be97-654ddf3ebdff MS-CV: IZQcn5F1zEGNMQj3.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Tue, 01 Oct 2024 13:07:57 GMT Connection: close Content-Length: 30005
2024-10-01 13:07:58 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-10-01 13:07:58 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Session ID	Source IP	Source Port	Destination IP	Destination Port
19	192.168.2.6	49771	40.113.103.199	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 13:08:08 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 57 45 4c 31 41 64 36 39 4c 30 43 2f 4e 6f 6d 69 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 31 64 38 65 63 63 62 32 34 61 38 33 38 61 37 31 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: WEL1Ad69L0C/Nomi.1Context: 1d8eccb24a838a71
2024-10-01 13:08:08 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-10-01 13:08:08 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 57 45 4c 31 41 64 36 39 4c 30 43 2f 4e 6f 6d 69 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 31 64 38 65 63 63 62 32 34 61 38 33 38 61 37 31 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 54 68 49 6a 58 55 61 4e 39 6f 39 70 4d 6f 46 34 56 32 61 6c 6d 5a 70 45 32 62 31 59 6f 6b 62 44 49 68 6b 49 69 50 54 53 71 63 6c 46 41 33 64 62 70 38 65 67 39 50 57 73 49 49 35 66 63 52 51 41 6e 4f 55 79 79 67 71 31 52 2b 62 52 4d 44 32 49 6f 75 65 53 75 75 5a 56 75 46 59 39 30 5a 79 59 33 39 78 77 42 75 75 59 43 44 7a 50 51 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: WEL1Ad69L0C/Nomi.2Context: 1d8eccb24a838a71<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAThIjXUaN9o9pMoF4V2almZpE2b1YokbDIhkIiPTSqclFA3dbp8eg9PWsII5fcRQAnOUyygq1R+bRMD2IoueSuuZVuFY90ZyY39xwBuuYCDzPQ
2024-10-01 13:08:08 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 57 45 4c 31 41 64 36 39 4c 30 43 2f 4e 6f 6d 69 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 31 64 38 65 63 63 62 32 34 61 38 33 38 61 37 31 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: WEL1Ad69L0C/Nomi.3Context: 1d8eccb24a838a71<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-10-01 13:08:09 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-10-01 13:08:09 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 63 30 7a 2b 61 59 6f 43 78 55 4b 38 49 76 72 52 78 77 42 68 4a 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: c0z+aYoCxUK8IvrRxwBhJg.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.6	49774	142.250.181.238	443	5192	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 13:08:18 UTC	1325	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1207 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlaHLAQj6mM0BCIWgzQEI3L3NAQiPys0BCLnKzQEI6dLNAQjo1c0BCMvWzQEIqNjNAQj5wNQVGLrSzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=dhxmbELXrSLkiEIMovpP4zRHz9TAAQ11FFiQsOsZHkG4sCkt_33rbZ7_dAlQBxtOf8UIunI6LBBs6-pGonpgLtLIuX5Dtpvv_zj1jc5kHC8PLKQKRIA8evCQuiGkA4g6Z3EPrpvj1R_PGyM4e1d4vqpIcmWizIS9nxH9P6dph6xrcgtuoPdGG9jJxw
2024-10-01 13:08:18 UTC	1207	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 38 38 30 39 37 34 37 34 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727788097474",null,null,null
2024-10-01 13:08:19 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 13:08:19 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 13:08:19 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 13:08:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.6	49775	142.250.181.238	443	5192	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 13:08:19 UTC	1325	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1185 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlaHLAQj6mM0BCIWgzQEI3L3NAQiPys0BCLnKzQEI6dLNAQjo1c0BCMvWzQEIqNjNAQj5wNQVGLrSzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=dhxmbELXrSLkiEIMovpP4zRHz9TAAQ11FFiQsOsZHkG4sCkt_33rbZ7_dAlQBxtOf8UIunI6LBBs6-pGonpgLtLIuX5Dtpvv_zj1jc5kHC8PLKQKRIA8evCQuiGkA4g6Z3EPrpvj1R_PGyM4e1d4vqpIcmWizIS9nxH9P6dph6xrcgtuoPdGG9jJxw
2024-10-01 13:08:19 UTC	1185	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 38 38 30 39 38 32 32 36 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727788098226",null,null,null
2024-10-01 13:08:19 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 13:08:19 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 13:08:19 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 13:08:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
22	192.168.2.6	49776	40.113.103.199	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 13:08:35 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 44 30 46 57 58 63 37 6e 78 55 4b 6c 56 2f 51 44 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 34 36 66 33 36 31 61 31 30 31 35 38 65 62 62 64 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: D0FWXc7nxUKlV/QD.1Context: 46f361a10158ebbd
2024-10-01 13:08:35 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-10-01 13:08:35 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 44 30 46 57 58 63 37 6e 78 55 4b 6c 56 2f 51 44 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 34 36 66 33 36 31 61 31 30 31 35 38 65 62 62 64 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 54 68 49 6a 58 55 61 4e 39 6f 39 70 4d 6f 46 34 56 32 61 6c 6d 5a 70 45 32 62 31 59 6f 6b 62 44 49 68 6b 49 69 50 54 53 71 63 6c 46 41 33 64 62 70 38 65 67 39 50 57 73 49 49 35 66 63 52 51 41 6e 4f 55 79 79 67 71 31 52 2b 62 52 4d 44 32 49 6f 75 65 53 75 75 5a 56 75 46 59 39 30 5a 79 59 33 39 78 77 42 75 75 59 43 44 7a 50 51 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: D0FWXc7nxUKlV/QD.2Context: 46f361a10158ebbd<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAThIjXUaN9o9pMoF4V2almZpE2b1YokbDIhkIiPTSqclFA3dbp8eg9PWsII5fcRQAnOUyygq1R+bRMD2IoueSuuZVuFY90ZyY39xwBuuYCDzPQ
2024-10-01 13:08:35 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 44 30 46 57 58 63 37 6e 78 55 4b 6c 56 2f 51 44 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 34 36 66 33 36 31 61 31 30 31 35 38 65 62 62 64 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: D0FWXc7nxUKlV/QD.3Context: 46f361a10158ebbd<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-10-01 13:08:35 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-10-01 13:08:35 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 32 77 6f 55 68 54 49 4a 78 30 36 45 46 45 4d 55 78 57 35 79 55 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: 2woUhTIJx06EFEMUxW5yUg.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.6	49778	142.250.181.238	443	5192	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 13:08:49 UTC	1325	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1245 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlaHLAQj6mM0BCIWgzQEI3L3NAQiPys0BCLnKzQEI6dLNAQjo1c0BCMvWzQEIqNjNAQj5wNQVGLrSzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=dhxmbELXrSLkiEIMovpP4zRHz9TAAQ11FFiQsOsZHkG4sCkt_33rbZ7_dAlQBxtOf8UIunI6LBBs6-pGonpgLtLIuX5Dtpvv_zj1jc5kHC8PLKQKRIA8evCQuiGkA4g6Z3EPrpvj1R_PGyM4e1d4vqpIcmWizIS9nxH9P6dph6xrcgtuoPdGG9jJxw
2024-10-01 13:08:49 UTC	1245	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 38 38 31 32 37 37 33 39 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727788127739",null,null,null
2024-10-01 13:08:49 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 13:08:49 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 13:08:49 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 13:08:49 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.6	49779	142.250.181.238	443	5192	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 13:08:50 UTC	1325	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1243 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlaHLAQj6mM0BCIWgzQEI3L3NAQiPys0BCLnKzQEI6dLNAQjo1c0BCMvWzQEIqNjNAQj5wNQVGLrSzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=dhxmbELXrSLkiEIMovpP4zRHz9TAAQ11FFiQsOsZHkG4sCkt_33rbZ7_dAlQBxtOf8UIunI6LBBs6-pGonpgLtLIuX5Dtpvv_zj1jc5kHC8PLKQKRIA8evCQuiGkA4g6Z3EPrpvj1R_PGyM4e1d4vqpIcmWizIS9nxH9P6dph6xrcgtuoPdGG9jJxw
2024-10-01 13:08:50 UTC	1243	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 37 38 38 31 32 38 38 39 36 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727788128896",null,null,null
2024-10-01 13:08:50 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 13:08:50 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 13:08:50 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 13:08:50 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
25	192.168.2.6	49780	40.113.103.199	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 13:09:02 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 4e 39 36 32 6a 36 74 74 4d 30 6d 70 43 4b 65 47 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 31 37 35 66 31 62 38 64 31 33 61 39 39 30 32 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: N962j6ttM0mpCKeG.1Context: c175f1b8d13a9902
2024-10-01 13:09:02 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-10-01 13:09:02 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 4e 39 36 32 6a 36 74 74 4d 30 6d 70 43 4b 65 47 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 31 37 35 66 31 62 38 64 31 33 61 39 39 30 32 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 54 68 49 6a 58 55 61 4e 39 6f 39 70 4d 6f 46 34 56 32 61 6c 6d 5a 70 45 32 62 31 59 6f 6b 62 44 49 68 6b 49 69 50 54 53 71 63 6c 46 41 33 64 62 70 38 65 67 39 50 57 73 49 49 35 66 63 52 51 41 6e 4f 55 79 79 67 71 31 52 2b 62 52 4d 44 32 49 6f 75 65 53 75 75 5a 56 75 46 59 39 30 5a 79 59 33 39 78 77 42 75 75 59 43 44 7a 50 51 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: N962j6ttM0mpCKeG.2Context: c175f1b8d13a9902<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAThIjXUaN9o9pMoF4V2almZpE2b1YokbDIhkIiPTSqclFA3dbp8eg9PWsII5fcRQAnOUyygq1R+bRMD2IoueSuuZVuFY90ZyY39xwBuuYCDzPQ
2024-10-01 13:09:02 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 4e 39 36 32 6a 36 74 74 4d 30 6d 70 43 4b 65 47 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 31 37 35 66 31 62 38 64 31 33 61 39 39 30 32 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: N962j6ttM0mpCKeG.3Context: c175f1b8d13a9902<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-10-01 13:09:02 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-10-01 13:09:02 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 39 61 62 42 4b 44 34 68 4a 45 65 37 69 77 2f 37 4c 76 54 6a 49 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: 9abBKD4hJEe7iw/7LvTjIA.0Payload parsing failed.

Target ID:	0
Start time:	09:07:03
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x1b0000
File size:	917'504 bytes
MD5 hash:	28F4AA5264E452B3B6D44CE952D0B753
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:07:03
Start date:	01/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	09:07:04
Start date:	01/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1692,i,10153467402751513809,7343525194768360430,262144 --disable-features=CrashRecovery /prefetch:8
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	09:07:14
Start date:	01/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5412 --field-trial-handle=1692,i,10153467402751513809,7343525194768360430,262144 --disable-features=CrashRecovery /prefetch:8
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	09:07:15
Start date:	01/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 --field-trial-handle=1692,i,10153467402751513809,7343525194768360430,262144 --disable-features=CrashRecovery /prefetch:8
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.3%
Total number of Nodes:	1457
Total number of Limit Nodes:	44

Executed Functions

Function 001B42DE Relevance: 23.0, APIs: 9, Strings: 4, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 001B430D

Part of subcall function 001B6B57: _wcslen.LIBCMT ref: 001B6B6A

GetCurrentProcess.KERNEL32(?,0024CB64,00000000,?,?), ref: 001B4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 001B4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 001B4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 001B4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 001B4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 001B447B
GetSystemInfo.KERNEL32(?,?,?), ref: 001B44A0

Strings

|O, xrefs: 001F36F8
kernel32.dll, xrefs: 001B444F
, xrefs: 001B42E8, 001B435E, 001F3617
GetNativeSystemInfo, xrefs: 001B4460

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: $GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3060936628
Opcode ID: 8d766ff88b6d0042c5b5c38c477f7786895a2816c4c8936103c2a41eae0601a6
Instruction ID: 524569ce8276a89d717a8da2eb5a768e01bc9445743ce9ed336db6339c0e0cbd
Opcode Fuzzy Hash: 8d766ff88b6d0042c5b5c38c477f7786895a2816c4c8936103c2a41eae0601a6
Instruction Fuzzy Hash: 71A1C27E90B2C4DFD716D7697C4C1E57FAC6B26700B1888D9E08193AE2D36046BACB21

Function 001B42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,001B50AA,?,?,00000000,00000000), ref: 001B42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,001B50AA,?,?,00000000,00000000), ref: 001B42C9
LoadResource.KERNEL32(?,00000000,?,?,001B50AA,?,?,00000000,00000000,?,?,?,?,?,?,001B4F20), ref: 001F35BE
SizeofResource.KERNEL32(?,00000000,?,?,001B50AA,?,?,00000000,00000000,?,?,?,?,?,?,001B4F20), ref: 001F35D3
LockResource.KERNEL32(001B50AA,?,?,001B50AA,?,?,00000000,00000000,?,?,?,?,?,?,001B4F20,?), ref: 001F35E6

Strings

SCRIPT, xrefs: 001B42BF

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: f85d7d4d29fa496dc5ba01fa0ccefb8dca819da64075606be29e2e23df2fa252
Instruction ID: 3a9a11cf81ed2eab188322265b095dda74e450a61fd55254feae298d7d7d2032
Opcode Fuzzy Hash: f85d7d4d29fa496dc5ba01fa0ccefb8dca819da64075606be29e2e23df2fa252
Instruction Fuzzy Hash: C4118274201700BFD7258FA9EC49F677BB9EBC6B51F248169F842D6160DBB1DC009620

Function 001F2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 001B2B6B

Part of subcall function 001B3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00281418,?,001B2E7F,?,?,?,00000000), ref: 001B3A78

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00272224), ref: 001F2C10
ShellExecuteW.SHELL32(00000000,?,?,00272224), ref: 001F2C17

Strings

runas, xrefs: 001F2C0B

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 84065eed466d53cdb4cae0ea9f9563775d1cf3e1711908c57cb9a4de28ca4a83
Instruction ID: de60f798db2fb1d1ec8bbf0e69f2d08d6f54f2211f67e2f3674515e26f365ec1
Opcode Fuzzy Hash: 84065eed466d53cdb4cae0ea9f9563775d1cf3e1711908c57cb9a4de28ca4a83
Instruction Fuzzy Hash: FE11B131209305AAC714FF64E895DFEBBA8ABB2300F54142DF596560E2CF318A6A8712

Function 0021D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0021D501
Process32FirstW.KERNEL32(00000000,?), ref: 0021D50F
Process32NextW.KERNEL32(00000000,?), ref: 0021D52F
CloseHandle.KERNELBASE(00000000), ref: 0021D5DC

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: f364977258936767083612c2c66ea942d0d3d1d2adfada4f7df20da2137453b6
Instruction ID: f3d95033c08275b875be3522dff81da960616553ae04f2c90c3ef9f1a92a3257
Opcode Fuzzy Hash: f364977258936767083612c2c66ea942d0d3d1d2adfada4f7df20da2137453b6
Instruction Fuzzy Hash: BA31E271108301EFD300EF54D885AEFBBF8EFA9344F50082DF586861A1EB719985CB92

Function 0021DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,001F5222), ref: 0021DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0021DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0021DBEE
FindClose.KERNEL32(00000000), ref: 0021DBFA

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 29f31cf3e1b9d06e31ec8c0f9c1806b2971d8c4c5d96ac830b1aa038fa7b1687
Instruction ID: 576fcd58ebdb33d531190b5be4f34183334bed27a4c9dc3e412c079cfd87220e
Opcode Fuzzy Hash: 29f31cf3e1b9d06e31ec8c0f9c1806b2971d8c4c5d96ac830b1aa038fa7b1687
Instruction Fuzzy Hash: 3BF0EC34421910978220AF7CBC0D4EA37AC9E02334B604B03F935C10F0EBF05DA4C9D5

Function 001D4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(001E28E9,?,001D4CBE,001E28E9,002788B8,0000000C,001D4E15,001E28E9,00000002,00000000,?,001E28E9), ref: 001D4D09
TerminateProcess.KERNEL32(00000000,?,001D4CBE,001E28E9,002788B8,0000000C,001D4E15,001E28E9,00000002,00000000,?,001E28E9), ref: 001D4D10
ExitProcess.KERNEL32 ref: 001D4D22

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: c36f2d6b120b38d213d1acafba6f184d8fe4ece84404f894007e6d031bef2f28
Instruction ID: 0d783a1920e577d43d6469f19afd5774ac9244bd93095aa0e77d204f736b8e28
Opcode Fuzzy Hash: c36f2d6b120b38d213d1acafba6f184d8fe4ece84404f894007e6d031bef2f28
Instruction Fuzzy Hash: ECE0BF35001548ABCF616F54ED0DA583F6AEB56741B144055FC198B222CB35DD41CA40

Function 001BBF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#(, xrefs: 002007CE

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#(
API String ID: 3964851224-548171481
Opcode ID: b5e8e16f1124a98d480f81b2516a1fe66e1d6ac8cd6c87927aabd911ac772053
Instruction ID: 5e79702416a3ca3648863f67daa116f8886697b259a2d910f1874b91c6af14dd
Opcode Fuzzy Hash: b5e8e16f1124a98d480f81b2516a1fe66e1d6ac8cd6c87927aabd911ac772053
Instruction Fuzzy Hash: D9A259706083019FD724DF18C480BAABBE1BF99304F15896DF99A8B392D771EC55CB92

Function 0023AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0023B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0023B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0023B1D4
_wcslen.LIBCMT ref: 0023B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0023B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0023B236
_wcslen.LIBCMT ref: 0023B332

Part of subcall function 002205A7: GetStdHandle.KERNEL32(000000F6), ref: 002205C6

_wcslen.LIBCMT ref: 0023B34B
_wcslen.LIBCMT ref: 0023B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0023B3B6
GetLastError.KERNEL32(00000000), ref: 0023B407
CloseHandle.KERNEL32(?), ref: 0023B439
CloseHandle.KERNEL32(00000000), ref: 0023B44A
CloseHandle.KERNEL32(00000000), ref: 0023B45C
CloseHandle.KERNEL32(00000000), ref: 0023B46E
CloseHandle.KERNEL32(?), ref: 0023B4E3

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: b8da5c83896625332f69d302d909d9690b99cf4b76c57d21db31e7156c682fd0
Instruction ID: bd1aeeb94db032d0e2f35e92cfc24bfa81c9a3411806bbda684a70d22ce380f0
Opcode Fuzzy Hash: b8da5c83896625332f69d302d909d9690b99cf4b76c57d21db31e7156c682fd0
Instruction Fuzzy Hash: 22F1CC716183019FC725EF24C891B6FBBE5AF85310F14855DF99A8B2A2CB31EC50CB52

Function 001BD730 Relevance: 21.6, APIs: 14, Instructions: 631windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 001BD807
timeGetTime.WINMM ref: 001BDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001BDB28
TranslateMessage.USER32(?), ref: 001BDB7B
DispatchMessageW.USER32(?), ref: 001BDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001BDB9F
Sleep.KERNEL32(0000000A), ref: 001BDBB1

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 24a44f5c1be98a4c28928a00c5d733db9c8bacc39a2d7e8751770a439d5f4c57
Instruction ID: 11492c1fd20e5d959990bb5cd1976ccd596b84d63b1cb2c41f5180c90b812d3b
Opcode Fuzzy Hash: 24a44f5c1be98a4c28928a00c5d733db9c8bacc39a2d7e8751770a439d5f4c57
Instruction Fuzzy Hash: 6442F330614342DFD72DCF24D888BAAB7E4BF56304F54455EE45A872D2E770E868CB92

Function 001B344D Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001B3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00281418,?,001B2E7F,?,?,?,00000000), ref: 001B3A78

Part of subcall function 001B3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 001B3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 001B356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 001F318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 001F31CE
RegCloseKey.ADVAPI32(?), ref: 001F3210
_wcslen.LIBCMT ref: 001F3277
_wcslen.LIBCMT ref: 001F3286

Strings

Software\AutoIt v3\AutoIt, xrefs: 001B3560
I, xrefs: 001B349D
Include, xrefs: 001F3184, 001F31C5
\Include\, xrefs: 001B3527
\, xrefs: 001F328C

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\$I
API String ID: 98802146-2055965669
Opcode ID: b4275da8576ccd9d74a9980655494f5f838323eae65733cf383b62bdc80d80d2
Instruction ID: a45a7be0ec885fad6e1d6e0c68c17469f29748cc2700fbe9b1134b5c08a874db
Opcode Fuzzy Hash: b4275da8576ccd9d74a9980655494f5f838323eae65733cf383b62bdc80d80d2
Instruction Fuzzy Hash: E371BF75406304DFC314EF69EC959ABBBE8FFA5740F50082EF555971A0EB309A48CB62

Function 001B2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 001B2D07
RegisterClassExW.USER32(00000030), ref: 001B2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001B2D42
InitCommonControlsEx.COMCTL32(?), ref: 001B2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001B2D6F
LoadIconW.USER32(000000A9), ref: 001B2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 001B2D94

Strings

+, xrefs: 001B2CF0
0, xrefs: 001B2CE9
AutoIt v3 GUI, xrefs: 001B2D23
TaskbarCreated, xrefs: 001B2D37

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: d2376ba5347e9f04a79b08fd7dc6f602a89ee6e327346ad0989f78a2ab316dc7
Instruction ID: 973a16e353253d903468ea12830cec0afd082f472d4a088b7facc8794b54d650
Opcode Fuzzy Hash: d2376ba5347e9f04a79b08fd7dc6f602a89ee6e327346ad0989f78a2ab316dc7
Instruction Fuzzy Hash: B421E3B9952318AFDB40DFA8E84DBDDBBB8FB09700F10411AF511A62A0D7B14551CF90

Function 001F065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001F039A: CreateFileW.KERNELBASE(00000000,00000000,?,001F0704,?,?,00000000,?,001F0704,00000000,0000000C), ref: 001F03B7

GetLastError.KERNEL32 ref: 001F076F
__dosmaperr.LIBCMT ref: 001F0776
GetFileType.KERNELBASE(00000000), ref: 001F0782
GetLastError.KERNEL32 ref: 001F078C
__dosmaperr.LIBCMT ref: 001F0795
CloseHandle.KERNEL32(00000000), ref: 001F07B5
CloseHandle.KERNEL32(?), ref: 001F08FF
GetLastError.KERNEL32 ref: 001F0931
__dosmaperr.LIBCMT ref: 001F0938

Strings

H, xrefs: 001F08BD

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 62bc8268af0378e007c5fb49056a346569ed1acfbca8aa20e55ac016dff191e9
Instruction ID: 3302e00ee84afa6a936527ba9f62544986d9bac06ee8c2cc9c6fe6f3270bbad3
Opcode Fuzzy Hash: 62bc8268af0378e007c5fb49056a346569ed1acfbca8aa20e55ac016dff191e9
Instruction Fuzzy Hash: 3BA14736A001088FDF1AAF68DC95BBE7BA0AB1A324F14415DF915DF392DB319D12CB91

Function 001B2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 001B2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 001B2B9D
LoadIconW.USER32(00000063), ref: 001B2BB3
LoadIconW.USER32(000000A4), ref: 001B2BC5
LoadIconW.USER32(000000A2), ref: 001B2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 001B2BEF
RegisterClassExW.USER32(?), ref: 001B2C40

Part of subcall function 001B2CD4: GetSysColorBrush.USER32(0000000F), ref: 001B2D07
Part of subcall function 001B2CD4: RegisterClassExW.USER32(00000030), ref: 001B2D31
Part of subcall function 001B2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001B2D42
Part of subcall function 001B2CD4: InitCommonControlsEx.COMCTL32(?), ref: 001B2D5F
Part of subcall function 001B2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001B2D6F
Part of subcall function 001B2CD4: LoadIconW.USER32(000000A9), ref: 001B2D85
Part of subcall function 001B2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 001B2D94

Strings

AutoIt v3, xrefs: 001B2C2F
#, xrefs: 001B2C16
0, xrefs: 001B2C0F

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 45dd1bc6f65b7114d942beff89e41caa79dd2d40e3099b8aaa50cf632e39f399
Instruction ID: 841da6b1c6c0882e1020c8dc51be992ce4366838db892c2733a5ec4acb1d785b
Opcode Fuzzy Hash: 45dd1bc6f65b7114d942beff89e41caa79dd2d40e3099b8aaa50cf632e39f399
Instruction Fuzzy Hash: 74212C78E52314ABDB109FA9FC5DAEDBFB8FB48B50F14009AE500A66E0D7B10561CF90

Function 001B3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,001B316A,?,?), ref: 001B31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,001B316A,?,?), ref: 001B3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 001B3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,001B316A,?,?), ref: 001B3232
CreatePopupMenu.USER32 ref: 001B3246
PostQuitMessage.USER32(00000000), ref: 001B3267

Strings

TaskbarCreated, xrefs: 001B322D

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 90ac14cf676e48435bf7f32c263af9c50d25f79bbe1fb30e79f65226869062c6
Instruction ID: b4d50b6bcd27406de9c64334947c4055c3e450ee4d127e2a675cb60570ea71c1
Opcode Fuzzy Hash: 90ac14cf676e48435bf7f32c263af9c50d25f79bbe1fb30e79f65226869062c6
Instruction Fuzzy Hash: 75414B3D251208ABDB193B7CEC1EBF93A5DEB06340F140165F622862E2CB718E7197A1

Function 001B1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 001B1459
CoUninitialize.COMBASE ref: 001B14F8
UnregisterHotKey.USER32(?), ref: 001B16DD
DestroyWindow.USER32(?), ref: 001F24B9
FreeLibrary.KERNEL32(?), ref: 001F251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 001F254B

Strings

close all, xrefs: 001B1454

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 4cabb530b1c200291fa87ac3325da26e3b74fa778bcd37539151c4a2f767c10a
Instruction ID: 8883049036fbc8309f13945ae12545ca68baa6f31189f095460cd1ef3d962802
Opcode Fuzzy Hash: 4cabb530b1c200291fa87ac3325da26e3b74fa778bcd37539151c4a2f767c10a
Instruction Fuzzy Hash: A1D17E31702212DFCB29EF54D4A9AB9F7A1BF15710F6641ADE94A6B261CB30EC12CF50

Function 001B10F3 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 153
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001B1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 001B1BF4
Part of subcall function 001B1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 001B1BFC
Part of subcall function 001B1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 001B1C07
Part of subcall function 001B1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 001B1C12
Part of subcall function 001B1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 001B1C1A
Part of subcall function 001B1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 001B1C22

Part of subcall function 001B1B4A: RegisterWindowMessageW.USER32(00000004,?,001B12C4), ref: 001B1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 001B136A
OleInitialize.OLE32 ref: 001B1388
CloseHandle.KERNEL32(00000000,00000000), ref: 001F24AB

Strings

, xrefs: 001B12C4
`, xrefs: 001B1292
8R, xrefs: 001B11AD

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: 8R$`$
API String ID: 1986988660-3414498645
Opcode ID: 967fcda65e735aaac9f9c8a5a4bf0f85799b1405628ebd2fae04bcfa681e9ddb
Instruction ID: 1dbd40e83b46311920a30bb217daf3c59ec05a9802fd6cacb4861ce22df11b2b
Opcode Fuzzy Hash: 967fcda65e735aaac9f9c8a5a4bf0f85799b1405628ebd2fae04bcfa681e9ddb
Instruction Fuzzy Hash: B5718DBC9132009ED384EF79F95D6A53AEDBB98344794812AD40AC72E2EB384432CF45

Function 001B2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 001B2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 001B2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,001B1CAD,?), ref: 001B2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,001B1CAD,?), ref: 001B2CCF

Strings

AutoIt v3, xrefs: 001B2C89, 001B2C8E, 001B2C8F
edit, xrefs: 001B2CAC

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 32814bab34c398bf60fcd75ae8d4640f1bf802855e1e689e44b8a90acfe66f18
Instruction ID: 268ddf577bb52f8a974862ee3126de70fac8b00f50c8520c9d1de679da4bfffd
Opcode Fuzzy Hash: 32814bab34c398bf60fcd75ae8d4640f1bf802855e1e689e44b8a90acfe66f18
Instruction Fuzzy Hash: C3F0DA795423907AEB711717BC0CEB76EBDD7C7F50B10009AF900A65A0C6751862DBB0

Function 001B3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,001B3B0F,SwapMouseButtons,00000004,?), ref: 001B3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,001B3B0F,SwapMouseButtons,00000004,?), ref: 001B3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,001B3B0F,SwapMouseButtons,00000004,?), ref: 001B3B83

Strings

Control Panel\Mouse, xrefs: 001B3B3E

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: cd0141d1449df21c84124a458138b3a5dfdea3b76c8214a31693632916b2178e
Instruction ID: 6f732181f3601c382de545c58f7335ebb383cd6868d2b0b47a0e0caf1dbabad7
Opcode Fuzzy Hash: cd0141d1449df21c84124a458138b3a5dfdea3b76c8214a31693632916b2178e
Instruction Fuzzy Hash: EF115AB5511208FFDB218FA8DD48AEEB7B8EF01740B104559E811D7214D7319E509760

Function 001B3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 001F33A2

Part of subcall function 001B6B57: _wcslen.LIBCMT ref: 001B6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 001B3A04

Strings

Line: , xrefs: 001F33EB

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 45ed2bdae59797ab995344573a87d62b9508ac0adcb96fe8667433b2329cab56
Instruction ID: 9807515e4e08af4319d017a5c917b2cd95888d743cad55d739f16dda5799e1a2
Opcode Fuzzy Hash: 45ed2bdae59797ab995344573a87d62b9508ac0adcb96fe8667433b2329cab56
Instruction Fuzzy Hash: C831F271409304ABC325EB20EC49BEBB7ECAF61314F10456EF5A9831D1EB749A69C7C2

Function 001B2DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 001F2C8C

Part of subcall function 001B3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001B3A97,?,?,001B2E7F,?,?,?,00000000), ref: 001B3AC2

Part of subcall function 001B2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001B2DC4

Strings

`e', xrefs: 001F2C85
X, xrefs: 001F2C5A

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e'
API String ID: 779396738-340175575
Opcode ID: c35a5b0bed86640a8873bf5a2bf1ffab3f8ac679b995f086b28b7d548ba6bffa
Instruction ID: e42c799af479335b603a131c6198ce7483136c85d5eac2b22478c7737f71c61c
Opcode Fuzzy Hash: c35a5b0bed86640a8873bf5a2bf1ffab3f8ac679b995f086b28b7d548ba6bffa
Instruction Fuzzy Hash: 0821A571A1025C9FCB01DF94C849BEE7BFCAF59304F008059E519A7241DBB89A5D8F61

Function 001CFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 001D0668

Part of subcall function 001D32A4: RaiseException.KERNEL32(?,?,?,001D068A,?,00281444,?,?,?,?,?,?,001D068A,001B1129,00278738,001B1129), ref: 001D3304

__CxxThrowException@8.LIBVCRUNTIME ref: 001D0685

Strings

Unknown exception, xrefs: 001D0692

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 142f3b2828a8c92dcb0f60a387bc4cae0c7597b5a4eb5dd794bbd808f0136020
Instruction ID: 6215c68bc32ad97623afc7fc0d517c6d5754095963f00c3fb350946c81db9c25
Opcode Fuzzy Hash: 142f3b2828a8c92dcb0f60a387bc4cae0c7597b5a4eb5dd794bbd808f0136020
Instruction Fuzzy Hash: 57F0F63490020DB7CB05BAB4EC4AEAE7B6D5E64350F60413BB828D67D1EF71EA26C5C1

Function 001E86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,001E85CC,?,00278CC8,0000000C), ref: 001E8704
GetLastError.KERNEL32(?,001E85CC,?,00278CC8,0000000C), ref: 001E870E
__dosmaperr.LIBCMT ref: 001E8739

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: fd9cdd35dc335498a6f00907d6a1d8a3ed0b496ee66a7ed268a701b4e587e7f4
Instruction ID: 8b37cb8bc416f8f76f87e9ef8085235314e4755dc3bcccbfab11d77dba6d87d9
Opcode Fuzzy Hash: fd9cdd35dc335498a6f00907d6a1d8a3ed0b496ee66a7ed268a701b4e587e7f4
Instruction Fuzzy Hash: 0B016B32A05EE016C3686637684977E6B4A4BA6778F390119F81C8B1D2DFA0CCC18250

Function 001C1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001C17F6

Strings

CALL, xrefs: 001C17C6

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 3fd53b43f0d4b6b14223739fb6ad9d12768ea32f65f46a178eba2fd8e0df8d18
Instruction ID: b2afa95bcda0ec1600bedb70943a258328c176df4924967b4fc16fb42901d766
Opcode Fuzzy Hash: 3fd53b43f0d4b6b14223739fb6ad9d12768ea32f65f46a178eba2fd8e0df8d18
Instruction Fuzzy Hash: 8C227A70648301AFC714DF14C484F2ABBF1BFAA314F64895DF4968B2A2D771E865CB92

Function 001B3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 001B3908

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 658b4879d4cafc290e950fe4be473968f2f45aab6afa995ce34c383efd30c499
Instruction ID: a00b0112112e6ed94426c249cda1fa5d2c667ba390e88a51add9c22bf72b2257
Opcode Fuzzy Hash: 658b4879d4cafc290e950fe4be473968f2f45aab6afa995ce34c383efd30c499
Instruction Fuzzy Hash: 5F31B474505701DFD721DF24E8887D7BBE8FB49708F00096EF6A983280E771AA55CB52

Function 001B4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 001B4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,001B4EDD,?,00281418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001B4E9C
Part of subcall function 001B4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 001B4EAE
Part of subcall function 001B4E90: FreeLibrary.KERNEL32(00000000,?,?,001B4EDD,?,00281418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001B4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00281418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001B4EFD

Part of subcall function 001B4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,001F3CDE,?,00281418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001B4E62
Part of subcall function 001B4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 001B4E74
Part of subcall function 001B4E59: FreeLibrary.KERNEL32(00000000,?,?,001F3CDE,?,00281418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001B4E87

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 6ac5b42282518a2dfe31bbbeb36eb788065e2f35bd00a69c74c79f15cf182af9
Instruction ID: 0aef5d68697774a2ce8c5a3c46a2fa1488c2e5f5005084603436b5b30109dbcf
Opcode Fuzzy Hash: 6ac5b42282518a2dfe31bbbeb36eb788065e2f35bd00a69c74c79f15cf182af9
Instruction Fuzzy Hash: 1D11C432610205ABDB14FB68DC42BED77A59F60710F20842EF542A71C2EF74DA459B50

Function 001E8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 001E8440

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 87beb952f35318f489a6f392ad75e9bfd3cb39f74f09205c356b9363ea11c30c
Instruction ID: eafc608a8a0105a19c7ab2d5ca145ce442184f1799415df148d92dc358f3d465
Opcode Fuzzy Hash: 87beb952f35318f489a6f392ad75e9bfd3cb39f74f09205c356b9363ea11c30c
Instruction Fuzzy Hash: 9D11487590410AAFCB05DF59E940A9E7BF4EF48314F104059F808AB352DB30EA11CBA4

Function 001E5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001E4C7D: RtlAllocateHeap.NTDLL(00000008,001B1129,00000000,?,001E2E29,00000001,00000364,?,?,?,001DF2DE,001E3863,00281444,?,001CFDF5,?), ref: 001E4CBE

_free.LIBCMT ref: 001E506C

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 3bff4139bd2477263169505700b17549941e7f21d78f413ad51a20167c23e1f6
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: BA012672204B446BE3218E669885A5EFBEDFB89374F25051DF194832C0EB70A805C7B4

Function 001DE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: ddf33f837cdd92f6549d4e0de9d2644b0131bfe22d3c7635ce4c55c8bb68f1ae
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: DEF0F432510E1496C7353A6A9C05B9A33DC9F7233AF11071BF4259B3D2DB74E802CAA5

Function 001E4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,001B1129,00000000,?,001E2E29,00000001,00000364,?,?,?,001DF2DE,001E3863,00281444,?,001CFDF5,?), ref: 001E4CBE

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ab0f0dbfb66dfc73e82e4f019b7aa57ac1ea621fe6c69309b81fe8f297379fa4
Instruction ID: 966e67a2dc8e62ddca34fbbf5be92a8808340e9d0f79c7df84f9d5559619f6c5
Opcode Fuzzy Hash: ab0f0dbfb66dfc73e82e4f019b7aa57ac1ea621fe6c69309b81fe8f297379fa4
Instruction Fuzzy Hash: A9F0E231603AA467DB255F67AC09B5F3788BF917A0B394126B81AAB6D0CB30D80196E0

Function 001E3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00281444,?,001CFDF5,?,?,001BA976,00000010,00281440,001B13FC,?,001B13C6,?,001B1129), ref: 001E3852

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1685ba3f24d223d4270ffe12dc088b4a8fe9b3b941bf5ad7e458d861f0c0da52
Instruction ID: 37986d45ab02f512525d6db0bef7f197783a817dd457db1f06b257dd64e3f7bc
Opcode Fuzzy Hash: 1685ba3f24d223d4270ffe12dc088b4a8fe9b3b941bf5ad7e458d861f0c0da52
Instruction Fuzzy Hash: 79E0E531101AA467D631266B9C0DF9F3748AB827B0F150326BC25935D0CB20DE0182E0

Function 001B4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00281418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001B4F6D

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 97cf5a9c32f17cf4391ceefe68fe8f01e30083b41ba2c2d244bf675950bdba36
Instruction ID: c5d2cd83cb5d4a116998cf237b675a55a89baa2c59b411c8e53a742953b3e977
Opcode Fuzzy Hash: 97cf5a9c32f17cf4391ceefe68fe8f01e30083b41ba2c2d244bf675950bdba36
Instruction Fuzzy Hash: 38F03971505752CFDB389F68E4948A2BBF4EF1432A320C97EE1EA83622C7319844DF50

Function 001B30F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 001B314E

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 07119518ac64cd2fb38e593a24b443662196a4393e97268add1b2eb2e5df2b88
Instruction ID: 42692eb932136a02e08e80c90575f8bc4d1bc215e8ab0d315400f5bc406182d1
Opcode Fuzzy Hash: 07119518ac64cd2fb38e593a24b443662196a4393e97268add1b2eb2e5df2b88
Instruction Fuzzy Hash: 80F0A7749003049FE7529B24EC4A7D57BBCA701708F0000E5E148962C2D7704799CF41

Function 001B2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001B2DC4

Part of subcall function 001B6B57: _wcslen.LIBCMT ref: 001B6B6A

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 7e9e42eb15bf01b1316a94195a0ba471efa9baafc61cd1bdc06f0aae04c4c8ce
Instruction ID: 9d25dfdc24ef8ad71f323e8e3b2d3a5c1e00d12e205ff6d46086f655c124377d
Opcode Fuzzy Hash: 7e9e42eb15bf01b1316a94195a0ba471efa9baafc61cd1bdc06f0aae04c4c8ce
Instruction Fuzzy Hash: 24E0CD766011245BC710D2589C05FEA77EDDFC8790F040071FD09D7248DBA4AD848550

Function 001B2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 001B3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 001B3908

Part of subcall function 001BD730: GetInputState.USER32 ref: 001BD807

SetCurrentDirectoryW.KERNEL32(?), ref: 001B2B6B

Part of subcall function 001B30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 001B314E

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: ddfb02288305b8191b7cf20a6bcb7ab1d316172c677c33b0798bd1382ac634d5
Instruction ID: 1e3294cca8ff2a63808ec35ae3de4d5954e508b8c5592af5094416b5823f360a
Opcode Fuzzy Hash: ddfb02288305b8191b7cf20a6bcb7ab1d316172c677c33b0798bd1382ac634d5
Instruction Fuzzy Hash: 08E08C2630524806CA08BBB5B8A69EDB7599BF2355F40163EF152871A3DF248A6A8352

Function 001F039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,001F0704,?,?,00000000,?,001F0704,00000000,0000000C), ref: 001F03B7

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: cb67294304794444d14dc5f4a7eb5ae60803232daf87ca6b5561b73d693fa645
Instruction ID: 44a1792a312887e9a01f940c2e2618a939f4dd132a64c84fcb0ef7c2cbeb88fb
Opcode Fuzzy Hash: cb67294304794444d14dc5f4a7eb5ae60803232daf87ca6b5561b73d693fa645
Instruction Fuzzy Hash: 25D06C3204010DBBDF028F84ED06EDA3BAAFB48714F114000FE1C56020C732E821AB90

Function 001B1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 001B1CBC

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: bf13a7dcba54632051259e0bd53f03a86beb6b37a97f6032297389a60cb2723b
Instruction ID: e9d9842af276505a8adf7a67e48098f3cb32b913267532a902925235180de844
Opcode Fuzzy Hash: bf13a7dcba54632051259e0bd53f03a86beb6b37a97f6032297389a60cb2723b
Instruction Fuzzy Hash: F7C0483A282204AAE2188B84BC4EF547768A348B01F948001F60AA95E382A22820AB50

Non-executed Functions

Function 00249576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 001C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001C9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0024961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0024965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0024969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002496C9
SendMessageW.USER32 ref: 002496F2
GetKeyState.USER32(00000011), ref: 0024978B
GetKeyState.USER32(00000009), ref: 00249798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002497AE
GetKeyState.USER32(00000010), ref: 002497B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002497E9
SendMessageW.USER32 ref: 00249810
SendMessageW.USER32(?,00001030,?,00247E95), ref: 00249918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0024992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00249941
SetCapture.USER32(?), ref: 0024994A
ClientToScreen.USER32(?,?), ref: 002499AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 002499BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002499D6
ReleaseCapture.USER32 ref: 002499E1
GetCursorPos.USER32(?), ref: 00249A19
ScreenToClient.USER32(?,?), ref: 00249A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00249A80
SendMessageW.USER32 ref: 00249AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00249AEB
SendMessageW.USER32 ref: 00249B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00249B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00249B4A
GetCursorPos.USER32(?), ref: 00249B68
ScreenToClient.USER32(?,?), ref: 00249B75
GetParent.USER32(?), ref: 00249B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00249BFA
SendMessageW.USER32 ref: 00249C2B
ClientToScreen.USER32(?,?), ref: 00249C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00249CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00249CDE
SendMessageW.USER32 ref: 00249D01
ClientToScreen.USER32(?,?), ref: 00249D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00249D82

Part of subcall function 001C9944: GetWindowLongW.USER32(?,000000EB), ref: 001C9952

GetWindowLongW.USER32(?,000000F0), ref: 00249E05

Strings

@GUI_DRAGID, xrefs: 0024997D
F, xrefs: 00249D07
p#(, xrefs: 00249990

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#(
API String ID: 3429851547-3736874359
Opcode ID: 44a1602112246300ea19c20b7b37b23b037ea8cfb01254ec9cc57cfe46051868
Instruction ID: b3a4315cb608b2bbb744361207f349644a88c8e218b296c104ae1d61cc7391e2
Opcode Fuzzy Hash: 44a1602112246300ea19c20b7b37b23b037ea8cfb01254ec9cc57cfe46051868
Instruction Fuzzy Hash: 3E42BE34615202AFD729CF28DC48EABBBE9FF89310F114619F599872A1D771E8A0CF41

Function 00244873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 002448F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00244908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00244927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0024494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0024495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0024497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 002449AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 002449D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00244A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00244A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00244A7E
IsMenu.USER32(?), ref: 00244A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00244AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00244B20
GetWindowLongW.USER32(?,000000F0), ref: 00244B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00244BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00244C82
wsprintfW.USER32 ref: 00244CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00244CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00244CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00244D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00244D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00244D5A

Strings

%d/%02d/%02d, xrefs: 00244CA8

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 560007dc48baef8720700e5d8d71f2322785ea6851dfd7a2bb50d37c7342b37f
Instruction ID: 5cc2c96bde0ca89cbab469207df487893442c865f27c2d0dbfbfde3f41be0e57
Opcode Fuzzy Hash: 560007dc48baef8720700e5d8d71f2322785ea6851dfd7a2bb50d37c7342b37f
Instruction Fuzzy Hash: 3D123531610215ABEB28AF28DC49FAE7BF8FF85710F104129F916EB2E1DB749951CB50

Function 001CF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 001CF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0020F474
IsIconic.USER32(00000000), ref: 0020F47D
ShowWindow.USER32(00000000,00000009), ref: 0020F48A
SetForegroundWindow.USER32(00000000), ref: 0020F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0020F4AA
GetCurrentThreadId.KERNEL32 ref: 0020F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0020F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0020F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0020F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0020F4DE
SetForegroundWindow.USER32(00000000), ref: 0020F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0020F4F6
keybd_event.USER32(00000012,00000000), ref: 0020F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0020F50B
keybd_event.USER32(00000012,00000000), ref: 0020F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0020F519
keybd_event.USER32(00000012,00000000), ref: 0020F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0020F528
keybd_event.USER32(00000012,00000000), ref: 0020F52D
SetForegroundWindow.USER32(00000000), ref: 0020F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0020F557

Strings

Shell_TrayWnd, xrefs: 0020F46F

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: d9c3b3ccbe8cb774ef587d8cc91f236d0188acefe25429bf9ff4707041fb14c1
Instruction ID: 857176b30bed918bdd8b74e72dab862d580265dc4eb7a9e530a27bdee8b72922
Opcode Fuzzy Hash: d9c3b3ccbe8cb774ef587d8cc91f236d0188acefe25429bf9ff4707041fb14c1
Instruction Fuzzy Hash: 6A315075A91318BBEB706FB95C4AFBF7E6CEB45B50F210025FA04F61D1C6B06D10AA60

Function 00211201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 002116C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0021170D
Part of subcall function 002116C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0021173A
Part of subcall function 002116C3: GetLastError.KERNEL32 ref: 0021174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00211286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 002112A8
CloseHandle.KERNEL32(?), ref: 002112B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 002112D1
GetProcessWindowStation.USER32 ref: 002112EA
SetProcessWindowStation.USER32(00000000), ref: 002112F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00211310

Part of subcall function 002110BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002111FC), ref: 002110D4
Part of subcall function 002110BF: CloseHandle.KERNEL32(?,?,002111FC), ref: 002110E9

Strings

, xrefs: 0021125A
default, xrefs: 0021130B
winsta0, xrefs: 002112CC
Z', xrefs: 00211392

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z'
API String ID: 22674027-1455465207
Opcode ID: 7525668c7d374117f0b0328dc8b18e419b7c2aa6f3d755b40b199284462b6379
Instruction ID: 7ac61cfbb4b1216b4973c7947c51779355949a4737bfa5cb04e9b32fc8402062
Opcode Fuzzy Hash: 7525668c7d374117f0b0328dc8b18e419b7c2aa6f3d755b40b199284462b6379
Instruction Fuzzy Hash: 2881C271910209AFDF209FA8DC49FEE7BFDEF15B04F144129FA11A61A0D77189A4CB61

Function 00210B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002110F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00211114
Part of subcall function 002110F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00210B9B,?,?,?), ref: 00211120
Part of subcall function 002110F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00210B9B,?,?,?), ref: 0021112F
Part of subcall function 002110F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00210B9B,?,?,?), ref: 00211136
Part of subcall function 002110F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0021114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00210BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00210C00
GetLengthSid.ADVAPI32(?), ref: 00210C17
GetAce.ADVAPI32(?,00000000,?), ref: 00210C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00210C6D
GetLengthSid.ADVAPI32(?), ref: 00210C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00210C8C
HeapAlloc.KERNEL32(00000000), ref: 00210C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00210CB4
CopySid.ADVAPI32(00000000), ref: 00210CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00210CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00210D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00210D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00210D45
HeapFree.KERNEL32(00000000), ref: 00210D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00210D55
HeapFree.KERNEL32(00000000), ref: 00210D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00210D65
HeapFree.KERNEL32(00000000), ref: 00210D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00210D78
HeapFree.KERNEL32(00000000), ref: 00210D7F

Part of subcall function 00211193: GetProcessHeap.KERNEL32(00000008,00210BB1,?,00000000,?,00210BB1,?), ref: 002111A1
Part of subcall function 00211193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00210BB1,?), ref: 002111A8
Part of subcall function 00211193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00210BB1,?), ref: 002111B7

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: e6f0eaa5bbe074c014d793f987a814c31851f8a176affe1edf5be8c4e1a0681e
Instruction ID: bf9304c9f2b2c86ec8d92fe8fe617a4f97cf8fc8ce164b090ca06328d84ed7ed
Opcode Fuzzy Hash: e6f0eaa5bbe074c014d793f987a814c31851f8a176affe1edf5be8c4e1a0681e
Instruction Fuzzy Hash: 3B716E7590120AABDF10DFE4EC88FEEBBB8FF15300F144525E918A6191D7B1A995CFA0

Function 0022EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0024CC08), ref: 0022EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0022EB37
GetClipboardData.USER32(0000000D), ref: 0022EB43
CloseClipboard.USER32 ref: 0022EB4F
GlobalLock.KERNEL32(00000000), ref: 0022EB87
CloseClipboard.USER32 ref: 0022EB91
GlobalUnlock.KERNEL32(00000000), ref: 0022EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0022EBC9
GetClipboardData.USER32(00000001), ref: 0022EBD1
GlobalLock.KERNEL32(00000000), ref: 0022EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0022EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0022EC38
GetClipboardData.USER32(0000000F), ref: 0022EC44
GlobalLock.KERNEL32(00000000), ref: 0022EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0022EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0022EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0022ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0022ECF3
CountClipboardFormats.USER32 ref: 0022ED14
CloseClipboard.USER32 ref: 0022ED59

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 2189c6229ec3d0694aebeefe6d37acf32b0488bd92eb669994cc87f999ba99b7
Instruction ID: e0bbda2af4872a566c6f88bf0ce52bad1a2fd8ce0145d53f2c35ffc39a6874bf
Opcode Fuzzy Hash: 2189c6229ec3d0694aebeefe6d37acf32b0488bd92eb669994cc87f999ba99b7
Instruction Fuzzy Hash: F961F374204302AFD700EFA4E888F6A77E8BF95714F25451DF8568B2A1CB71DD05DB62

Function 0022698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 002269BE
FindClose.KERNEL32(00000000), ref: 00226A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00226A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00226A75

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00226AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00226ADF

Strings

%03d, xrefs: 00226DA2
%4d, xrefs: 00226BB1
%4d%02d%02d%02d%02d%02d, xrefs: 00226B6A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00226B32
%02d, xrefs: 00226C00, 00226C0A, 00226C5A, 00226CAA, 00226CFA, 00226D4A

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: c34d9ae63c96e0ee3974e6a612fb898d6f5183cf3239015c505b86a8038c04db
Instruction ID: 3824a7cc77cc8bd7a1f33c5a6362651ba23fbe5ebc7ce2f055a43467f87641b9
Opcode Fuzzy Hash: c34d9ae63c96e0ee3974e6a612fb898d6f5183cf3239015c505b86a8038c04db
Instruction Fuzzy Hash: B5D16F72508300AFC310EFA4D895EABB7ECAFA9704F04491DF589D7191EB74DA05CBA2

Function 00229642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00229663
GetFileAttributesW.KERNEL32(?), ref: 002296A1
SetFileAttributesW.KERNEL32(?,?), ref: 002296BB
FindNextFileW.KERNEL32(00000000,?), ref: 002296D3
FindClose.KERNEL32(00000000), ref: 002296DE
FindFirstFileW.KERNEL32(*.*,?), ref: 002296FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0022974A
SetCurrentDirectoryW.KERNEL32(00276B7C), ref: 00229768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00229772
FindClose.KERNEL32(00000000), ref: 0022977F
FindClose.KERNEL32(00000000), ref: 0022978F

Strings

*.*, xrefs: 002296F5

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 773b1ea3c2575463629be2ba08236de943e7a7d154d4f82cca21837d1cac11b6
Instruction ID: bc3d3c0afa0b2f7fbadb1c6ad14a1426d42be9279f23ef59d7f7a0fe2bbaddec
Opcode Fuzzy Hash: 773b1ea3c2575463629be2ba08236de943e7a7d154d4f82cca21837d1cac11b6
Instruction Fuzzy Hash: 1F31C27651162A7ADB14EFF9FC4CAEE77ACAF0A320F204156F905E2190DB70D9948E14

Function 0022979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 002297BE
FindNextFileW.KERNEL32(00000000,?), ref: 00229819
FindClose.KERNEL32(00000000), ref: 00229824
FindFirstFileW.KERNEL32(*.*,?), ref: 00229840
SetCurrentDirectoryW.KERNEL32(?), ref: 00229890
SetCurrentDirectoryW.KERNEL32(00276B7C), ref: 002298AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 002298B8
FindClose.KERNEL32(00000000), ref: 002298C5
FindClose.KERNEL32(00000000), ref: 002298D5

Part of subcall function 0021DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0021DB00

Strings

*.*, xrefs: 0022983B

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: f2402521436e47749ef2730c75b64e3a2ee4fa112c4808cc55ac797da9061ef8
Instruction ID: b68fa00ae8c44da24748bead062f2ab07b842e55705e5f3438c48cf0497edbb5
Opcode Fuzzy Hash: f2402521436e47749ef2730c75b64e3a2ee4fa112c4808cc55ac797da9061ef8
Instruction Fuzzy Hash: E531C53151162A7ADB14EFF8FC48ADE77ACAF07320F244156E914E2191DB70D9A4CE25

Function 0023BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0023C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0023B6AE,?,?), ref: 0023C9B5
Part of subcall function 0023C998: _wcslen.LIBCMT ref: 0023C9F1
Part of subcall function 0023C998: _wcslen.LIBCMT ref: 0023CA68
Part of subcall function 0023C998: _wcslen.LIBCMT ref: 0023CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0023BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0023BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0023BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0023C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0023C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0023C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0023C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0023C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0023C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0023C382
RegCloseKey.ADVAPI32(00000000), ref: 0023C38F

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: f91bab2a9217fc9c5cffaa7a52b770096b4362891b3860bf40f764f0cdca7df1
Instruction ID: 2ca067dd67c34e6db8f26ea6186798a4066f2cacf4e7f94d93ffdcb42275136a
Opcode Fuzzy Hash: f91bab2a9217fc9c5cffaa7a52b770096b4362891b3860bf40f764f0cdca7df1
Instruction Fuzzy Hash: 24026EB16142019FC714DF28C895E2ABBE5EF89318F18C49DF84ADB2A2DB31EC55CB51

Function 00228195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00228257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00228267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00228273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00228310
SetCurrentDirectoryW.KERNEL32(?), ref: 00228324
SetCurrentDirectoryW.KERNEL32(?), ref: 00228356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0022838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00228395

Strings

*.*, xrefs: 0022839B

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 3527369136826d2d00686609ebc84787066998db3b5fd40be25c3bab8afc3f11
Instruction ID: 2f8b63d12814e224600d374dac91590a0c217b587251bdaf59da59d1e634ba72
Opcode Fuzzy Hash: 3527369136826d2d00686609ebc84787066998db3b5fd40be25c3bab8afc3f11
Instruction Fuzzy Hash: 1261BC72118315AFCB10EF64E8409AEB3E8FF99310F04895EF989C3251DB31E955CB92

Function 0021D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 001B3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001B3A97,?,?,001B2E7F,?,?,?,00000000), ref: 001B3AC2

Part of subcall function 0021E199: GetFileAttributesW.KERNEL32(?,0021CF95), ref: 0021E19A

FindFirstFileW.KERNEL32(?,?), ref: 0021D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0021D1DD
MoveFileW.KERNEL32(?,?), ref: 0021D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0021D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0021D237

Part of subcall function 0021D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0021D21C,?,?), ref: 0021D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0021D253
FindClose.KERNEL32(00000000), ref: 0021D264

Strings

\*.*, xrefs: 0021D0CD, 0021D0D6, 0021D0EB

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 834543799e473f75e35fd170f303579879d12a463f043014f6710d8b158e9cf1
Instruction ID: 374c167c8860f4845111ff97e94fd0fd6f5884fc652e24cc0fafe9bb0d6231b4
Opcode Fuzzy Hash: 834543799e473f75e35fd170f303579879d12a463f043014f6710d8b158e9cf1
Instruction Fuzzy Hash: 34617C3180110EEBCF05EFE4D9929EDB7B5AF25300F604165E81677192EB30AF5ADB60

Function 0022ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0022ED91
EmptyClipboard.USER32 ref: 0022ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0022EDAC
CloseClipboard.USER32 ref: 0022EEA3

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 96c12bda4b17ac3af7149cfdf046cadbc3ace72f31943c28e8dae33725021cbe
Instruction ID: a9b99961842db41c942a7321178cc629e2d2c003fc444e35bc86d95ff76ee093
Opcode Fuzzy Hash: 96c12bda4b17ac3af7149cfdf046cadbc3ace72f31943c28e8dae33725021cbe
Instruction Fuzzy Hash: 2141E135215221AFD720CF59F848B19BBE4FF45328F16C099E4158B762C775EC41CB90

Function 0021E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 002116C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0021170D
Part of subcall function 002116C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0021173A
Part of subcall function 002116C3: GetLastError.KERNEL32 ref: 0021174A

ExitWindowsEx.USER32(?,00000000), ref: 0021E932

Strings

SeShutdownPrivilege, xrefs: 0021E902
@, xrefs: 0021E925
, xrefs: 0021E95C
, xrefs: 0021E920

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: b56364becea237a0308422bff838197fc64d3c2fa45dabc51d529e9da352f6b7
Instruction ID: 07747b7aa39b2661c55f95a2ede18c1c29a5aea719dec0b71a9f10391eb4084f
Opcode Fuzzy Hash: b56364becea237a0308422bff838197fc64d3c2fa45dabc51d529e9da352f6b7
Instruction Fuzzy Hash: 3801DB76630311ABEF546678AC8ABFF72DC9B28750F164422FD03E21D1D5A55CE085E4

Function 00231204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00231276
WSAGetLastError.WSOCK32 ref: 00231283
bind.WSOCK32(00000000,?,00000010), ref: 002312BA
WSAGetLastError.WSOCK32 ref: 002312C5
closesocket.WSOCK32(00000000), ref: 002312F4
listen.WSOCK32(00000000,00000005), ref: 00231303
WSAGetLastError.WSOCK32 ref: 0023130D
closesocket.WSOCK32(00000000), ref: 0023133C

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 0df364c223b168432a500359ed375b28da12e3dbe3c231bd8012a6f844b1c78d
Instruction ID: 19db37bcc55df8ad7c1f64b6c759e98f427fc83dd3f62d1ed69c011e480544c8
Opcode Fuzzy Hash: 0df364c223b168432a500359ed375b28da12e3dbe3c231bd8012a6f844b1c78d
Instruction Fuzzy Hash: 9F41B275A001119FD710DF28D488B6ABBE5BF86318F288188E8568F3D6C771ED91CBE1

Function 001EB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001EB9D4
_free.LIBCMT ref: 001EB9F8
_free.LIBCMT ref: 001EBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00253700), ref: 001EBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0028121C,000000FF,00000000,0000003F,00000000,?,?), ref: 001EBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00281270,000000FF,?,0000003F,00000000,?), ref: 001EBC36
_free.LIBCMT ref: 001EBD4B

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 0f8ac61713d643d3b5d91d5a42a148a26460f047dd93c914ab8d295e965c2d2c
Instruction ID: 60d14e8f72a97d35e74c341c7b7d47a0d87dcb1fb75d29d0942f6bf27e1d26a6
Opcode Fuzzy Hash: 0f8ac61713d643d3b5d91d5a42a148a26460f047dd93c914ab8d295e965c2d2c
Instruction Fuzzy Hash: CEC14975908A84AFCB24DF7A9CC1BAF7BB8EF51310F2441AAE494D7296E7308E41C750

Function 0021D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 001B3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001B3A97,?,?,001B2E7F,?,?,?,00000000), ref: 001B3AC2

Part of subcall function 0021E199: GetFileAttributesW.KERNEL32(?,0021CF95), ref: 0021E19A

FindFirstFileW.KERNEL32(?,?), ref: 0021D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0021D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0021D481
FindClose.KERNEL32(00000000), ref: 0021D498
FindClose.KERNEL32(00000000), ref: 0021D4A1

Strings

\*.*, xrefs: 0021D3F2

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 5c16be84ac7f63a1a2c5c2e890d8fbfe8d90b8f8fe0cbcacfe46750cff66cc3d
Instruction ID: a4b72ee8e805bd251624d8bcfe5d292b11227f1a4c21da3d9ffa6053a04ff832
Opcode Fuzzy Hash: 5c16be84ac7f63a1a2c5c2e890d8fbfe8d90b8f8fe0cbcacfe46750cff66cc3d
Instruction Fuzzy Hash: 5C31A031019345ABC300EF64D8958EFB7E8BEB2314F944A1DF4D593191EB70AA19DB63

Function 001EE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 001EE645

Strings

1#IND, xrefs: 001EF83D
1#SNAN, xrefs: 001EF844
1#INF, xrefs: 001EF852
1#QNAN, xrefs: 001EF84B

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: fd247c516302b3ed695a1c6cca0d2c48a4a53af640ad8a515717feece18924db
Instruction ID: bb1463d9d267a6eb090d4d6a442d3aeee5e70649ad531c39b6e7da110be18bba
Opcode Fuzzy Hash: fd247c516302b3ed695a1c6cca0d2c48a4a53af640ad8a515717feece18924db
Instruction Fuzzy Hash: 8FC23971E04A698FDB29CE299D407EEB7F5EB48305F1541EAD84DE7240E774AE828F40

Function 0022648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 002264DC
CoInitialize.OLE32(00000000), ref: 00226639
CoCreateInstance.OLE32(0024FCF8,00000000,00000001,0024FB68,?), ref: 00226650
CoUninitialize.OLE32 ref: 002268D4

Strings

.lnk, xrefs: 002264BA, 00226524, 002265E0

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: caa6e9eb9df911e0f7087b595731a116d641af4eabd9ed5adb814ce867574332
Instruction ID: dce6f9c03aa862136f0016503791f2de1fdbc3b7d834bfa0ac7692bef361641c
Opcode Fuzzy Hash: caa6e9eb9df911e0f7087b595731a116d641af4eabd9ed5adb814ce867574332
Instruction Fuzzy Hash: E5D16A71518211AFC304EF64D881DABB7E8FFA9304F50496DF5958B2A1EB30ED05CBA2

Function 002322DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 002322E8

Part of subcall function 0022E4EC: GetWindowRect.USER32(?,?), ref: 0022E504

GetDesktopWindow.USER32 ref: 00232312
GetWindowRect.USER32(00000000), ref: 00232319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00232355
GetCursorPos.USER32(?), ref: 00232381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 002323DF

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: ad7d014d1000e858b57c67eedf5ac849c7a334a67af8fef8a0ae78557975fb68
Instruction ID: 2bc80b506796012cfa6acde67457831d78537f6e2fe99f7565f3dab4ecf773c4
Opcode Fuzzy Hash: ad7d014d1000e858b57c67eedf5ac849c7a334a67af8fef8a0ae78557975fb68
Instruction Fuzzy Hash: FE3100B2515316AFDB20DF18DC49B9BBBE9FF85310F100919F985A7181DB34EA18CB92

Function 00229B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00229B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00229C8B

Part of subcall function 00223874: GetInputState.USER32 ref: 002238CB
Part of subcall function 00223874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00223966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00229BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00229C75

Strings

*.*, xrefs: 00229B5D

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 20b3c3cf0814c3075bf5c294532ab17609b26e96406f49ce24ddf34ada88beae
Instruction ID: f5974b8fb8d353c311c416045d1f7002ff0137703bbeea8d6124506e908df8d2
Opcode Fuzzy Hash: 20b3c3cf0814c3075bf5c294532ab17609b26e96406f49ce24ddf34ada88beae
Instruction Fuzzy Hash: 0E41A47191021AAFDF54DFA4D889AEE7BF4FF19310F20405AE805A3191EB309E94CF60

Function 001C997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 001C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001C9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 001C9A4E
GetSysColor.USER32(0000000F), ref: 001C9B23
SetBkColor.GDI32(?,00000000), ref: 001C9B36

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 19baf01232f164704ad1092872c8bd0b0eff977a7a86c16da51d7b15da9697ef
Instruction ID: dcd11fb39d9fbce638621cba8a33c5f67aab26fa8b6dd9c59e144e37bd0ce4f4
Opcode Fuzzy Hash: 19baf01232f164704ad1092872c8bd0b0eff977a7a86c16da51d7b15da9697ef
Instruction Fuzzy Hash: 17A13570629500BFE72CAE2C9C8DF7B2A9DEB62340B15010DF402D76E2CB25ED61D672

Function 00231806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0023304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0023307A
Part of subcall function 0023304E: _wcslen.LIBCMT ref: 0023309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0023185D
WSAGetLastError.WSOCK32 ref: 00231884
bind.WSOCK32(00000000,?,00000010), ref: 002318DB
WSAGetLastError.WSOCK32 ref: 002318E6
closesocket.WSOCK32(00000000), ref: 00231915

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 7649c7292e3c247e4f1327a81f67d9a6f53a3bcd33a63a68f09b86d274b4a4ed
Instruction ID: a5df6ff6516caca3bacda3dc62fa8e87e3fd7679682af4b0591a11cfae5991d3
Opcode Fuzzy Hash: 7649c7292e3c247e4f1327a81f67d9a6f53a3bcd33a63a68f09b86d274b4a4ed
Instruction Fuzzy Hash: 7A51C575A002009FEB10AF24D88AF6A77E5AB59718F18809CF9059F3D3C771ED518BE1

Function 00241C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00241CC0
IsWindowEnabled.USER32 ref: 00241CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00241CDB
IsIconic.USER32 ref: 00241CE9
IsZoomed.USER32 ref: 00241CF7

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: cd0a7f1c0f60810cb41958df4f8c272572c983a43e688711c5f751de5f07e0a9
Instruction ID: 45aa22e59fdf40dd8032935009db4896b0769876ca212c332d3480095a477fed
Opcode Fuzzy Hash: cd0a7f1c0f60810cb41958df4f8c272572c983a43e688711c5f751de5f07e0a9
Instruction Fuzzy Hash: 332127317512119FD3288F1ADC84B6A7BE5EF85314F19805DE84ACB351CB71DCA2CB91

Function 001B8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 001F5DF0
VUUU, xrefs: 001B83FA
VUUU, xrefs: 001B843C
ERCP, xrefs: 001B813C
VUUU, xrefs: 001B83E8

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 8c7c70942d2f98e3d370ed97a257018e446f1e309440c05b0008a21b34b61ce9
Instruction ID: 09baceb2c2c0b1c34cdedb527188ccd4e16e580c345713468d0092c67b9519ca
Opcode Fuzzy Hash: 8c7c70942d2f98e3d370ed97a257018e446f1e309440c05b0008a21b34b61ce9
Instruction Fuzzy Hash: A6A27D70E0061ECBDF28CF58C8507FEB7B6BB54714F2581AAEA15A7285DB709D81CB90

Function 00218298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 002182AA

Strings

tb', xrefs: 002184F4
|, xrefs: 002182DA
(, xrefs: 002182F0

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tb'$|
API String ID: 1659193697-4112980726
Opcode ID: 5bee2f2fb35e7f4fb3aca406e92cadfee9a9d93e5e5b0e633f3de5d86481c300
Instruction ID: 351488d97634c6d93bcb82a6051e74061860405ade06911759462cfe93323214
Opcode Fuzzy Hash: 5bee2f2fb35e7f4fb3aca406e92cadfee9a9d93e5e5b0e633f3de5d86481c300
Instruction Fuzzy Hash: 9E323875A107069FC728CF59C080AAAB7F0FF58710B15C56EE59ADB3A1EB70E991CB40

Function 0021AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0021AAAC
SetKeyboardState.USER32(00000080), ref: 0021AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0021AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0021AB88

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 91f3ab81d3c73ceb116f396f5e17b4fefedeb9f4bf3306179dd6278b6ed0f5bb
Instruction ID: 1d2ed20b7a9a563558d2a9333f75be1e7e5be0558529f021b936942392727e77
Opcode Fuzzy Hash: 91f3ab81d3c73ceb116f396f5e17b4fefedeb9f4bf3306179dd6278b6ed0f5bb
Instruction Fuzzy Hash: AB314A70A66288AEFB34CF68CC05BFA77E6AF74314F04421AF081521D0C3748AE0C752

Function 0022CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0022CE89
GetLastError.KERNEL32(?,00000000), ref: 0022CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0022CEFE

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: c279f21a1ee1ceb7be05bfe1263260646c528f4c8b7c9723c8baa14f293a2578
Instruction ID: 4fa49742fdde9cb805a679c560843cfa409d072e27e896440d4e65bc99d813c7
Opcode Fuzzy Hash: c279f21a1ee1ceb7be05bfe1263260646c528f4c8b7c9723c8baa14f293a2578
Instruction Fuzzy Hash: 2521CFB1510716ABDB30DFA5E948BABB7FCEB50358F20442EE646D2151E7B0EE148B50

Function 00225C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00225CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00225D17
FindClose.KERNEL32(?), ref: 00225D5F

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 7c201151d5058da4b3d14f2f952646a8661f5ba3f5f05e741832abc176cffd13
Instruction ID: e8ae8c8d58b8fb9a2de0c4f212bb3ded0fd344f121cbd81d90d2653beb0960b4
Opcode Fuzzy Hash: 7c201151d5058da4b3d14f2f952646a8661f5ba3f5f05e741832abc176cffd13
Instruction Fuzzy Hash: C651BB34614A12AFC714CF68D494E96B7E4FF4A324F14855EE95A8B3A2CB30EC14CF91

Function 001E2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 001E271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 001E2724
UnhandledExceptionFilter.KERNEL32(?), ref: 001E2731

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: a03fddfff26114edcc4d5bdb7c1f57171dc90e6ddb0b5b033767a4ea1b015f6c
Instruction ID: 58cd569543e9ab63bce33bce004535f03a3e20d59307c75754f268f16edabda2
Opcode Fuzzy Hash: a03fddfff26114edcc4d5bdb7c1f57171dc90e6ddb0b5b033767a4ea1b015f6c
Instruction Fuzzy Hash: 0F31B374911228ABCB21DF69DC8979DBBB8BF18310F5041EAE81CA7261E7749F818F45

Function 002251CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002251DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00225238
SetErrorMode.KERNEL32(00000000), ref: 002252A1

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 0caa81f49abd25755f9e39a637a66f371da75a3f9d00ba4d9c9c89c01c4bc1d6
Instruction ID: f72ea4e0baf9daa0ce30afde7d6540c3b5c3f36c5049c851e0664bed8bd4eaec
Opcode Fuzzy Hash: 0caa81f49abd25755f9e39a637a66f371da75a3f9d00ba4d9c9c89c01c4bc1d6
Instruction Fuzzy Hash: 7D312F75A10519EFDB00DF94D888EEDBBB4FF49314F148099E8099B392DB71E856CBA0

Function 002116C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 001CFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 001D0668
Part of subcall function 001CFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 001D0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0021170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0021173A
GetLastError.KERNEL32 ref: 0021174A

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: b31fddf58d9d1cdc287a0ba60af93a956b05aab99c66cca284e63816ed1d703d
Instruction ID: b610f38c28499da9f90d827aac9518053b9403a40d09e3fe298d994c95d96b53
Opcode Fuzzy Hash: b31fddf58d9d1cdc287a0ba60af93a956b05aab99c66cca284e63816ed1d703d
Instruction Fuzzy Hash: 5511C1B2414305AFD7189F54EC86EABB7FDEB54714B20852EE05653291EB70FC928A20

Function 0021D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0021D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0021D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0021D650

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 582c25aba8139d6ab5dc11c11984f5a218812c55211cf039f6b6386d326e4c93
Instruction ID: 536efb826dd5e2dff44c7602a8caf828775772f714a3ed5a695a244f849a8c3e
Opcode Fuzzy Hash: 582c25aba8139d6ab5dc11c11984f5a218812c55211cf039f6b6386d326e4c93
Instruction Fuzzy Hash: 0C113075E05228BBDB108F99AC49FAFBBBCEB45B50F104155F904E7290D6B05A058BA1

Function 00211663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0021168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 002116A1
FreeSid.ADVAPI32(?), ref: 002116B1

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 08e929c93937b55cee5d5b6f67d9eadab62ea3ea3d9ab9b0417f56f24ec050ed
Instruction ID: 52c585199c1a872c4445733fc6493a9e08c05d9455173b3d3597002a9e138317
Opcode Fuzzy Hash: 08e929c93937b55cee5d5b6f67d9eadab62ea3ea3d9ab9b0417f56f24ec050ed
Instruction Fuzzy Hash: 37F0F475A51309FBDB00DFE49C89AAEBBBCEB08605F504965E501E2181E774AA448A54

Function 001EC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 001EC36C

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 0fec85a5a1585df3ea67399eaba8c95a69a8b9e8d319144d2a3e02a91174d5ce
Instruction ID: 92c37ad112a75585dd4de68bb9f192cf671d9c03c84d1d345ed6926b704ad142
Opcode Fuzzy Hash: 0fec85a5a1585df3ea67399eaba8c95a69a8b9e8d319144d2a3e02a91174d5ce
Instruction Fuzzy Hash: D0412876900A596BCB249FBADC49EBF7778EB84314F1042A9F915D7280E7709D828B90

Function 0020D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0020D28C

Strings

X64, xrefs: 0020D2A8

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 7a36532c2d3feb4d31230de9e097260555bb44087e961bcfd008ff5a111b7fde
Instruction ID: de46422c3a33dccf8e414d6d7ad673ba10ba5be99bb311ba423d4327293358d5
Opcode Fuzzy Hash: 7a36532c2d3feb4d31230de9e097260555bb44087e961bcfd008ff5a111b7fde
Instruction Fuzzy Hash: 05D0C9B481211DEFCB94CB94EC88DDAB37CBB14305F100165F506A2040DB7095488F10

Function 001DCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 81fdda32b4bc4e32412c3a366d2050238eb4cbd970f4ec2c775f37a319157cea
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: A9021D71E0011A9BDF14CFA9C9806ADFBF1EF48314F25466AD919E7384D731AA41CBD4

Function 001BCAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#(, xrefs: 001BCF7F
Variable is not of type 'Object'., xrefs: 00200C40

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#(
API String ID: 0-1684414423
Opcode ID: a853d6a13c011b7ee9267ea5472b677e45c24f32fa8c4e1bb3cce940366271db
Instruction ID: 823e207f94015cd58eae6dc045433ce06d6b330f59351045387e33cb6dd79d34
Opcode Fuzzy Hash: a853d6a13c011b7ee9267ea5472b677e45c24f32fa8c4e1bb3cce940366271db
Instruction Fuzzy Hash: AD329B74910219DBDF14DF94C881BFDBBB5FF25304F248069E806AB292DB75AE45CBA0

Function 002268EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00226918
FindClose.KERNEL32(00000000), ref: 00226961

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 29818225bef282cbe8a1f34c859438387b82b00c7de92e68123462c70be91aa9
Instruction ID: 290e8728b4dbf757ef65aca68fb78fda6e27959999d9478d6a7524f37e5618f8
Opcode Fuzzy Hash: 29818225bef282cbe8a1f34c859438387b82b00c7de92e68123462c70be91aa9
Instruction Fuzzy Hash: 0911D3356142119FC710CF69D488A16BBE0FF85328F14C69DF4698F6A2CB70EC45CB90

Function 002237B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00234891,?,?,00000035,?), ref: 002237E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00234891,?,?,00000035,?), ref: 002237F4

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: bb0c6311c9c8f531eac98d38c1a7a14d393e4f8b7f4321b8e0a9548ba4c697d7
Instruction ID: dab22ce2b5d6e488613410d623c473d1fc8e8fac125f3b400f11657af674ced1
Opcode Fuzzy Hash: bb0c6311c9c8f531eac98d38c1a7a14d393e4f8b7f4321b8e0a9548ba4c697d7
Instruction Fuzzy Hash: 6CF05C706052283BDB1057A55C4CFEB7A9DDFC5760F000161F504D2180C6A04904C6B0

Function 0021B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0021B25D
keybd_event.USER32(?,7694C0D0,?,00000000), ref: 0021B270

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: cd95b8ad423fe8100ffcce46442b240f44c3034774946eed1508e91f516b5b14
Instruction ID: a08d0e84afac9b240520838a569f66b5e09f8fb70a3d7a006e57e42300be3b9f
Opcode Fuzzy Hash: cd95b8ad423fe8100ffcce46442b240f44c3034774946eed1508e91f516b5b14
Instruction Fuzzy Hash: ACF06D7481424EABDB058FA4C805BEE7BB4FF04305F108009F951A5191C3798615DF94

Function 002110BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002111FC), ref: 002110D4
CloseHandle.KERNEL32(?,?,002111FC), ref: 002110E9

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 01384cfb623133cc361df62ee11ad665c84d0b521babf38c92b8f19c0738b055
Instruction ID: 93f6c05357823728323baf618ac9a60f1fee3d108909f26ec3744d741dafef03
Opcode Fuzzy Hash: 01384cfb623133cc361df62ee11ad665c84d0b521babf38c92b8f19c0738b055
Instruction Fuzzy Hash: 82E04F32019610AEE7252F55FC09FB37BE9EB14310B20882DF5A6804B1DB62ACA0DB10

Function 001E676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,001E6766,?,?,00000008,?,?,001EFEFE,00000000), ref: 001E6998

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 93d6f771f18ff11b9f7e5f388df3702990b82276d49360ce6f3bddad0831d225
Instruction ID: 1112f54370c748fa1c8c7418dcd07d2cf183da48c33dba3363217305c20c8e23
Opcode Fuzzy Hash: 93d6f771f18ff11b9f7e5f388df3702990b82276d49360ce6f3bddad0831d225
Instruction Fuzzy Hash: 5CB17E31510A48CFD719CF29C486B687BE0FF553A4F658658E8D9CF2A2C335E981CB40

Function 001CB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0020851F

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: d8c262a7e972a335c41c86664688f32285f0dcb23626f64e824867ae8cef0860
Instruction ID: a09c3ab71744b3014b54fe97b35206ced81558959729a885884276d0ebc09d3c
Opcode Fuzzy Hash: d8c262a7e972a335c41c86664688f32285f0dcb23626f64e824867ae8cef0860
Instruction Fuzzy Hash: 6A1250719142299FCB14CF58C881BEEB7B5FF58710F15819AE849EB292DB309E91CF90

Function 0022EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0022EABD

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: a393a9644a83971c52c7aa919bfd82ea4000715b3c86ce92b845267f83ad93e7
Instruction ID: dfdb6aa8ad6001f5117cb4256d0c3fb211ac963c19a1df144646fed792c88271
Opcode Fuzzy Hash: a393a9644a83971c52c7aa919bfd82ea4000715b3c86ce92b845267f83ad93e7
Instruction Fuzzy Hash: B6E04F35210214AFC710EF9DE844E9AF7EDAFA9760F01841AFC4AC7351DBB0E8408B91

Function 001D09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,001D03EE), ref: 001D09DA

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 7a43e604b5a04612e6e7023e665d1cd7bcd8b31bb061619741fbccead62e9766
Instruction ID: 93b80bd4de672b8d4c5f833dc4ec2f51b7c5d8a9db2bfc57b51b1d79b920b70c
Opcode Fuzzy Hash: 7a43e604b5a04612e6e7023e665d1cd7bcd8b31bb061619741fbccead62e9766
Instruction Fuzzy Hash:

Function 001D781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 001D798B

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 4177a0bea3327ce5e565ffd9c761053d5aa853b50c4882918298bb0f35e3bdca
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: BD51667260C7459BDF3C856C886EBBE63999B12358F18050BE886D73C2FB15EE01E356

Function 00222046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&(, xrefs: 00222053

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID: 0&(
API String ID: 0-759240540
Opcode ID: 336a555eb7aeb5686c257b17a49e49b2f643313d5193deeb6ed40f65f3ae7f05
Instruction ID: bfac38593ffedafeb2c8b4f7c8691a50431866334e5eefaa948ef22cf078c6b5
Opcode Fuzzy Hash: 336a555eb7aeb5686c257b17a49e49b2f643313d5193deeb6ed40f65f3ae7f05
Instruction Fuzzy Hash: 2321BB32621521DBD728CF79D81767E73E5A764310F15862EE4A7C77D0DE36A908CB40

Function 001E6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5431af5924abe4801f82265932de682939774411084bbf891fa700711822f0b
Instruction ID: 44947fb829bb70f29bb08e87841e02f6b338f8b1225f732679c2e76a98a17d18
Opcode Fuzzy Hash: f5431af5924abe4801f82265932de682939774411084bbf891fa700711822f0b
Instruction Fuzzy Hash: 06324522D29F814DE7239635DC26339A259AFB73C6F15C737E81AB59E5EB39C4834100

Function 001CCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bac092c7bd4a447726f27e58cbe7ebd35fb6d68b9bb76f1cc6776af271b649d
Instruction ID: 0be1fd45a0e2a5d9720db40e556e71ca7839d613fadff7db48c387998b26d2a6
Opcode Fuzzy Hash: 6bac092c7bd4a447726f27e58cbe7ebd35fb6d68b9bb76f1cc6776af271b649d
Instruction Fuzzy Hash: 7132D1B1A242168BDF28CF29C494B7D77A1EB45314F38866AD85ACB2D3D330DDA1DB41

Function 001B7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0cd0226f68fe735ce5ac998f41bd05fc888a263c5077d334f9b115813dcb5d
Instruction ID: 37bdd381de4d2889b2520d36ce881dacca6485728b54df066711cd8ad17bbbcb
Opcode Fuzzy Hash: 5e0cd0226f68fe735ce5ac998f41bd05fc888a263c5077d334f9b115813dcb5d
Instruction Fuzzy Hash: 1022C070A0460ADFDF14CF64D981AFEB7F2FF54300F244529E916AB291EB369951CB50

Function 001B91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 051d65f8c1ac1f931e8e5955c2d42c28f8e1c2c057c2b22eb7db83aec6328353
Instruction ID: 6d34e5de90774f37e13c1e4601aa512e93d86180c85304298d17039255bbbb86
Opcode Fuzzy Hash: 051d65f8c1ac1f931e8e5955c2d42c28f8e1c2c057c2b22eb7db83aec6328353
Instruction Fuzzy Hash: 440295B0E00209EBDB14DF64D881ABDB7F1FF54300F518169E91ADB2A1E731EA61CB91

Function 001E9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7262246bdc75d7fc3028687f76b515e8a9cedc27d42a3ab5aead35b41ced466
Instruction ID: f51bdcd699923dd8f151976b0be5eaaadb6279c705e6c1b6912fcb457666800f
Opcode Fuzzy Hash: b7262246bdc75d7fc3028687f76b515e8a9cedc27d42a3ab5aead35b41ced466
Instruction Fuzzy Hash: 91B11320D2AF405DC32396399835336B75CAFBB6D6F91E35BFC1674D22EB2286834180

Function 001D7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33da8e8d9ff18e2f1d0cccbcac7d6a67fae02e4f70867977fbf0f94094144d14
Instruction ID: 6562b2544c9fa858bca21a3c576b4970dbb35d534fcc406b058c4a7acae647f8
Opcode Fuzzy Hash: 33da8e8d9ff18e2f1d0cccbcac7d6a67fae02e4f70867977fbf0f94094144d14
Instruction Fuzzy Hash: 9061397160870A9ADE38AA2C8DA6BBF6394DF51704F18091FE842DB3C1F715DE42C355

Function 001D7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8c109758b1f10ef58e77139d2ec30a3c57fa28db505fdff3df747e48051faeb
Instruction ID: bcf4b77f3d77ae32bcb001acc8d217d44d2335bef09b3d71ac73f8fc2a4781d9
Opcode Fuzzy Hash: b8c109758b1f10ef58e77139d2ec30a3c57fa28db505fdff3df747e48051faeb
Instruction Fuzzy Hash: 59617931208F0967DE395AA89896BBF639AEF52744F10095BE843DB3C1FB12ED42C355

Function 00232ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00232B30
DeleteObject.GDI32(00000000), ref: 00232B43
DestroyWindow.USER32 ref: 00232B52
GetDesktopWindow.USER32 ref: 00232B6D
GetWindowRect.USER32(00000000), ref: 00232B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00232CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00232CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00232CF8
GetClientRect.USER32(00000000,?), ref: 00232D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00232D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00232D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00232D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00232D80
GlobalLock.KERNEL32(00000000), ref: 00232D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00232D98
GlobalUnlock.KERNEL32(00000000), ref: 00232DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00232DA8
GlobalFree.KERNEL32(00000000), ref: 00232DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00232DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0024FC38,00000000), ref: 00232DDB
GlobalFree.KERNEL32(00000000), ref: 00232DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00232E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00232E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00232E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0023303F

Strings

AutoIt v3, xrefs: 00232CF2
DISPLAY, xrefs: 00232EA2
, xrefs: 00232FC5
static, xrefs: 00232D3A, 00232E91

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: d97cdffd67df94f96d1b57bc0e3c4af9d86c5679659039af4e2c56788cb0ec1c
Instruction ID: 31345695f07b71b40f7baf419402a0756674378117cab80f55dd78caadcf8854
Opcode Fuzzy Hash: d97cdffd67df94f96d1b57bc0e3c4af9d86c5679659039af4e2c56788cb0ec1c
Instruction Fuzzy Hash: 00027BB5611205EFDB14DFA8DC8DEAE7BB9EF49310F108558F915AB2A1CB70AD01CB60

Function 002470D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0024712F
GetSysColorBrush.USER32(0000000F), ref: 00247160
GetSysColor.USER32(0000000F), ref: 0024716C
SetBkColor.GDI32(?,000000FF), ref: 00247186
SelectObject.GDI32(?,?), ref: 00247195
InflateRect.USER32(?,000000FF,000000FF), ref: 002471C0
GetSysColor.USER32(00000010), ref: 002471C8
CreateSolidBrush.GDI32(00000000), ref: 002471CF
FrameRect.USER32(?,?,00000000), ref: 002471DE
DeleteObject.GDI32(00000000), ref: 002471E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00247230
FillRect.USER32(?,?,?), ref: 00247262
GetWindowLongW.USER32(?,000000F0), ref: 00247284

Part of subcall function 002473E8: GetSysColor.USER32(00000012), ref: 00247421
Part of subcall function 002473E8: SetTextColor.GDI32(?,?), ref: 00247425
Part of subcall function 002473E8: GetSysColorBrush.USER32(0000000F), ref: 0024743B
Part of subcall function 002473E8: GetSysColor.USER32(0000000F), ref: 00247446
Part of subcall function 002473E8: GetSysColor.USER32(00000011), ref: 00247463
Part of subcall function 002473E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00247471
Part of subcall function 002473E8: SelectObject.GDI32(?,00000000), ref: 00247482
Part of subcall function 002473E8: SetBkColor.GDI32(?,00000000), ref: 0024748B
Part of subcall function 002473E8: SelectObject.GDI32(?,?), ref: 00247498
Part of subcall function 002473E8: InflateRect.USER32(?,000000FF,000000FF), ref: 002474B7
Part of subcall function 002473E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002474CE
Part of subcall function 002473E8: GetWindowLongW.USER32(00000000,000000F0), ref: 002474DB

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 157d57d5672a1addb7afae6e505a0ce65e84e0d2b6567c3143a2610688165f9f
Instruction ID: 7def95dcbf423aacb879cbd135a8b816a2266d3f8197f66a02db37f33e4eae0e
Opcode Fuzzy Hash: 157d57d5672a1addb7afae6e505a0ce65e84e0d2b6567c3143a2610688165f9f
Instruction Fuzzy Hash: 96A1C176019302AFD755DF64EC4CE5B7BA9FB8A320F200A19F966A61E1D770E804CF51

Function 00232711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0023273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0023286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 002328A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 002328B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00232900
GetClientRect.USER32(00000000,?), ref: 0023290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00232955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00232964
GetStockObject.GDI32(00000011), ref: 00232974
SelectObject.GDI32(00000000,00000000), ref: 00232978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00232988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00232991
DeleteDC.GDI32(00000000), ref: 0023299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 002329C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 002329DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00232A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00232A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00232A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00232A77
GetStockObject.GDI32(00000011), ref: 00232A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00232A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00232A97

Strings

msctls_progress32, xrefs: 00232A13
AutoIt v3, xrefs: 002328F8
DISPLAY, xrefs: 0023295A
static, xrefs: 0023294F, 00232A71

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 9c6eb3456334664fc3fc9a817437b18f30cadc281b05037dc8d3b9fd7f76162d
Instruction ID: 09bbf9ff278789bd029cef1896f36d7c4ce0493086846d1a6ce1caea1f011529
Opcode Fuzzy Hash: 9c6eb3456334664fc3fc9a817437b18f30cadc281b05037dc8d3b9fd7f76162d
Instruction Fuzzy Hash: 14B18DB5A11205AFEB14CF68DC89FAEBBA9EF49710F108554F915E72D0D770AD10CBA0

Function 00224ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00224AED
GetDriveTypeW.KERNEL32(?,0024CB68,?,\\.\,0024CC08), ref: 00224BCA
SetErrorMode.KERNEL32(00000000,0024CB68,?,\\.\,0024CC08), ref: 00224D36

Strings

ATA, xrefs: 00224C98
RAMDisk, xrefs: 00224BF4
Unknown, xrefs: 00224BED, 00224C83
SSD, xrefs: 00224C4A
USB, xrefs: 00224CB4
SSA, xrefs: 00224CA6
RAID, xrefs: 00224CBB
\\.\, xrefs: 00224B3F
SATA, xrefs: 00224CD0
1394, xrefs: 00224C9F
iSCSI, xrefs: 00224CC2
Virtual, xrefs: 00224CE5
Fibre, xrefs: 00224CAD
PhysicalDrive, xrefs: 00224B76
ATAPI, xrefs: 00224C91
Removable, xrefs: 00224C10, 00224C15
SCSI, xrefs: 00224C8A
Network, xrefs: 00224C02
SAS, xrefs: 00224CC9
Fixed, xrefs: 00224C09
CDROM, xrefs: 00224BFB
FileBackedVirtual, xrefs: 00224CEC
MMC, xrefs: 00224CDE

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 0274146051c978f02bf4ab68afa144ff2dcfc197f82adad935f34bfddc475d71
Instruction ID: 78a47ebf4a0a72566d02e02ee9af7d452ef26247b735143fd9490129711a07ec
Opcode Fuzzy Hash: 0274146051c978f02bf4ab68afa144ff2dcfc197f82adad935f34bfddc475d71
Instruction Fuzzy Hash: 3A610630631516FBCB15FFA8EA89DAC77A0AB15304B208117F80AAB651DFB1DD71DB41

Function 002473E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00247421
SetTextColor.GDI32(?,?), ref: 00247425
GetSysColorBrush.USER32(0000000F), ref: 0024743B
GetSysColor.USER32(0000000F), ref: 00247446
CreateSolidBrush.GDI32(?), ref: 0024744B
GetSysColor.USER32(00000011), ref: 00247463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00247471
SelectObject.GDI32(?,00000000), ref: 00247482
SetBkColor.GDI32(?,00000000), ref: 0024748B
SelectObject.GDI32(?,?), ref: 00247498
InflateRect.USER32(?,000000FF,000000FF), ref: 002474B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002474CE
GetWindowLongW.USER32(00000000,000000F0), ref: 002474DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0024752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00247554
InflateRect.USER32(?,000000FD,000000FD), ref: 00247572
DrawFocusRect.USER32(?,?), ref: 0024757D
GetSysColor.USER32(00000011), ref: 0024758E
SetTextColor.GDI32(?,00000000), ref: 00247596
DrawTextW.USER32(?,002470F5,000000FF,?,00000000), ref: 002475A8
SelectObject.GDI32(?,?), ref: 002475BF
DeleteObject.GDI32(?), ref: 002475CA
SelectObject.GDI32(?,?), ref: 002475D0
DeleteObject.GDI32(?), ref: 002475D5
SetTextColor.GDI32(?,?), ref: 002475DB
SetBkColor.GDI32(?,?), ref: 002475E5

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 872b2fbddb8b069fc720678789f6f245cb45559072ab858e82e5786a73dfface
Instruction ID: c95b054ad0edc27fc79f1f8ded5dbd940df40a0e2b1e8e2dcdecda9992fd4293
Opcode Fuzzy Hash: 872b2fbddb8b069fc720678789f6f245cb45559072ab858e82e5786a73dfface
Instruction Fuzzy Hash: 98618D76901218AFDF059FA8EC48EEEBFB9EB09320F214115F915BB2A1D7709950CF90

Function 00240FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00241128
GetDesktopWindow.USER32 ref: 0024113D
GetWindowRect.USER32(00000000), ref: 00241144
GetWindowLongW.USER32(?,000000F0), ref: 00241199
DestroyWindow.USER32(?), ref: 002411B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 002411ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0024120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0024121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00241232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00241245
IsWindowVisible.USER32(00000000), ref: 002412A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 002412BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 002412D0
GetWindowRect.USER32(00000000,?), ref: 002412E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0024130E
GetMonitorInfoW.USER32(00000000,?), ref: 00241328
CopyRect.USER32(?,?), ref: 0024133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 002413AA

Strings

tooltips_class32, xrefs: 002411E6
(, xrefs: 0024131B
0, xrefs: 002410D3

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: f0e6c0c226c742819b40a593ed9dc00ba6e9d012b42ea8646a7aaea0aa0b5f02
Instruction ID: 637eb4d2c7dfd4ce507133a0e8b6a44c462ddddde7990ff51f3b13c8bf78590f
Opcode Fuzzy Hash: f0e6c0c226c742819b40a593ed9dc00ba6e9d012b42ea8646a7aaea0aa0b5f02
Instruction Fuzzy Hash: 17B19F71618341AFD714DF64D888BAEBBE4FF85350F00891CF9999B261C771E8A4CB92

Function 00240241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002402E5
_wcslen.LIBCMT ref: 0024031F
_wcslen.LIBCMT ref: 00240389
_wcslen.LIBCMT ref: 002403F1
_wcslen.LIBCMT ref: 00240475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 002404C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00240504

Part of subcall function 001CF9F2: _wcslen.LIBCMT ref: 001CF9FD

Part of subcall function 0021223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00212258
Part of subcall function 0021223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0021228A

Strings

GETSELECTED, xrefs: 002405E1
SELECT, xrefs: 00240548
GETTEXT, xrefs: 002403EC, 00240407
DESELECT, xrefs: 0024059C
GETSUBITEMCOUNT, xrefs: 00240384, 0024039F
GETSELECTEDCOUNT, xrefs: 00240470, 0024048B
SELECTALL, xrefs: 00240515
SELECTCLEAR, xrefs: 0024052D
GETITEMCOUNT, xrefs: 00240316, 00240337
VIEWCHANGE, xrefs: 00240675
SELECTINVERT, xrefs: 0024057E
ISSELECTED, xrefs: 002404DD
FINDITEM, xrefs: 00240627

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: ceda8b032ea4167727bf5c1290fd1fc7a028648494f973f9287602f37b440136
Instruction ID: 44d82011c00c2b3c85634ca5972f711c43aca066316ed27848f446f51ff591d7
Opcode Fuzzy Hash: ceda8b032ea4167727bf5c1290fd1fc7a028648494f973f9287602f37b440136
Instruction Fuzzy Hash: FDE1B1312282018FC728DF24C49196EB7E6FFE8714F14895DF9969B2A1D730ED95CB41

Function 001C8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 001C8968
GetSystemMetrics.USER32(00000007), ref: 001C8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 001C899B
GetSystemMetrics.USER32(00000008), ref: 001C89A3
GetSystemMetrics.USER32(00000004), ref: 001C89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 001C89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 001C89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 001C8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 001C8A3C
GetClientRect.USER32(00000000,000000FF), ref: 001C8A5A
GetStockObject.GDI32(00000011), ref: 001C8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 001C8A81

Part of subcall function 001C912D: GetCursorPos.USER32(?), ref: 001C9141
Part of subcall function 001C912D: ScreenToClient.USER32(00000000,?), ref: 001C915E
Part of subcall function 001C912D: GetAsyncKeyState.USER32(00000001), ref: 001C9183
Part of subcall function 001C912D: GetAsyncKeyState.USER32(00000002), ref: 001C919D

SetTimer.USER32(00000000,00000000,00000028,001C90FC), ref: 001C8AA8

Strings

AutoIt v3 GUI, xrefs: 001C8A20

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 3b9414491ed7c5b5a8154f3ab4f391fa0cbe84496def05e9743341195564ae2f
Instruction ID: cc1b2412b02903e61bf42b64b6435610a61a8e82f3dd62e2246bd14777c7852c
Opcode Fuzzy Hash: 3b9414491ed7c5b5a8154f3ab4f391fa0cbe84496def05e9743341195564ae2f
Instruction Fuzzy Hash: 9AB18E35A0120AAFDB14DFA8DC89FAE7BB5FB48314F114219FA15A72D0DB34E861CB51

Function 00210D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002110F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00211114
Part of subcall function 002110F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00210B9B,?,?,?), ref: 00211120
Part of subcall function 002110F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00210B9B,?,?,?), ref: 0021112F
Part of subcall function 002110F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00210B9B,?,?,?), ref: 00211136
Part of subcall function 002110F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0021114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00210DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00210E29
GetLengthSid.ADVAPI32(?), ref: 00210E40
GetAce.ADVAPI32(?,00000000,?), ref: 00210E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00210E96
GetLengthSid.ADVAPI32(?), ref: 00210EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00210EB5
HeapAlloc.KERNEL32(00000000), ref: 00210EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00210EDD
CopySid.ADVAPI32(00000000), ref: 00210EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00210F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00210F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00210F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00210F6E
HeapFree.KERNEL32(00000000), ref: 00210F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00210F7E
HeapFree.KERNEL32(00000000), ref: 00210F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00210F8E
HeapFree.KERNEL32(00000000), ref: 00210F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00210FA1
HeapFree.KERNEL32(00000000), ref: 00210FA8

Part of subcall function 00211193: GetProcessHeap.KERNEL32(00000008,00210BB1,?,00000000,?,00210BB1,?), ref: 002111A1
Part of subcall function 00211193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00210BB1,?), ref: 002111A8
Part of subcall function 00211193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00210BB1,?), ref: 002111B7

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: a1208c8ab7df2cf7063b1084284dcc06e4d9bff7fbfcecda406b9feef5bbd131
Instruction ID: 453f19c41594488aa5121c04f109859ac183fa97beeb52fc56abc8ebcaad47dc
Opcode Fuzzy Hash: a1208c8ab7df2cf7063b1084284dcc06e4d9bff7fbfcecda406b9feef5bbd131
Instruction Fuzzy Hash: CE719E7190120AEBDF209FA5EC89FEEBBB8BF15300F144125F918E6191DB709996CB60

Function 0023C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0023C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0024CC08,00000000,?,00000000,?,?), ref: 0023C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0023C5A4
_wcslen.LIBCMT ref: 0023C5F4
_wcslen.LIBCMT ref: 0023C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0023C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0023C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0023C84D
RegCloseKey.ADVAPI32(?), ref: 0023C881
RegCloseKey.ADVAPI32(00000000), ref: 0023C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0023C960

Strings

REG_EXPAND_SZ, xrefs: 0023C5CD
REG_DWORD, xrefs: 0023C804
REG_QWORD, xrefs: 0023C8C3
REG_SZ, xrefs: 0023C644
REG_BINARY, xrefs: 0023C913
REG_MULTI_SZ, xrefs: 0023C6F5

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: c7e664d708bbc6a7ba86aa2651316058e1c32149b04b3bf410c011e5814dc2ca
Instruction ID: 3191f8fc983922843e575ba1867f9aa6327a5f173dbd4b2ce052c6253787040b
Opcode Fuzzy Hash: c7e664d708bbc6a7ba86aa2651316058e1c32149b04b3bf410c011e5814dc2ca
Instruction Fuzzy Hash: 341279752142019FC725DF24D881B6AB7E5FF88714F14889DF88AAB3A2DB31ED41CB91

Function 0024091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002409C6
_wcslen.LIBCMT ref: 00240A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00240A54
_wcslen.LIBCMT ref: 00240A8A
_wcslen.LIBCMT ref: 00240B06
_wcslen.LIBCMT ref: 00240B81

Part of subcall function 001CF9F2: _wcslen.LIBCMT ref: 001CF9FD

Part of subcall function 00212BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00212BFA

Strings

GETITEMCOUNT, xrefs: 00240C1E
EXPAND, xrefs: 00240BF8
GETSELECTED, xrefs: 00240C4E
CHECK, xrefs: 00240A85, 00240AA0
SELECT, xrefs: 00240D11
GETTEXT, xrefs: 00240C97
COLLAPSE, xrefs: 00240B01, 00240B1C
GETTOTALCOUNT, xrefs: 002409F2, 00240A17
ISCHECKED, xrefs: 00240CE1
UNCHECK, xrefs: 00240D3E
EXISTS, xrefs: 00240B7C, 00240B97

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: d7e9c8074f480f4ad95f608280d27ec3ae1c3bb213d75719d1fc32630ad363b7
Instruction ID: ff3289be5f324cb407e500faf7a3525a23ea0c7072bc8db33269e0d0bb1484b5
Opcode Fuzzy Hash: d7e9c8074f480f4ad95f608280d27ec3ae1c3bb213d75719d1fc32630ad363b7
Instruction Fuzzy Hash: 7CE19031228702CFC718DF25C49196AB7E1FFA8318B14895DF9969B3A2D730ED95CB81

Function 0023C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0023B6AE,?,?), ref: 0023C9B5
_wcslen.LIBCMT ref: 0023C9F1
_wcslen.LIBCMT ref: 0023CA68
_wcslen.LIBCMT ref: 0023CA9E
_wcslen.LIBCMT ref: 0023CAF9
_wcslen.LIBCMT ref: 0023CB2F
_wcslen.LIBCMT ref: 0023CB7F

Strings

HKCC, xrefs: 0023CBAC
HKEY_CURRENT_USER, xrefs: 0023CBBD
HKEY_USERS, xrefs: 0023CBDF
HKEY_LOCAL_MACHINE, xrefs: 0023CA62, 0023CA67
HKEY_CURRENT_CONFIG, xrefs: 0023CB79, 0023CB7E
HKEY_CLASSES_ROOT, xrefs: 0023CAF3, 0023CAF8
HKCR, xrefs: 0023CB29, 0023CB2E
HKU, xrefs: 0023CBF0
HKLM, xrefs: 0023CA98, 0023CA9D
HKCU, xrefs: 0023CBCE

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: f57e469b364f0f11036e18846a9ca35a52a1e6fac696e33da2458975cb492abd
Instruction ID: f863c96155db8fbef13fb79996d5df50cfaa2d5bc2d068f3f732d002205cdc64
Opcode Fuzzy Hash: f57e469b364f0f11036e18846a9ca35a52a1e6fac696e33da2458975cb492abd
Instruction Fuzzy Hash: 9F71E2B263012B8BCB20DE6CCD515BE7396AB70758F314529F856B7284EB31CD65C3A0

Function 0024833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0024835A
_wcslen.LIBCMT ref: 0024836E
_wcslen.LIBCMT ref: 00248391
_wcslen.LIBCMT ref: 002483B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 002483F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00245BF2), ref: 0024844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00248487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 002484CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00248501
FreeLibrary.KERNEL32(?), ref: 0024850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0024851D
DestroyIcon.USER32(?,?,?,?,?,00245BF2), ref: 0024852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00248549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00248555

Strings

.dll, xrefs: 002483AB
.icl, xrefs: 00248368
.exe, xrefs: 00248388

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: d6329d4a685f7e9fa46cc4f314426d0caf0af2fcd30e4be36549d8f922bd1fb0
Instruction ID: 3d86fa4ac5e74ab2a9d74534d540c6f87d0bd264d2f8d40a1d0ac63f7c816c64
Opcode Fuzzy Hash: d6329d4a685f7e9fa46cc4f314426d0caf0af2fcd30e4be36549d8f922bd1fb0
Instruction Fuzzy Hash: 2E610571920216BFEB18CF64DC85BBE77ACBF08710F104509F815DA1D1DBB499A0CBA0

Function 001B7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

Bad directive syntax error, xrefs: 001F519A
#requireadmin, xrefs: 001B77FF
Unterminated group of comments, xrefs: 001F528C
#include, xrefs: 001B7847
#ce, xrefs: 001B78ED
#pragma compile, xrefs: 001B77D3
#cs, xrefs: 001B7873, 001B78C5
Cannot parse #include, xrefs: 001F5279
#include-once, xrefs: 001B782F
#OnAutoItStartRegister, xrefs: 001B7817
", xrefs: 001F5153
', xrefs: 001F5169
#notrayicon, xrefs: 001B77E7
#comments-start, xrefs: 001B785F, 001B78B1
#comments-end, xrefs: 001B78D9

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: e265226c7e21597f0b0f675fa5ad7a5789629fd46cc59fb34194b1b7ec930da5
Instruction ID: a70f28ea29c76758f53dd9e37cc4541ac1b111cad1942b557d66b3bc147c3503
Opcode Fuzzy Hash: e265226c7e21597f0b0f675fa5ad7a5789629fd46cc59fb34194b1b7ec930da5
Instruction Fuzzy Hash: E5812971604609BBDB24BF60DC46FFE37A9AFA5300F054025FA05AB1D6EB70D912DB91

Function 00223E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00223EF8
_wcslen.LIBCMT ref: 00223F03
_wcslen.LIBCMT ref: 00223F5A
_wcslen.LIBCMT ref: 00223F98
GetDriveTypeW.KERNEL32(?), ref: 00223FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0022401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00224059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00224087

Strings

wait, xrefs: 00224044
set cd door , xrefs: 00224028
close cd wait, xrefs: 00224072
closed, xrefs: 00223F08, 00223F2D, 00223F46, 00223F7E, 00223F97
close, xrefs: 00223EFE, 00223F18
open , xrefs: 00223FE5
type cdaudio alias cd wait, xrefs: 00224001
open, xrefs: 00223F54, 00223F59

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 8c2cd1964714d3c53f9acca960ebae9107c18f60c274699bc5f84bd5273c4ccb
Instruction ID: b27e5867c895f78ace1e12875d9ad5ebe36acca8ac2e0f72757b70a7ac50df8e
Opcode Fuzzy Hash: 8c2cd1964714d3c53f9acca960ebae9107c18f60c274699bc5f84bd5273c4ccb
Instruction Fuzzy Hash: 84710332614312AFC310EF24E8808AAB7F4FFA4758F10492DF99597251EB34DE59CB91

Function 00215A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00215A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00215A40
SetWindowTextW.USER32(?,?), ref: 00215A57
GetDlgItem.USER32(?,000003EA), ref: 00215A6C
SetWindowTextW.USER32(00000000,?), ref: 00215A72
GetDlgItem.USER32(?,000003E9), ref: 00215A82
SetWindowTextW.USER32(00000000,?), ref: 00215A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00215AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00215AC3
GetWindowRect.USER32(?,?), ref: 00215ACC
_wcslen.LIBCMT ref: 00215B33
SetWindowTextW.USER32(?,?), ref: 00215B6F
GetDesktopWindow.USER32 ref: 00215B75
GetWindowRect.USER32(00000000), ref: 00215B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00215BD3
GetClientRect.USER32(?,?), ref: 00215BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00215C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00215C2F

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 3bc292fdb6c4aa1ad6d6e92087591a82ba2297885469015de63ba97369d7d3e3
Instruction ID: cafc013e1e4d4c1721260d12b6f0905ec29dac560a21e513877eef58a1d34880
Opcode Fuzzy Hash: 3bc292fdb6c4aa1ad6d6e92087591a82ba2297885469015de63ba97369d7d3e3
Instruction Fuzzy Hash: 2871A031910B1AEFCB20DFA8CD89AAEBBF5FF98704F104558E142A21A4D775E990CF50

Function 0022FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0022FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0022FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0022FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0022FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0022FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0022FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0022FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0022FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0022FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0022FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0022FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0022FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0022FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0022FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0022FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0022FECC
GetCursorInfo.USER32(?), ref: 0022FEDC
GetLastError.KERNEL32 ref: 0022FF1E

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 67af4c222aeebd8744496a84b9d8aac7e585351721741e4c5cccee937e28f61f
Instruction ID: 410c76f90102193ccbbefd9563b4fa44507a2b11652fc383dd16b280a6080daa
Opcode Fuzzy Hash: 67af4c222aeebd8744496a84b9d8aac7e585351721741e4c5cccee937e28f61f
Instruction Fuzzy Hash: 564170B0D0431A6ADB509FBA9D8985EBFF8BF04314B50413AE11CEB281DB78A8018E90

Function 002130F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0021318D
_wcslen.LIBCMT ref: 002131F8

Strings

TEXT, xrefs: 0021347C
NAME, xrefs: 00213335, 00213346
CLASS, xrefs: 00213188, 002131A5
REGEXPCLASS, xrefs: 00213255, 00213266
[', xrefs: 0021339A
INSTANCE, xrefs: 00213453
CLASSNN, xrefs: 002131F3, 00213204

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$['
API String ID: 176396367-1161093653
Opcode ID: 605a1aa2824888cfc11107a862e9890e62f9cd835430cabace3d8e4f548c2a57
Instruction ID: bedc71f2379769c7d5acb46b9ff1f6749f869e1fc8798f31b8e4a07b05508112
Opcode Fuzzy Hash: 605a1aa2824888cfc11107a862e9890e62f9cd835430cabace3d8e4f548c2a57
Instruction Fuzzy Hash: 39E1F532A20516ABCB18DF68C4516EDFBF6BF34710F54812AE456E7240DB70AEE5C790

Function 001D00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 001D00C6

Part of subcall function 001D00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0028070C,00000FA0,082FC4E1,?,?,?,?,001F23B3,000000FF), ref: 001D011C
Part of subcall function 001D00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,001F23B3,000000FF), ref: 001D0127
Part of subcall function 001D00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,001F23B3,000000FF), ref: 001D0138
Part of subcall function 001D00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 001D014E
Part of subcall function 001D00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 001D015C
Part of subcall function 001D00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 001D016A
Part of subcall function 001D00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 001D0195
Part of subcall function 001D00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 001D01A0

___scrt_fastfail.LIBCMT ref: 001D00E7

Part of subcall function 001D00A3: __onexit.LIBCMT ref: 001D00A9

Strings

SleepConditionVariableCS, xrefs: 001D0154
WakeAllConditionVariable, xrefs: 001D0162
InitializeConditionVariable, xrefs: 001D0148
api-ms-win-core-synch-l1-2-0.dll, xrefs: 001D0122
kernel32.dll, xrefs: 001D0133

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 28d19ff3bf0581b2a7db9319fdc32e534db24ff48b0140a6689e018abe171379
Instruction ID: e16bc757f1e7f881b724917a1ebc8c83ba4b559205892fdde4de08e307b6ab1d
Opcode Fuzzy Hash: 28d19ff3bf0581b2a7db9319fdc32e534db24ff48b0140a6689e018abe171379
Instruction Fuzzy Hash: 52210836A46710ABE7566BA8BC4DF6A73D4EB5EB51F11013BF805E2391DB70DC008AA0

Function 002244C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0024CC08), ref: 00224527
_wcslen.LIBCMT ref: 0022453B
_wcslen.LIBCMT ref: 00224599
_wcslen.LIBCMT ref: 002245F4
_wcslen.LIBCMT ref: 0022463F
_wcslen.LIBCMT ref: 002246A7

Part of subcall function 001CF9F2: _wcslen.LIBCMT ref: 001CF9FD

GetDriveTypeW.KERNEL32(?,00276BF0,00000061), ref: 00224743

Strings

removable, xrefs: 002245EA, 002245EF
network, xrefs: 0022469D, 002246A2
fixed, xrefs: 00224635, 0022463A
all, xrefs: 00224531, 00224536
unknown, xrefs: 00224708
ramdisk, xrefs: 002246F1
cdrom, xrefs: 0022458F, 00224594

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 93e4cd8ef3913dbd60dbc7380e9701d6694e40fa36dbf400185445141b276b76
Instruction ID: 37ae94d9bbafb2168af25778fafcb330e53fca78d9c4d6c2e2b15e062e7e8716
Opcode Fuzzy Hash: 93e4cd8ef3913dbd60dbc7380e9701d6694e40fa36dbf400185445141b276b76
Instruction Fuzzy Hash: B7B13531628322AFC710EF68E890A7EB7E5BFA6724F50491DF496C7291D730D864CB52

Function 0024911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 001C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001C9BB2

DragQueryPoint.SHELL32(?,?), ref: 00249147

Part of subcall function 00247674: ClientToScreen.USER32(?,?), ref: 0024769A
Part of subcall function 00247674: GetWindowRect.USER32(?,?), ref: 00247710
Part of subcall function 00247674: PtInRect.USER32(?,?,00248B89), ref: 00247720

SendMessageW.USER32(?,000000B0,?,?), ref: 002491B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 002491BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 002491DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00249225
SendMessageW.USER32(?,000000B0,?,?), ref: 0024923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00249255
SendMessageW.USER32(?,000000B1,?,?), ref: 00249277
DragFinish.SHELL32(?), ref: 0024927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00249371

Strings

p#(, xrefs: 002492BB
@GUI_DROPID, xrefs: 0024929E
@GUI_DRAGID, xrefs: 002492E9
@GUI_DRAGFILE, xrefs: 00249320

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#(
API String ID: 221274066-1174176935
Opcode ID: f766f7371d3aa884714119bba6381c33fefe991f451cb7e9392bac650a725e1d
Instruction ID: e0d7282aa567043e954ef243a38fdd2a25194b486d3026c3009149cb718eee0d
Opcode Fuzzy Hash: f766f7371d3aa884714119bba6381c33fefe991f451cb7e9392bac650a725e1d
Instruction Fuzzy Hash: 65619871108301AFC305EF64DC89DAFBBE8EF99750F10092EF995921A0DB709A59CB92

Function 00233FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0024CC08), ref: 002340BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 002340CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0024CC08), ref: 002340F2
FreeLibrary.KERNEL32(00000000,?,0024CC08), ref: 0023413E
StringFromGUID2.OLE32(?,?,00000028,?,0024CC08), ref: 002341A8
SysFreeString.OLEAUT32(00000009), ref: 00234262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 002342C8
SysFreeString.OLEAUT32(?), ref: 002342F2

Strings

kernel32.dll, xrefs: 002340B6
GetModuleHandleExW, xrefs: 002340C7

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: a1af24f3f3cad688418e4bc87c57718bba5831eec460d5fafceb17eae79e9914
Instruction ID: ede847041989765a11573cfde95a5394e36b15f030eca8acc4cb69439fe248d7
Opcode Fuzzy Hash: a1af24f3f3cad688418e4bc87c57718bba5831eec460d5fafceb17eae79e9914
Instruction Fuzzy Hash: BD1239B5A10205EFDB14DF94C884EAEBBB9FF45314F248099E909AB251C731FD52CBA0

Function 001B326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00281990), ref: 001F2F8D
GetMenuItemCount.USER32(00281990), ref: 001F303D
GetCursorPos.USER32(?), ref: 001F3081
SetForegroundWindow.USER32(00000000), ref: 001F308A
TrackPopupMenuEx.USER32(00281990,00000000,?,00000000,00000000,00000000), ref: 001F309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 001F30A9

Strings

0, xrefs: 001B327D

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 2b4bddc3fd8107d7e5094322c2db529b85479f089fcbe61b1f2af02dc93ad141
Instruction ID: 73fd9e257beca4bc953a0bbf5c8e73ce1de4c711a34b9650e8a52f0eec7d834d
Opcode Fuzzy Hash: 2b4bddc3fd8107d7e5094322c2db529b85479f089fcbe61b1f2af02dc93ad141
Instruction Fuzzy Hash: 3671FC70641209BEEB258F68DC49FEABF64FF05364F204216F625AA1D1C7B1AD60DB90

Function 00246CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00246DEB

Part of subcall function 001B6B57: _wcslen.LIBCMT ref: 001B6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00246E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00246E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00246E94
DestroyWindow.USER32(?), ref: 00246EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,001B0000,00000000), ref: 00246EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00246EFD
GetDesktopWindow.USER32 ref: 00246F16
GetWindowRect.USER32(00000000), ref: 00246F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00246F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00246F4D

Part of subcall function 001C9944: GetWindowLongW.USER32(?,000000EB), ref: 001C9952

Strings

tooltips_class32, xrefs: 00246E58, 00246EDD
0, xrefs: 00246D98

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 491b547d539eea75553d6e7bd62aa562002aeb15ab1a08e92909f53a65ad3f88
Instruction ID: ca920b9645be6ad03f6fa36d106eafec4a8789de188294686053a8fb7a0ed36d
Opcode Fuzzy Hash: 491b547d539eea75553d6e7bd62aa562002aeb15ab1a08e92909f53a65ad3f88
Instruction Fuzzy Hash: 51716D74114341AFDB29CF18E848EA6BBE9FB8A304F14441DF99987261C771A91ACB12

Function 0022C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0022C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0022C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0022C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0022C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0022C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0022C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0022C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0022C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0022C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0022C5F0
InternetCloseHandle.WININET(00000000), ref: 0022C5FB

Strings

, xrefs: 0022C575

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 99be4097b0bfd9db16d417c7304207fd13788054a31b283d00a6d019be8f2e6c
Instruction ID: 7493dc16f6aa985d18119a75e45ed99f127bd3f1bd66a56e41d0a3e8260dbb98
Opcode Fuzzy Hash: 99be4097b0bfd9db16d417c7304207fd13788054a31b283d00a6d019be8f2e6c
Instruction Fuzzy Hash: CA518BB4110619BFDB219FA4ED88AAF7BFCFF09354F20441AF945A6210DB74E924DB60

Function 0024856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00248592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002485A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002485AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002485BA
GlobalLock.KERNEL32(00000000), ref: 002485C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002485D7
GlobalUnlock.KERNEL32(00000000), ref: 002485E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002485E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002485F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0024FC38,?), ref: 00248611
GlobalFree.KERNEL32(00000000), ref: 00248621
GetObjectW.GDI32(?,00000018,?), ref: 00248641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00248671
DeleteObject.GDI32(?), ref: 00248699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 002486AF

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 1659299be8fc7464ef15ba6605c1627f1798062a12b75b3c3b1a31a73d47d414
Instruction ID: b043049b0dc04346f42896d53f9e8cd942e8831ceba4e0ec676bdf7ea1d2993d
Opcode Fuzzy Hash: 1659299be8fc7464ef15ba6605c1627f1798062a12b75b3c3b1a31a73d47d414
Instruction Fuzzy Hash: 32412B75611205AFDB55DFA9DC4CEAE7BBCEF8AB11F114058F909E7260DB709901CB20

Function 002214BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00221502
VariantCopy.OLEAUT32(?,?), ref: 0022150B
VariantClear.OLEAUT32(?), ref: 00221517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 002215FB
VarR8FromDec.OLEAUT32(?,?), ref: 00221657
VariantInit.OLEAUT32(?), ref: 00221708
SysFreeString.OLEAUT32(?), ref: 0022178C
VariantClear.OLEAUT32(?), ref: 002217D8
VariantClear.OLEAUT32(?), ref: 002217E7
VariantInit.OLEAUT32(00000000), ref: 00221823

Strings

Default, xrefs: 002216AF
%4d%02d%02d%02d%02d%02d, xrefs: 00221625

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: b85aeeb87eca414f94c72160f8f0a422844fda64514d616f374e79f14f014f01
Instruction ID: 33d4c7d1c25eda0e86a973d0267ad0153fef9f4ff8d4fbfc5c73b894aab90bb6
Opcode Fuzzy Hash: b85aeeb87eca414f94c72160f8f0a422844fda64514d616f374e79f14f014f01
Instruction Fuzzy Hash: 34D1CF71A20225EBDB109FA5E885FB9B7B5BF65700F60809AF406AB180DB70DC71DB61

Function 0023B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

Part of subcall function 0023C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0023B6AE,?,?), ref: 0023C9B5
Part of subcall function 0023C998: _wcslen.LIBCMT ref: 0023C9F1
Part of subcall function 0023C998: _wcslen.LIBCMT ref: 0023CA68
Part of subcall function 0023C998: _wcslen.LIBCMT ref: 0023CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0023B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0023B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0023B80A
RegCloseKey.ADVAPI32(?), ref: 0023B87E
RegCloseKey.ADVAPI32(?), ref: 0023B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0023B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0023B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0023B922
FreeLibrary.KERNEL32(00000000), ref: 0023B983
RegCloseKey.ADVAPI32(00000000), ref: 0023B994

Strings

advapi32.dll, xrefs: 0023B8ED
RegDeleteKeyExW, xrefs: 0023B8FE

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 1021918b6220015177b5548e9f39b572e3eda75e25c0dc1ff72e35c6e0fa9f61
Instruction ID: 00b33d6b89ed187847007b9f62d0fdadced01b0a5fbb67d2357976750793b978
Opcode Fuzzy Hash: 1021918b6220015177b5548e9f39b572e3eda75e25c0dc1ff72e35c6e0fa9f61
Instruction Fuzzy Hash: 5FC18B75214202AFD711DF18C495F6ABBE5FF84308F24849CF69A8B2A2CB71EC45CB91

Function 0023255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 002325D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 002325E8
CreateCompatibleDC.GDI32(?), ref: 002325F4
SelectObject.GDI32(00000000,?), ref: 00232601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0023266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 002326AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 002326D0
SelectObject.GDI32(?,?), ref: 002326D8
DeleteObject.GDI32(?), ref: 002326E1
DeleteDC.GDI32(?), ref: 002326E8
ReleaseDC.USER32(00000000,?), ref: 002326F3

Strings

(, xrefs: 0023268D

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: a037bb29e959b4a6765282125f72b8344e216a7322a03b64ff22b500dc16f50e
Instruction ID: a7d46dd2f288788500101e04991f131855e1f88b03fd6a95453f2319c70eddf6
Opcode Fuzzy Hash: a037bb29e959b4a6765282125f72b8344e216a7322a03b64ff22b500dc16f50e
Instruction Fuzzy Hash: 5C61F3B5D11219EFCF04CFA8D885EAEBBB9FF48310F208529E959A7250D770A951CF50

Function 001EDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 001EDAA1

Part of subcall function 001ED63C: _free.LIBCMT ref: 001ED659
Part of subcall function 001ED63C: _free.LIBCMT ref: 001ED66B
Part of subcall function 001ED63C: _free.LIBCMT ref: 001ED67D
Part of subcall function 001ED63C: _free.LIBCMT ref: 001ED68F
Part of subcall function 001ED63C: _free.LIBCMT ref: 001ED6A1
Part of subcall function 001ED63C: _free.LIBCMT ref: 001ED6B3
Part of subcall function 001ED63C: _free.LIBCMT ref: 001ED6C5
Part of subcall function 001ED63C: _free.LIBCMT ref: 001ED6D7
Part of subcall function 001ED63C: _free.LIBCMT ref: 001ED6E9
Part of subcall function 001ED63C: _free.LIBCMT ref: 001ED6FB
Part of subcall function 001ED63C: _free.LIBCMT ref: 001ED70D
Part of subcall function 001ED63C: _free.LIBCMT ref: 001ED71F
Part of subcall function 001ED63C: _free.LIBCMT ref: 001ED731

_free.LIBCMT ref: 001EDA96

Part of subcall function 001E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001ED7D1,00000000,00000000,00000000,00000000,?,001ED7F8,00000000,00000007,00000000,?,001EDBF5,00000000), ref: 001E29DE
Part of subcall function 001E29C8: GetLastError.KERNEL32(00000000,?,001ED7D1,00000000,00000000,00000000,00000000,?,001ED7F8,00000000,00000007,00000000,?,001EDBF5,00000000,00000000), ref: 001E29F0

_free.LIBCMT ref: 001EDAB8
_free.LIBCMT ref: 001EDACD
_free.LIBCMT ref: 001EDAD8
_free.LIBCMT ref: 001EDAFA
_free.LIBCMT ref: 001EDB0D
_free.LIBCMT ref: 001EDB1B
_free.LIBCMT ref: 001EDB26
_free.LIBCMT ref: 001EDB5E
_free.LIBCMT ref: 001EDB65
_free.LIBCMT ref: 001EDB82
_free.LIBCMT ref: 001EDB9A

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 472f95c058f55951b27b7dbc2d5623eb1fdaaa81e03d3cec154e40830c120d6c
Instruction ID: 6226d0d098318982a14b1d1415d21a4421928ed2f58b0d42cdc3c93da7b6f376
Opcode Fuzzy Hash: 472f95c058f55951b27b7dbc2d5623eb1fdaaa81e03d3cec154e40830c120d6c
Instruction Fuzzy Hash: 23318D31604B889FEB25AA3AF846B5EB7E8FF61314F125429E458D7192EF35ED40C720

Function 0021365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0021369C
_wcslen.LIBCMT ref: 002136A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00213797
GetClassNameW.USER32(?,?,00000400), ref: 0021380C
GetDlgCtrlID.USER32(?), ref: 0021385D
GetWindowRect.USER32(?,?), ref: 00213882
GetParent.USER32(?), ref: 002138A0
ScreenToClient.USER32(00000000), ref: 002138A7
GetClassNameW.USER32(?,?,00000100), ref: 00213921
GetWindowTextW.USER32(?,?,00000400), ref: 0021395D

Strings

%s%u, xrefs: 00213734

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: b977841c9a8ccfcafd47798db661826edb64da5c4ae95fb42790d55549334f63
Instruction ID: 38579a3cc89ab395ca69347fe948bd402fba1046348a299942d1b62aae4ef309
Opcode Fuzzy Hash: b977841c9a8ccfcafd47798db661826edb64da5c4ae95fb42790d55549334f63
Instruction Fuzzy Hash: 7F91D071214607AFD718DF24C884BEAF7EAFF64310F108529F999D2190DB30AAA5CB91

Function 00214954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00214994
GetWindowTextW.USER32(?,?,00000400), ref: 002149DA
_wcslen.LIBCMT ref: 002149EB
CharUpperBuffW.USER32(?,00000000), ref: 002149F7
_wcsstr.LIBVCRUNTIME ref: 00214A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00214A64
GetWindowTextW.USER32(?,?,00000400), ref: 00214A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00214AE6
GetClassNameW.USER32(?,?,00000400), ref: 00214B20
GetWindowRect.USER32(?,?), ref: 00214B8B

Strings

ThumbnailClass, xrefs: 00214A6F, 00214AF1

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 499f4a9d32af5780d6d0c62d10a1772e83bf68556aa09a9fd98f8e985b801ebf
Instruction ID: d55962fa9efa30eda4bc72f725f6e693c087af852f152f18da3081170258ee8b
Opcode Fuzzy Hash: 499f4a9d32af5780d6d0c62d10a1772e83bf68556aa09a9fd98f8e985b801ebf
Instruction Fuzzy Hash: 9491E6714182069FDB04EF14C885FEA77E8FFA4314F04846AFD899A195DB30ED95CBA1

Function 00248D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001C9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00248D5A
GetFocus.USER32 ref: 00248D6A
GetDlgCtrlID.USER32(00000000), ref: 00248D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00248E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00248ECF
GetMenuItemCount.USER32(?), ref: 00248EEC
GetMenuItemID.USER32(?,00000000), ref: 00248EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00248F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00248F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00248FA1

Strings

0, xrefs: 00248E9F

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 5490db426b0a75d948ef6b4ca4b7d7262b77113fec91279b09303189e797c768
Instruction ID: a2b57567d4dcd73dcabab47598acf42912a1700b3e0c7c0d590f4b47107273df
Opcode Fuzzy Hash: 5490db426b0a75d948ef6b4ca4b7d7262b77113fec91279b09303189e797c768
Instruction Fuzzy Hash: 8681E2716243029FD718CF24D888AAF7BE9FF99714F10051DF98497291DB70D915CB62

Function 0021BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00281990,000000FF,00000000,00000030), ref: 0021BFAC
SetMenuItemInfoW.USER32(00281990,00000004,00000000,00000030), ref: 0021BFE1
Sleep.KERNEL32(000001F4), ref: 0021BFF3
GetMenuItemCount.USER32(?), ref: 0021C039
GetMenuItemID.USER32(?,00000000), ref: 0021C056
GetMenuItemID.USER32(?,-00000001), ref: 0021C082
GetMenuItemID.USER32(?,?), ref: 0021C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0021C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0021C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0021C145

Strings

0, xrefs: 0021BF3D

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 9c34ea7b327950a0bdeea4bec91fa5a80bc492d99cfe4e63d145cf4ccb37e262
Instruction ID: 94ed4479217ab19ac5adf61bc07d220fd8b0b152f9244b5703ebef7478f03123
Opcode Fuzzy Hash: 9c34ea7b327950a0bdeea4bec91fa5a80bc492d99cfe4e63d145cf4ccb37e262
Instruction Fuzzy Hash: 196193B895024AEFDF11CF68DC88AEE7BF8EB15344F204055F815A3291C771ADA5CB60

Function 0021DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0021DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0021DC46
_wcslen.LIBCMT ref: 0021DC50
_wcsstr.LIBVCRUNTIME ref: 0021DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0021DCBC

Strings

StringFileInfo\, xrefs: 0021DC8F
DefaultLangCodepage, xrefs: 0021DD1F
%u.%u.%u.%u, xrefs: 0021DD9A
04090000, xrefs: 0021DCF2
\VarFileInfo\Translation, xrefs: 0021DCB4

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: a9211d524311057202c28f2d2c5d766064fc780441df9532f944afbb0d968436
Instruction ID: a4383155533918a1d6665c0a92298a850bde1041470b356048e625e7357f590d
Opcode Fuzzy Hash: a9211d524311057202c28f2d2c5d766064fc780441df9532f944afbb0d968436
Instruction Fuzzy Hash: CE411572A50205BBDB04AB64AC47FFF77ACDF76710F10406AF900A6283EB75D92187A5

Function 0023CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0023CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0023CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0023CD48

Part of subcall function 0023CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0023CCAA
Part of subcall function 0023CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0023CCBD
Part of subcall function 0023CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0023CCCF
Part of subcall function 0023CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0023CD05
Part of subcall function 0023CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0023CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0023CCF3

Strings

advapi32.dll, xrefs: 0023CCB8
RegDeleteKeyExW, xrefs: 0023CCC9

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 33dfd53b0f9f20fcb2fc340df5d9b6c30200ccb970d5b046a10299411caf4655
Instruction ID: 65dce5a3101846f573bd250dd2fd63110a448a4e3d3bce01931e5d1fd2c93db6
Opcode Fuzzy Hash: 33dfd53b0f9f20fcb2fc340df5d9b6c30200ccb970d5b046a10299411caf4655
Instruction Fuzzy Hash: 163180B5A12129BBD7218F54DC8CEFFBB7CEF06750F200565B909E2240DA749A45DBA0

Function 00223D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00223D40
_wcslen.LIBCMT ref: 00223D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00223D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00223DBE
RemoveDirectoryW.KERNEL32(?), ref: 00223DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00223E55
CloseHandle.KERNEL32(00000000), ref: 00223E60
CloseHandle.KERNEL32(00000000), ref: 00223E6B

Strings

:, xrefs: 00223D82
\, xrefs: 00223D77
\??\%s, xrefs: 00223D5B

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 6357109bb0ded9e46af23d4fbfb1ae3cbb58556b4d0d833ac3260290665eaac1
Instruction ID: 7e908bb8b8546c042ee9ba8c5e55d0c1f356d459e84fe9e00ee27c2c473a2a36
Opcode Fuzzy Hash: 6357109bb0ded9e46af23d4fbfb1ae3cbb58556b4d0d833ac3260290665eaac1
Instruction Fuzzy Hash: 8031A376A1011ABBDB20DFA4EC49FEB37BCEF89700F1041A5F509D6150E77497548B24

Function 0021E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0021E6B4

Part of subcall function 001CE551: timeGetTime.WINMM(?,?,0021E6D4), ref: 001CE555

Sleep.KERNEL32(0000000A), ref: 0021E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0021E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0021E727
SetActiveWindow.USER32 ref: 0021E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0021E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0021E773
Sleep.KERNEL32(000000FA), ref: 0021E77E
IsWindow.USER32 ref: 0021E78A
EndDialog.USER32(00000000), ref: 0021E79B

Strings

BUTTON, xrefs: 0021E719

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 3703bdfe342d855166d4a78aff78a403ba1d3db4de63bcc4d09b1365a6755b28
Instruction ID: c4d0492fa75bc82b517ab2e046fa09a7e75b892ac5e3e138c9294d627f24f854
Opcode Fuzzy Hash: 3703bdfe342d855166d4a78aff78a403ba1d3db4de63bcc4d09b1365a6755b28
Instruction Fuzzy Hash: B121D4B8212251EFFF005F24FC8DE667BEDF7A6349B254424FC05811A1EB719C648B10

Function 0021E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0021EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0021EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0021EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0021EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0021EAA7

Strings

play PlayMe wait, xrefs: 0021EA91
open , xrefs: 0021EA0C
close PlayMe, xrefs: 0021EA6E, 0021EA9B
alias PlayMe, xrefs: 0021EA36
status PlayMe mode, xrefs: 0021EA58
play PlayMe, xrefs: 0021EAA2

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: c8d7a16d04e64da5af5bc0091587a5b84b6764623025f7e270e62a41067429d0
Instruction ID: 631b575a2fac57cda5917ce7e49edd5b58daecb68e4aedc4eaf31793fcb71afc
Opcode Fuzzy Hash: c8d7a16d04e64da5af5bc0091587a5b84b6764623025f7e270e62a41067429d0
Instruction Fuzzy Hash: B6117731A6025979D710A761DC4EDFF6EBCEFE2F00F444425B915A20D1DF700955C5B0

Function 00219F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0021A012
SetKeyboardState.USER32(?), ref: 0021A07D
GetAsyncKeyState.USER32(000000A0), ref: 0021A09D
GetKeyState.USER32(000000A0), ref: 0021A0B4
GetAsyncKeyState.USER32(000000A1), ref: 0021A0E3
GetKeyState.USER32(000000A1), ref: 0021A0F4
GetAsyncKeyState.USER32(00000011), ref: 0021A120
GetKeyState.USER32(00000011), ref: 0021A12E
GetAsyncKeyState.USER32(00000012), ref: 0021A157
GetKeyState.USER32(00000012), ref: 0021A165
GetAsyncKeyState.USER32(0000005B), ref: 0021A18E
GetKeyState.USER32(0000005B), ref: 0021A19C

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: b0f05e8b441e1a1bac08fe997adb03d969e6ae527becd1df3627eb4ba96e241a
Instruction ID: 2085e39e0a9382ae4fd486d7985d0d20415cca8c8e45dd527578269cbcd11dfe
Opcode Fuzzy Hash: b0f05e8b441e1a1bac08fe997adb03d969e6ae527becd1df3627eb4ba96e241a
Instruction Fuzzy Hash: CE511A2091538939FB31EF7088107EAAFF49F22380F088599D5C6575C2DA649ADCCB62

Function 00215CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00215CE2
GetWindowRect.USER32(00000000,?), ref: 00215CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00215D59
GetDlgItem.USER32(?,00000002), ref: 00215D69
GetWindowRect.USER32(00000000,?), ref: 00215D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00215DCF
GetDlgItem.USER32(?,000003E9), ref: 00215DDD
GetWindowRect.USER32(00000000,?), ref: 00215DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00215E31
GetDlgItem.USER32(?,000003EA), ref: 00215E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00215E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00215E67

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: d2975d5b33af116177e693d82738ec977d226f35c83a6df01880e3627213db93
Instruction ID: 2c20c6b3ea160d03886374d2e626c81285dbfe1e255b7cdc9ad5696c20d4bb5e
Opcode Fuzzy Hash: d2975d5b33af116177e693d82738ec977d226f35c83a6df01880e3627213db93
Instruction Fuzzy Hash: 58514E74B10615AFDF18CF68DD89AAEBBF9FB98300F208128F905E6290D7709E50CB50

Function 001C8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 001C8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,001C8BE8,?,00000000,?,?,?,?,001C8BBA,00000000,?), ref: 001C8FC5

DestroyWindow.USER32(?), ref: 001C8C81
KillTimer.USER32(00000000,?,?,?,?,001C8BBA,00000000,?), ref: 001C8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00206973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,001C8BBA,00000000,?), ref: 002069A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,001C8BBA,00000000,?), ref: 002069B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,001C8BBA,00000000), ref: 002069D4
DeleteObject.GDI32(00000000), ref: 002069E6

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 9ac24c4aca136cefb8c6d1b54d314fecd3d6cb390b4b1c1f0fc39f1e40d63c19
Instruction ID: ef17be26b1df8e0a766dddff4a015aba2b9e8d0bae6c34a4adcdc7d21226dadf
Opcode Fuzzy Hash: 9ac24c4aca136cefb8c6d1b54d314fecd3d6cb390b4b1c1f0fc39f1e40d63c19
Instruction Fuzzy Hash: 5B61B934112701DFDB259F18E98CB6AB7B1FB61312F24441CE0429B9A0CB35ECA1DFA8

Function 001C9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 001C9944: GetWindowLongW.USER32(?,000000EB), ref: 001C9952

GetSysColor.USER32(0000000F), ref: 001C9862

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: a6dd89755ea0146d73212460bbcf526f77a36cec3922419f9b12021321947b90
Instruction ID: adce8a2564826bdb0137e0d76bb4255f16374120ab9b5ed4e340e7d16b4f33b0
Opcode Fuzzy Hash: a6dd89755ea0146d73212460bbcf526f77a36cec3922419f9b12021321947b90
Instruction Fuzzy Hash: 07419E35505644AFDB205F38AC8CFB93BA5AB27330F244659F9A68B2E2C731DD42DB10

Function 002196E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,001FF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00219717
LoadStringW.USER32(00000000,?,001FF7F8,00000001), ref: 00219720

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,001FF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00219742
LoadStringW.USER32(00000000,?,001FF7F8,00000001), ref: 00219745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00219866

Strings

Line %d (File "%s"):, xrefs: 0021978F
Error: , xrefs: 0021981D
Line %d:, xrefs: 002197A0
%s (%d) : ==> %s: %s %s, xrefs: 0021984A
^ ERROR, xrefs: 002197FB

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: be3827e604d58f1c5e1d37d57891ecee29c47267efd0a6bbdf6b62cb9f029068
Instruction ID: 54a24c927cc19622da41b2337615a56603653c4a86a9a489c799ff4e1c25e7f1
Opcode Fuzzy Hash: be3827e604d58f1c5e1d37d57891ecee29c47267efd0a6bbdf6b62cb9f029068
Instruction Fuzzy Hash: 22414172800219ABCF14EBE4DD96DEEB7B8AF65340F600065F60572092EB356F99CF61

Function 002106DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 001B6B57: _wcslen.LIBCMT ref: 001B6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 002107A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 002107BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 002107DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00210804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0021082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00210837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0021083C

Strings

SOFTWARE\Classes\, xrefs: 0021070E
\CLSID, xrefs: 00210724
\IPC$, xrefs: 00210784

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: c10ca84b372e2e051e82e213f266640f46f3367828c975ea1dadc688f8c6d453
Instruction ID: 50cf0ef6218cf9e30ae553eeecf21418d05a3bec939d1e21c573ee41ddf98941
Opcode Fuzzy Hash: c10ca84b372e2e051e82e213f266640f46f3367828c975ea1dadc688f8c6d453
Instruction Fuzzy Hash: 65413876C10229ABDF11EFA4DC85CEEB7B8BF24340B544129E901A71A0EB709E54CB90

Function 00243F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0024403B
CreateCompatibleDC.GDI32(00000000), ref: 00244042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00244055
SelectObject.GDI32(00000000,00000000), ref: 0024405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00244068
DeleteDC.GDI32(00000000), ref: 00244072
GetWindowLongW.USER32(?,000000EC), ref: 0024407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00244092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 0024409E

Strings

static, xrefs: 00243FD3

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 0caabc57e319e22d193c95e2a13ab285ab2745c0080e0fe348b01eb1087c86a5
Instruction ID: af61cbb68fdde66ab07eae66d79018cad214de6d308ffd13cc19ee16c260a8bb
Opcode Fuzzy Hash: 0caabc57e319e22d193c95e2a13ab285ab2745c0080e0fe348b01eb1087c86a5
Instruction Fuzzy Hash: 83316F36512215ABDF25AFA8DC09FDA3B68FF1E724F110211FA19E61A0C775D820DB54

Function 00233C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00233C5C
CoInitialize.OLE32(00000000), ref: 00233C8A
CoUninitialize.OLE32 ref: 00233C94
_wcslen.LIBCMT ref: 00233D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00233DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00233ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00233F0E
CoGetObject.OLE32(?,00000000,0024FB98,?), ref: 00233F2D
SetErrorMode.KERNEL32(00000000), ref: 00233F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00233FC4
VariantClear.OLEAUT32(?), ref: 00233FD8

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 68c8a46cd9600ccd1d3bb811b45e89f97b6a99c5b386a729646f59971f061336
Instruction ID: 1ddfb7c801ae78a155f84695929ee35e17b351769c74e92898e0b9d2306a0768
Opcode Fuzzy Hash: 68c8a46cd9600ccd1d3bb811b45e89f97b6a99c5b386a729646f59971f061336
Instruction Fuzzy Hash: 24C166B16183059FD700DF68C88496BBBE9FF89748F10491DF98A9B220D770EE15CB52

Function 00227A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00227AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00227B8F
SHGetDesktopFolder.SHELL32(?), ref: 00227BA3
CoCreateInstance.OLE32(0024FD08,00000000,00000001,00276E6C,?), ref: 00227BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00227C74
CoTaskMemFree.OLE32(?,?), ref: 00227CCC
SHBrowseForFolderW.SHELL32(?), ref: 00227D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00227D7A
CoTaskMemFree.OLE32(00000000), ref: 00227D81
CoTaskMemFree.OLE32(00000000), ref: 00227DD6
CoUninitialize.OLE32 ref: 00227DDC

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 454b6f9a9c74000564a377117ef1bec28b94593c7c3b273ab84dc5f2993de5dc
Instruction ID: cd001a73c38ea2e1797249d16a38ebc827d21094ce167b8652bfd952f4626254
Opcode Fuzzy Hash: 454b6f9a9c74000564a377117ef1bec28b94593c7c3b273ab84dc5f2993de5dc
Instruction Fuzzy Hash: A9C11B75A14119AFCB14DFA4D888DAEBBF9FF48304B148499F81A9B261D730ED41CB90

Function 0024541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00245504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00245515
CharNextW.USER32(00000158), ref: 00245544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00245585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0024559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002455AC

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 0f95e3d83770feb5053db2f9d4ca95b9a909677db340efb5e5dc3f3111c7fbd3
Instruction ID: 6c4218c37c53487ecdd2259cb9912860c38e8aae803e205218ea8abb2e5ff842
Opcode Fuzzy Hash: 0f95e3d83770feb5053db2f9d4ca95b9a909677db340efb5e5dc3f3111c7fbd3
Instruction Fuzzy Hash: F161C334925629EFDF188F54CC849FE7B79FF06320F108145F9A5AB292D7748AA0DB60

Function 0020FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0020FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0020FB08
VariantInit.OLEAUT32(?), ref: 0020FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0020FB3A
VariantCopy.OLEAUT32(?,?), ref: 0020FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0020FBA1
VariantClear.OLEAUT32(?), ref: 0020FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0020FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0020FBCC
VariantClear.OLEAUT32(?), ref: 0020FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0020FBE9

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: a5d9b8c03863fbd4243f8919359c783288f565899c6836beda65ad28c1f71176
Instruction ID: ad3150d60a9b3957c5b598f33dd8ad57e55c5a23e1110fe32b471436d110531d
Opcode Fuzzy Hash: a5d9b8c03863fbd4243f8919359c783288f565899c6836beda65ad28c1f71176
Instruction Fuzzy Hash: CA418F34A10219DFCB50DFA8D9589AEBBB9EF08344F108069E905A7262DB30E945CFA0

Function 00219C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00219CA1
GetAsyncKeyState.USER32(000000A0), ref: 00219D22
GetKeyState.USER32(000000A0), ref: 00219D3D
GetAsyncKeyState.USER32(000000A1), ref: 00219D57
GetKeyState.USER32(000000A1), ref: 00219D6C
GetAsyncKeyState.USER32(00000011), ref: 00219D84
GetKeyState.USER32(00000011), ref: 00219D96
GetAsyncKeyState.USER32(00000012), ref: 00219DAE
GetKeyState.USER32(00000012), ref: 00219DC0
GetAsyncKeyState.USER32(0000005B), ref: 00219DD8
GetKeyState.USER32(0000005B), ref: 00219DEA

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: ab7ef7fc3893c492ee78a0c32f8ee01a9bac2f37495dec1002e4b04ec5c98707
Instruction ID: 5d93aa0374ed999909f105a1460034625b23b274c3413fc7236f3049a05f97ad
Opcode Fuzzy Hash: ab7ef7fc3893c492ee78a0c32f8ee01a9bac2f37495dec1002e4b04ec5c98707
Instruction Fuzzy Hash: B34108346147CB69FF309F64D4243F5BEE0AB36304F48805ADAC6561C2D7A599E4C7A2

Function 0023055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 002305BC
inet_addr.WSOCK32(?), ref: 0023061C
gethostbyname.WSOCK32(?), ref: 00230628
IcmpCreateFile.IPHLPAPI ref: 00230636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 002306C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 002306E5
IcmpCloseHandle.IPHLPAPI(?), ref: 002307B9
WSACleanup.WSOCK32 ref: 002307BF

Strings

Ping, xrefs: 00230676

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 83c9060e0331d9b3dee82e860f9d96a94cdd6102d3e1f4775896cd50a9ee0a3d
Instruction ID: 950d2d4d89f9f151f47e2a4cbdf0ae918df4518ff86bf8680329cca60bc01013
Opcode Fuzzy Hash: 83c9060e0331d9b3dee82e860f9d96a94cdd6102d3e1f4775896cd50a9ee0a3d
Instruction Fuzzy Hash: E2919EB56142029FD320DF19D4D9F1ABBE4BF44318F1485A9F46A8B6A2C770EC51CFA1

Function 00238CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00238CF3

Part of subcall function 00218E54: _wcslen.LIBCMT ref: 00218E77

_wcslen.LIBCMT ref: 00238D4E
_wcslen.LIBCMT ref: 00238D9C
_wcslen.LIBCMT ref: 00238DDC
_wcslen.LIBCMT ref: 00238E6E

Strings

cdecl, xrefs: 00238D48, 00238D4D
winapi, xrefs: 00238D96, 00238D9B
none, xrefs: 00238E65, 00238E6A
stdcall, xrefs: 00238DD6, 00238DDB

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 6cb1446c763548405844c630c22ef50e27f84c52e9255eef6b5328048024fead
Instruction ID: f746c47d505dd879763a3f00f966177ffb5a0105262499a26b38a2bb15c34cc8
Opcode Fuzzy Hash: 6cb1446c763548405844c630c22ef50e27f84c52e9255eef6b5328048024fead
Instruction Fuzzy Hash: CD51A2B1A2021B9BCF14DF68C9508BEB7A5BF65724F204229F426EB284EB34DD51C790

Function 0023372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00233774
CoUninitialize.OLE32 ref: 0023377F
CoCreateInstance.OLE32(?,00000000,00000017,0024FB78,?), ref: 002337D9
IIDFromString.OLE32(?,?), ref: 0023384C
VariantInit.OLEAUT32(?), ref: 002338E4
VariantClear.OLEAUT32(?), ref: 00233936

Strings

Failed to create object, xrefs: 002337E4, 0023389A
Invalid parameter, xrefs: 00233865
NULL Pointer assignment, xrefs: 0023381E

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 3bd4bcf4b1e24bfe46d7e3539505e70617739105077da33a7467bdaaf1a766e2
Instruction ID: 9a9cf1c08fc9ad87e568bc6c51afe23ae844b4eb683c8a264875e6575a3f655b
Opcode Fuzzy Hash: 3bd4bcf4b1e24bfe46d7e3539505e70617739105077da33a7467bdaaf1a766e2
Instruction Fuzzy Hash: C261AEB0628301AFD311DF54D889FAABBE8EF59710F104919F9859B291C770EF58CB92

Function 00248B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001C9BB2

Part of subcall function 001C912D: GetCursorPos.USER32(?), ref: 001C9141
Part of subcall function 001C912D: ScreenToClient.USER32(00000000,?), ref: 001C915E
Part of subcall function 001C912D: GetAsyncKeyState.USER32(00000001), ref: 001C9183
Part of subcall function 001C912D: GetAsyncKeyState.USER32(00000002), ref: 001C919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00248B6B
ImageList_EndDrag.COMCTL32 ref: 00248B71
ReleaseCapture.USER32 ref: 00248B77
SetWindowTextW.USER32(?,00000000), ref: 00248C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00248C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00248CFF

Strings

@GUI_DROPID, xrefs: 00248C51
p#(, xrefs: 00248C71
@GUI_DRAGFILE, xrefs: 00248C9A

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#(
API String ID: 1924731296-1228047575
Opcode ID: dcd0f8a8258a16f431ea726bf39c2424844eea832ec1698a14cf2fccf2b56176
Instruction ID: de124a8bb21c9258cfb6f69151ffc5a56301414093c5709ebbdda6ac72a6dc2e
Opcode Fuzzy Hash: dcd0f8a8258a16f431ea726bf39c2424844eea832ec1698a14cf2fccf2b56176
Instruction Fuzzy Hash: 4751AA75115204AFD708EF24DC9AFAE77E8FB88714F40062DF956A72E1CB709924CB62

Function 00223388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 002233CF

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 002233F0

Strings

Line %d (File "%s"):, xrefs: 00223443, 0022345C
Incorrect parameters to object property !, xrefs: 002234AB
^ ERROR , xrefs: 0022349E
Error: , xrefs: 002234D1
"%s" (%d) : ==> %s:, xrefs: 00223522
"%s" (%d) : ==> %s:%s%s, xrefs: 00223504

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: ca076bf9c1af6f6f5787ca0b6ace62422a7e95adec2e5a3e10b8df2fdff88e08
Instruction ID: a23f06245e3bf6d3d8f45af465128491ffc760d8dbb05f2ec978758670b14de2
Opcode Fuzzy Hash: ca076bf9c1af6f6f5787ca0b6ace62422a7e95adec2e5a3e10b8df2fdff88e08
Instruction Fuzzy Hash: AE51B331900219BADF14EBE0DD56EEEB7B8AF24300F604065F109720A2DB356FA9DF60

Function 0021B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0021B5FC
_wcslen.LIBCMT ref: 0021B608
_wcslen.LIBCMT ref: 0021B64D
_wcslen.LIBCMT ref: 0021B68C
_wcslen.LIBCMT ref: 0021B6C7

Strings

REMOVE, xrefs: 0021B602, 0021B607
KEYS, xrefs: 0021B647, 0021B64C
EXISTS, xrefs: 0021B686, 0021B68B
APPEND, xrefs: 0021B6C1, 0021B6C6

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: e9400164f97145f40178750d852ce00af2bfe329a1b1b074fe4bf81d12d5c42b
Instruction ID: 0da9b7f8772edc1057f8c263f6203162c393d96e2374f822cb46c4c233c66730
Opcode Fuzzy Hash: e9400164f97145f40178750d852ce00af2bfe329a1b1b074fe4bf81d12d5c42b
Instruction Fuzzy Hash: F541D432A201679BCB216F7D88A05FEB7F9ABB0794B244129E425DB284E731CDD1C790

Function 0021BC5E Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0021BCFD
IsMenu.USER32(00000000), ref: 0021BD1D
CreatePopupMenu.USER32 ref: 0021BD53
GetMenuItemCount.USER32(`L), ref: 0021BDA4
InsertMenuItemW.USER32(`L,?,00000001,00000030), ref: 0021BDCC

Strings

`L, xrefs: 0021BD2B, 0021BDA3
2, xrefs: 0021BD37
`L, xrefs: 0021BCE3, 0021BCBC, 0021BDCA
0, xrefs: 0021BCA8

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2$`L$`L
API String ID: 93392585-1828259170
Opcode ID: 60b17d8eea2dab51244508b13612807961ee3611eb6bc55ccc25b439fefb4f95
Instruction ID: be9c64af493d05ef6560b951d34ad79be8ff2117aee1805cf96f5f206ec4b74a
Opcode Fuzzy Hash: 60b17d8eea2dab51244508b13612807961ee3611eb6bc55ccc25b439fefb4f95
Instruction Fuzzy Hash: EB51C47061020ADBDF1ACFA8E8C8BEDBBF4BF65314F244169E411E7290D7709991CB51

Function 00225393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002253A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00225416
GetLastError.KERNEL32 ref: 00225420
SetErrorMode.KERNEL32(00000000,READY), ref: 002254A7

Strings

UNKNOWN, xrefs: 00225444
INVALID, xrefs: 00225459
NOTREADY, xrefs: 0022544B
READONLY, xrefs: 00225452
READY, xrefs: 00225460, 00225468

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 1fb0fe55dc715964f9ba1825eaf8aa88d88840932fd98d3aceec1027d73fd1f9
Instruction ID: fa16c987fe6ba9d0a078796190268afcadf10dab2c1069145621d60cc4c8cf69
Opcode Fuzzy Hash: 1fb0fe55dc715964f9ba1825eaf8aa88d88840932fd98d3aceec1027d73fd1f9
Instruction Fuzzy Hash: B7310535A10525AFC710EFA8E488AE9BBF4FF15305F14C056E505CB292D770DD92CB90

Function 00243C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00243C79
SetMenu.USER32(?,00000000), ref: 00243C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00243D10
IsMenu.USER32(?), ref: 00243D24
CreatePopupMenu.USER32 ref: 00243D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00243D5B
DrawMenuBar.USER32 ref: 00243D63

Strings

0, xrefs: 00243C54
F, xrefs: 00243D4E

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 51989aeceb97df82235fc567191f519821ebe651df95218eb3ef0dba5e565c45
Instruction ID: ba0b167bfed50184ae3caf1ffc377cdbc6af0f3444983347927d3efbdd309e7a
Opcode Fuzzy Hash: 51989aeceb97df82235fc567191f519821ebe651df95218eb3ef0dba5e565c45
Instruction Fuzzy Hash: 91417F79A12606EFDB18CF54E848ADE77B5FF49350F140029F956A7360D770AA20CF50

Function 00211EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

Part of subcall function 00213CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00213CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00211F64
GetDlgCtrlID.USER32 ref: 00211F6F
GetParent.USER32 ref: 00211F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00211F8E
GetDlgCtrlID.USER32(?), ref: 00211F97
GetParent.USER32(?), ref: 00211FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00211FAE

Strings

ListBox, xrefs: 00211F21
ComboBox, xrefs: 00211EEC

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 35239729798164f2e5031dd325c0b3110b08d7994de7613fd8b691a109b06d68
Instruction ID: e039d503c5363f87ca32ab865bfeaa707d435844f07626d7b37dc3c60d7c7849
Opcode Fuzzy Hash: 35239729798164f2e5031dd325c0b3110b08d7994de7613fd8b691a109b06d68
Instruction Fuzzy Hash: F1210474910218BFCF08AFA4DC84DFEBBB8EF26300F104105FA65A7291DB744969DB60

Function 00211FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

Part of subcall function 00213CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00213CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00212043
GetDlgCtrlID.USER32 ref: 0021204E
GetParent.USER32 ref: 0021206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0021206D
GetDlgCtrlID.USER32(?), ref: 00212076
GetParent.USER32(?), ref: 0021208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0021208D

Strings

ListBox, xrefs: 00212002
ComboBox, xrefs: 00211FCD

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 0cdcec20101e57ff2d69968f8d1f7d971f83d0362bebc952256654fe1c92a175
Instruction ID: 68d66ef02de83f7a417b699aeef844a5aa6083b91db7467004f9826cbf0c8289
Opcode Fuzzy Hash: 0cdcec20101e57ff2d69968f8d1f7d971f83d0362bebc952256654fe1c92a175
Instruction Fuzzy Hash: 81212675910218BBCF08AFA4DC89EFEBFB8EF29300F104005F955A71A1DB754969DB60

Function 00243A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00243A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00243AA0
GetWindowLongW.USER32(?,000000F0), ref: 00243AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00243AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00243B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00243BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00243BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00243BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00243BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00243C13

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 411f8e6ad46436f6d04f4bc2841a89c475908ad4b5b7cb32e80da4039e7befc1
Instruction ID: 158b2aefe43ce33b395076d9029ea1edc27416f39ea428bf9bf3c563a381eb1c
Opcode Fuzzy Hash: 411f8e6ad46436f6d04f4bc2841a89c475908ad4b5b7cb32e80da4039e7befc1
Instruction Fuzzy Hash: 90618A75A00208AFDB15DFA8CC85EEE77B8EB09704F10419AFA15E72A1C770AE56DF50

Function 001E2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001E2C94

Part of subcall function 001E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001ED7D1,00000000,00000000,00000000,00000000,?,001ED7F8,00000000,00000007,00000000,?,001EDBF5,00000000), ref: 001E29DE
Part of subcall function 001E29C8: GetLastError.KERNEL32(00000000,?,001ED7D1,00000000,00000000,00000000,00000000,?,001ED7F8,00000000,00000007,00000000,?,001EDBF5,00000000,00000000), ref: 001E29F0

_free.LIBCMT ref: 001E2CA0
_free.LIBCMT ref: 001E2CAB
_free.LIBCMT ref: 001E2CB6
_free.LIBCMT ref: 001E2CC1
_free.LIBCMT ref: 001E2CCC
_free.LIBCMT ref: 001E2CD7
_free.LIBCMT ref: 001E2CE2
_free.LIBCMT ref: 001E2CED
_free.LIBCMT ref: 001E2CFB

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8f7cbdee1a29131d94a80cf33fe8605e7e36b085a416dff14cfe8f3b6f70aa30
Instruction ID: 0b237517cfd4717270112ac57baedc0e3d240a8b56f5b724c15c804df5d94113
Opcode Fuzzy Hash: 8f7cbdee1a29131d94a80cf33fe8605e7e36b085a416dff14cfe8f3b6f70aa30
Instruction Fuzzy Hash: 9A11043610045CAFCB06EF56D892CDC3BA9FF15344F4250A0FA489F222DB35EE509B90

Function 00227DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00227FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00227FC1
GetFileAttributesW.KERNEL32(?), ref: 00227FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00228005
SetCurrentDirectoryW.KERNEL32(?), ref: 00228017
SetCurrentDirectoryW.KERNEL32(?), ref: 00228060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 002280B0

Strings

*.*, xrefs: 00228066

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 076cfa81708648fd7d9f0f3d540dc1fca48d65313de9c88a4b14d3785e5a2ea1
Instruction ID: 4b43438d4c2f0c435422ae3650696bea4f1e3be0633c700eda9c4743c46c3c30
Opcode Fuzzy Hash: 076cfa81708648fd7d9f0f3d540dc1fca48d65313de9c88a4b14d3785e5a2ea1
Instruction Fuzzy Hash: 8481C17152C212ABCB20EF94D8449AEB3E8BF99310F154C6EF885C7250EB74DD55CBA2

Function 001B5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 001B5C7A

Part of subcall function 001B5D0A: GetClientRect.USER32(?,?), ref: 001B5D30
Part of subcall function 001B5D0A: GetWindowRect.USER32(?,?), ref: 001B5D71
Part of subcall function 001B5D0A: ScreenToClient.USER32(?,?), ref: 001B5D99

GetDC.USER32 ref: 001F46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 001F4708
SelectObject.GDI32(00000000,00000000), ref: 001F4716
SelectObject.GDI32(00000000,00000000), ref: 001F472B
ReleaseDC.USER32(?,00000000), ref: 001F4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 001F47C4

Strings

U, xrefs: 001F4693

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 2bf2753343da393f51c2340d4a69bfc9dc1d74ad213fd2b03b889e7328f66409
Instruction ID: a9151392470a5ab0273beeccc94c520d83bd9ddd335f31b64d256bcbe5446197
Opcode Fuzzy Hash: 2bf2753343da393f51c2340d4a69bfc9dc1d74ad213fd2b03b889e7328f66409
Instruction Fuzzy Hash: 2071F134400209DFCF25DF64C984AFB7BBAFF4A360F284269EE559A2A6C3318841DF50

Function 0022359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 002235E4

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

LoadStringW.USER32(00282390,?,00000FFF,?), ref: 0022360A

Strings

Line %d (File "%s"):, xrefs: 0022366B
Error: , xrefs: 002236EF
"%s" (%d) : ==> %s:, xrefs: 00223742
^ ERROR, xrefs: 002236C9
"%s" (%d) : ==> %s:%s%s, xrefs: 00223724

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: c950b8d737b197eddc66580419c71fd42bf2c3bade2ab20d9a6997849cb504ea
Instruction ID: 724a1a38a22bc7e7eca98f7ffe14f5cd37bb2485d8f9d8fce6bb561f63de517b
Opcode Fuzzy Hash: c950b8d737b197eddc66580419c71fd42bf2c3bade2ab20d9a6997849cb504ea
Instruction Fuzzy Hash: 5651817181021ABBCF14EBE0DC96EEEBB78AF24300F144165F105721A1DB355BA9DF60

Function 0022C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0022C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0022C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0022C2CA
GetLastError.KERNEL32 ref: 0022C322
SetEvent.KERNEL32(?), ref: 0022C336
InternetCloseHandle.WININET(00000000), ref: 0022C341

Strings

, xrefs: 0022C2BB

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 74e92d7042cc3be609bb2ca9771838d1dbc8120cd77da6a3460ca8d18accc1b1
Instruction ID: 9ed28aa6512852039613462d4c04f8608024dfccc738d4038b95d0280da6b2d5
Opcode Fuzzy Hash: 74e92d7042cc3be609bb2ca9771838d1dbc8120cd77da6a3460ca8d18accc1b1
Instruction Fuzzy Hash: 85319FB1510614BFD721DFA8AC88AAF7BFCEB49744B20891EF44697210DB70DD548B60

Function 0021989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,001F3AAF,?,?,Bad directive syntax error,0024CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 002198BC
LoadStringW.USER32(00000000,?,001F3AAF,?), ref: 002198C3

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00219987

Strings

Line %d (File "%s"):, xrefs: 0021992D
Error: , xrefs: 00219955
., xrefs: 0021996D
%s (%d) : ==> %s.: %s %s, xrefs: 002198F1
Line %d:, xrefs: 00219912

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 39415987737994fdd0b3e9a50b9fec106113cb3f32a4d0daf8abbefd94563701
Instruction ID: 56a04940102a2afc93b18488505f8d456e9172b8ea1fe5de1b9f85c27f136d01
Opcode Fuzzy Hash: 39415987737994fdd0b3e9a50b9fec106113cb3f32a4d0daf8abbefd94563701
Instruction Fuzzy Hash: BF219131C1021EBBCF15AF90CC1AEEE7B79FF29700F044459F519660A2EB719AA8DB10

Function 0021209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 002120AB
GetClassNameW.USER32(00000000,?,00000100), ref: 002120C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0021214D

Strings

largeicons, xrefs: 002120E1
list, xrefs: 0021212F
SHELLDLL_DefView, xrefs: 002120CC
details, xrefs: 002120FB
smallicons, xrefs: 00212115

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 317405fb5ba53032a730e98cc68807fba30ce9b08d3a362fe86c41d7c951d7a2
Instruction ID: 3051592b9f18bf4e19a4371c430073c4c9f5e55aef3558c681dea36d4a54ac39
Opcode Fuzzy Hash: 317405fb5ba53032a730e98cc68807fba30ce9b08d3a362fe86c41d7c951d7a2
Instruction Fuzzy Hash: F1113A7A6A8717FBF605A620EC0ADFA73DCCB26324B205016FB0DA50D2FBB158B95514

Function 001E8D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 629441d6ac22097756cdbf81a5eb03b7ca9482d6e690c000f2637c866e3c2010
Instruction ID: 992875fae9e2e0d7e7d18e04d67103ddd39cea4b22b696c918adcabb8534bb98
Opcode Fuzzy Hash: 629441d6ac22097756cdbf81a5eb03b7ca9482d6e690c000f2637c866e3c2010
Instruction Fuzzy Hash: 68C13574D04689AFCF11DFAAD845BADBBB4BF19310F044199F919AB392CB308A41CB60

Function 001ECE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 001ECEB7
_free.LIBCMT ref: 001ECF22
_free.LIBCMT ref: 001ECF48
_free.LIBCMT ref: 001ECF71
_free.LIBCMT ref: 001ECFA9
_free.LIBCMT ref: 001ECFDA
_free.LIBCMT ref: 001ED01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 001ED09C
_free.LIBCMT ref: 001ED0B5

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 586ab6b39d17a3b24a8b42a28267ad57289998982383b5b63bb6b96b478cfc26
Instruction ID: 9448131646a46eecf4e009993c7cb3aa7733c255ffdbfe6cd3dced690ce7c339
Opcode Fuzzy Hash: 586ab6b39d17a3b24a8b42a28267ad57289998982383b5b63bb6b96b478cfc26
Instruction Fuzzy Hash: 65619872904BD0AFDB25AFB6AC95A6E7BE9EF12720F04416DF80197282D7319D0287D0

Function 002450D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00245186
ShowWindow.USER32(?,00000000), ref: 002451C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 002451CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 002451D1

Part of subcall function 00246FBA: DeleteObject.GDI32(00000000), ref: 00246FE6

GetWindowLongW.USER32(?,000000F0), ref: 0024520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0024521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0024524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00245287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00245296

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 5f53657279bce1545cc74510cac553a5ef139d41ec658ed117ea850a1f4a39a6
Instruction ID: 3fd3372c7f3bc35e78e2e369ee3ccb4151081684f5a2983a7fd202c0c8182aad
Opcode Fuzzy Hash: 5f53657279bce1545cc74510cac553a5ef139d41ec658ed117ea850a1f4a39a6
Instruction Fuzzy Hash: D351C434A71A29BFEF289F24CC49BD93B65FB05321F144012F99D962E2C3B599A0DF41

Function 001C8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00206890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 002068A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 002068B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 002068D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 002068F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,001C8874,00000000,00000000,00000000,000000FF,00000000), ref: 00206901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0020691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,001C8874,00000000,00000000,00000000,000000FF,00000000), ref: 0020692D

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 7efe0e96d95a9bdda34cd85ff29ce0deb288df7d859e9b30ad902be6547de55e
Instruction ID: c79766a7a59a2e5de46d3c5623e713e3d79385858b19b39b82748e22eeb752dd
Opcode Fuzzy Hash: 7efe0e96d95a9bdda34cd85ff29ce0deb288df7d859e9b30ad902be6547de55e
Instruction Fuzzy Hash: 3151677461030AAFDB248F28DC99FAA7BB5EB68750F104518F906972E0DB70EDA0DB50

Function 0022C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0022C182
GetLastError.KERNEL32 ref: 0022C195
SetEvent.KERNEL32(?), ref: 0022C1A9

Part of subcall function 0022C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0022C272
Part of subcall function 0022C253: GetLastError.KERNEL32 ref: 0022C322
Part of subcall function 0022C253: SetEvent.KERNEL32(?), ref: 0022C336
Part of subcall function 0022C253: InternetCloseHandle.WININET(00000000), ref: 0022C341

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: f746b87357040ae6cf16cd9ee5dfd8f81f740ab5a19bffbfcae2a48602dd4575
Instruction ID: 4e4faa33bd0ee99fcea85604f74e43310bc9d6f4efe8c933af47d59bc3963232
Opcode Fuzzy Hash: f746b87357040ae6cf16cd9ee5dfd8f81f740ab5a19bffbfcae2a48602dd4575
Instruction Fuzzy Hash: 3A319E75111611FFDB219FE9EC08A6ABBE8FF19300B20451EF95A87610DB71E8209BA0

Function 002125A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00213A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00213A57
Part of subcall function 00213A3D: GetCurrentThreadId.KERNEL32 ref: 00213A5E
Part of subcall function 00213A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002125B3), ref: 00213A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 002125BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 002125DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 002125DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 002125E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00212601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00212605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0021260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00212623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00212627

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 8492247df2b614395b7fd3ba8b6571a08818850390aae1db28442ded768b4df0
Instruction ID: 8670764812d8aadf08e8796a52254f4cdd5569b2a8e19ee2ddc8472891ad39d6
Opcode Fuzzy Hash: 8492247df2b614395b7fd3ba8b6571a08818850390aae1db28442ded768b4df0
Instruction Fuzzy Hash: EF01D830791650BBFB1067689C8EF993F9DDF9EB11F200011F31CAE0D1C9E114548EA9

Function 00211803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00211449,?,?,00000000), ref: 0021180C
HeapAlloc.KERNEL32(00000000,?,00211449,?,?,00000000), ref: 00211813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00211449,?,?,00000000), ref: 00211828
GetCurrentProcess.KERNEL32(?,00000000,?,00211449,?,?,00000000), ref: 00211830
DuplicateHandle.KERNEL32(00000000,?,00211449,?,?,00000000), ref: 00211833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00211449,?,?,00000000), ref: 00211843
GetCurrentProcess.KERNEL32(00211449,00000000,?,00211449,?,?,00000000), ref: 0021184B
DuplicateHandle.KERNEL32(00000000,?,00211449,?,?,00000000), ref: 0021184E
CreateThread.KERNEL32(00000000,00000000,00211874,00000000,00000000,00000000), ref: 00211868

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 77fef418269eb32d0043ec0e1526daf85c0fdf40414552542f7ae1e47fecb40d
Instruction ID: c8c188af9f18068410a5f04eaa3ec97e857529c2deb01aaed03dbcbf6ff2349f
Opcode Fuzzy Hash: 77fef418269eb32d0043ec0e1526daf85c0fdf40414552542f7ae1e47fecb40d
Instruction Fuzzy Hash: 1301BF75241304BFE750AFA9EC4DF573BACEB8AB11F114411FA09DB191C6709810CB20

Function 0021C5D0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001B7620: _wcslen.LIBCMT ref: 001B7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0021C6EE
_wcslen.LIBCMT ref: 0021C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0021C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0021C7CA

Strings

0, xrefs: 0021C6AF
`L, xrefs: 0021C64B
`L, xrefs: 0021C652

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0$`L$`L
API String ID: 1227352736-3429737310
Opcode ID: 636f988fb0e56579ddec0d9d8bf3358939f8cc24f53c74eae57b636a18359dc7
Instruction ID: be7275d54b28b62c908e7311b9b73ed39b6951e5f59329d9b23c6d7c99c97119
Opcode Fuzzy Hash: 636f988fb0e56579ddec0d9d8bf3358939f8cc24f53c74eae57b636a18359dc7
Instruction Fuzzy Hash: D85104796A43429BD3109F28C885BFBB7ECAFA5310F24092DF591D21D0D7B0C8A5CB52

Function 0023A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0021D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0021D501
Part of subcall function 0021D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0021D50F
Part of subcall function 0021D4DC: CloseHandle.KERNELBASE(00000000), ref: 0021D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0023A16D
GetLastError.KERNEL32 ref: 0023A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0023A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0023A268
GetLastError.KERNEL32(00000000), ref: 0023A273
CloseHandle.KERNEL32(00000000), ref: 0023A2C4

Strings

SeDebugPrivilege, xrefs: 0023A18F

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: d3e5282b53ce95bcc04f7374c77b8ce8235fee3ccc2be415f74f5ee35ce45dc2
Instruction ID: 2911516588e583c0a413bff8867252afe475c799f748e3adc490402c93024448
Opcode Fuzzy Hash: d3e5282b53ce95bcc04f7374c77b8ce8235fee3ccc2be415f74f5ee35ce45dc2
Instruction Fuzzy Hash: 5F61B2742142429FD720DF18C494F66BBE1AF54318F18849CF8AA8B7A3C776EC55CB92

Function 00243886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00243925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0024393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00243954
_wcslen.LIBCMT ref: 00243999
SendMessageW.USER32(?,00001057,00000000,?), ref: 002439C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 002439F4

Strings

SysListView32, xrefs: 002438F7

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 5e43e060364582cee46be866e0d97a782bee539408c81bf6cf81b542b1cae49d
Instruction ID: 5fe5b5696987195ce83fcb5d9b300cb03b2008438e994d11e399c754490c2df4
Opcode Fuzzy Hash: 5e43e060364582cee46be866e0d97a782bee539408c81bf6cf81b542b1cae49d
Instruction Fuzzy Hash: 8941D571A10219ABEF25DF64CC49FEA7BA9EF48350F100526F958E7281D7B19DA0CB90

Function 0021C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0021C913

Strings

info, xrefs: 0021C8B4
blank, xrefs: 0021C895
question, xrefs: 0021C8CC
stop, xrefs: 0021C8E4
warning, xrefs: 0021C8FC

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: a1905cbd398cf661b782866aeff96566757462a374109dfa7070f89421e7bf65
Instruction ID: 6af9bd791ced0b49130d2266d41dc03ec1e1b07ee5b48597cca25cc62cfbdca2
Opcode Fuzzy Hash: a1905cbd398cf661b782866aeff96566757462a374109dfa7070f89421e7bf65
Instruction Fuzzy Hash: 8F11F6396E9707BBA7055B549CC39EE67DCDF36364B30402BF504AB282D7B05D905268

Function 0021DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0021DE42
gethostname.WSOCK32(?,00000100), ref: 0021DE5C
gethostbyname.WSOCK32(?), ref: 0021DE69
inet_ntoa.WSOCK32(?), ref: 0021DEAB
_strcat.LIBCMT ref: 0021DEB9
WSACleanup.WSOCK32 ref: 0021DEDE

Strings

0.0.0.0, xrefs: 0021DE87

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 8d8145ddbc47da37e13f0a73c84f6249313b04b1047a969bf42c2ba939a84f36
Instruction ID: 67b7200d350a69a6b89bee2d6ce9c31e78d3c2f126fc02f3f95df33378d3a87b
Opcode Fuzzy Hash: 8d8145ddbc47da37e13f0a73c84f6249313b04b1047a969bf42c2ba939a84f36
Instruction Fuzzy Hash: 42113631914105EFDB24AF74EC4AEEE77ECDF35315F10016AF4059A191EF758AD18A50

Function 00249F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001C9BB2

GetSystemMetrics.USER32(0000000F), ref: 00249FC7
GetSystemMetrics.USER32(0000000F), ref: 00249FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0024A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0024A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0024A263
ShowWindow.USER32(00000003,00000000), ref: 0024A282
InvalidateRect.USER32(?,00000000,00000001), ref: 0024A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 0024A2CA

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: dd46c88d77125fd3391becb2b2663074ceb4344ef79967fde5beadeb4b59f9c5
Instruction ID: 8197ca953fadc4d8f5b11db3c8446532eae1136ab6e179dc81eb884d816d74ff
Opcode Fuzzy Hash: dd46c88d77125fd3391becb2b2663074ceb4344ef79967fde5beadeb4b59f9c5
Instruction Fuzzy Hash: E1B1ED35640216EFDF18CF68C9897AE3BB2FF44701F088069EC49AF295D771AA60DB51

Function 0021ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0021ED2A
_wcslen.LIBCMT ref: 0021ED3B
_wcslen.LIBCMT ref: 0021ED79
_wcslen.LIBCMT ref: 0021EDAF
_wcslen.LIBCMT ref: 0021EDDF
_wcslen.LIBCMT ref: 0021EDEF
_wcslen.LIBCMT ref: 0021EE2B
_wcslen.LIBCMT ref: 0021EE5A

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 95b66c20a345bc005e15b6d24dbc4d572b0327fc4504ee7779d6b565bd1f1f60
Instruction ID: 823afe20410007e5a3742782b5d599f338cb687a311cc4aaba410fad5df793a4
Opcode Fuzzy Hash: 95b66c20a345bc005e15b6d24dbc4d572b0327fc4504ee7779d6b565bd1f1f60
Instruction Fuzzy Hash: 7D418065C1021876CB11EBB48C8AACFB7ACAF65710F508463F918E3221FB34E295C7E5

Function 001CF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0020682C,00000004,00000000,00000000), ref: 001CF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0020682C,00000004,00000000,00000000), ref: 0020F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0020682C,00000004,00000000,00000000), ref: 0020F454

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: f91b784d93fcd8f3a218fff9e8088229af1cb399e88036c3111a01c6a030095d
Instruction ID: aa1ee2e9068f532d63faca9adaf679b4f4c36c665c30262e443408eb368cf8a4
Opcode Fuzzy Hash: f91b784d93fcd8f3a218fff9e8088229af1cb399e88036c3111a01c6a030095d
Instruction Fuzzy Hash: 76412B35224780BBCFB89B2C998CF2A7B97AB66318F15403CF547569A1C735E882CB11

Function 00242D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00242D1B
GetDC.USER32(00000000), ref: 00242D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00242D2E
ReleaseDC.USER32(00000000,00000000), ref: 00242D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00242D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00242D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00245A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00242DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00242DE1

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 81b6b72d9a61a72539de74ed303be23878ab782697ed7ec806ea84fcda083548
Instruction ID: 8a06d5c5b4e6a0c2069fc0bed7ac5847f965522735a27d950869ab625d5b7451
Opcode Fuzzy Hash: 81b6b72d9a61a72539de74ed303be23878ab782697ed7ec806ea84fcda083548
Instruction Fuzzy Hash: 2E31CE76212210BFEB258F55DC8AFEB3FADEF4A711F044055FE089A291C6B58C50CBA0

Function 00215622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00215637
_memcmp.LIBVCRUNTIME ref: 00215659
_memcmp.LIBVCRUNTIME ref: 00215671
_memcmp.LIBVCRUNTIME ref: 00215684
_memcmp.LIBVCRUNTIME ref: 0021569E
_memcmp.LIBVCRUNTIME ref: 002156B1
_memcmp.LIBVCRUNTIME ref: 002156C9
_memcmp.LIBVCRUNTIME ref: 002156E4

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 06681c7a8174d117d866cb374d7f91c3ab576155d7dc2df0487d0dfaf45aa243
Instruction ID: c33331b0bcfcb911c9fb800ce9d75beb0ffe631a610018b6c9b3a28f2e426306
Opcode Fuzzy Hash: 06681c7a8174d117d866cb374d7f91c3ab576155d7dc2df0487d0dfaf45aa243
Instruction Fuzzy Hash: 1D21FC6167092AFBD21899118E82FFA73DDBFF2394F440062FD045A682F760ED7181E5

Function 00234FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00235007
NULL Pointer assignment, xrefs: 0023502E, 00235383

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 68c2a1413eed57fbd570ac0e74fa635128d7ed4fcc2f962ea788cdee5273debe
Instruction ID: 9d292ea1bee746d222b5a9a6ee50a44443076c3475ff17cdb0d8fc6fe9eadcb8
Opcode Fuzzy Hash: 68c2a1413eed57fbd570ac0e74fa635128d7ed4fcc2f962ea788cdee5273debe
Instruction Fuzzy Hash: 9ED1D3B1A1061A9FDF14CFA8C880FAEB7B5FF48344F148069E919AB281E771DD51CB90

Function 001F1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,001F17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 001F15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,001F17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001F1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,001F17FB,?,001F17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001F16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,001F17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001F16FB

Part of subcall function 001E3820: RtlAllocateHeap.NTDLL(00000000,?,00281444,?,001CFDF5,?,?,001BA976,00000010,00281440,001B13FC,?,001B13C6,?,001B1129), ref: 001E3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,001F17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001F1777
__freea.LIBCMT ref: 001F17A2
__freea.LIBCMT ref: 001F17AE

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 98387d1eb3a1cb264be7d3d54c401514f67d96d1ca89fe51fe280ac0ade15752
Instruction ID: 6858600090b3e485cd7630cbd67c8b57043948bd7b09b956211e8e41774dba25
Opcode Fuzzy Hash: 98387d1eb3a1cb264be7d3d54c401514f67d96d1ca89fe51fe280ac0ade15752
Instruction Fuzzy Hash: 4991D472E0021EFADF249EB5C881AFE7BB5AF5A710F180659EA06E7150DB35DC40CB60

Function 00234523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00234648
VariantInit.OLEAUT32(?), ref: 00234749
VariantClear.OLEAUT32(?), ref: 00234753
VariantClear.OLEAUT32(?), ref: 002347B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0023472C
Null Object assignment in FOR..IN loop, xrefs: 002345D8, 00234706, 002347BE

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 1ec43cde462f213220ae0f5cda29efa27691a10e9d5bfa6cb876cc94b0b1323c
Instruction ID: ae48cb915d76f649bec304ce7093606b37173506d9d89f7f1ecf5041abffc444
Opcode Fuzzy Hash: 1ec43cde462f213220ae0f5cda29efa27691a10e9d5bfa6cb876cc94b0b1323c
Instruction Fuzzy Hash: 4191B4B1E20215ABDF24DFA4CC45FAEBBB8EF46714F108599F505AB280D770A951CFA0

Function 00221187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0022125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00221284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 002212A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002212D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0022135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002213C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00221430

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 16fd3b3c22efe05ac42267e5e9f3224a365230a2424d99b4c3233bb6a2c4f38b
Instruction ID: c55fb7394279ab455df819bcf6adef689edfae07f60555f362bb763315080f17
Opcode Fuzzy Hash: 16fd3b3c22efe05ac42267e5e9f3224a365230a2424d99b4c3233bb6a2c4f38b
Instruction Fuzzy Hash: D391D275910229AFEB00DFD8E884FBE77B5FF65314F104129E900E7291D774A961CB90

Function 001C948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 6bdd232932ba77679222b6257325b2b1c80f6d76a652428c6f01334a0b3019b4
Instruction ID: 58c4f06e0f5f15b1d9132009da857a83fe91c96da7fa653e96c2506d4b75d7bf
Opcode Fuzzy Hash: 6bdd232932ba77679222b6257325b2b1c80f6d76a652428c6f01334a0b3019b4
Instruction Fuzzy Hash: AC912671E00219EFCB14CFA9CC88AEEBBB8FF59320F14855AE515B7291D774A941CB60

Function 00233947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0023396B
CharUpperBuffW.USER32(?,?), ref: 00233A7A
_wcslen.LIBCMT ref: 00233A8A
VariantClear.OLEAUT32(?), ref: 00233C1F

Part of subcall function 00220CDF: VariantInit.OLEAUT32(00000000), ref: 00220D1F
Part of subcall function 00220CDF: VariantCopy.OLEAUT32(?,?), ref: 00220D28
Part of subcall function 00220CDF: VariantClear.OLEAUT32(?), ref: 00220D34

Strings

Incorrect Parameter format, xrefs: 002339A6, 00233BA1
AUTOIT.ERROR, xrefs: 00233A80, 00233A85

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: ce65568379898425162f89a0c9ec87f23121a81c48ae648c4adeaa0e60bdaaf2
Instruction ID: 5de5a82ea740cc031ceca79ba36ecf1f5ce91728b54c6b7dec6955fcb5ba4ef2
Opcode Fuzzy Hash: ce65568379898425162f89a0c9ec87f23121a81c48ae648c4adeaa0e60bdaaf2
Instruction Fuzzy Hash: 529169B46183059FC704DF24C48196AB7E5FF99314F14886EF88A9B351DB30EE56CB92

Function 00234BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0021000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0020FF41,80070057,?,?,?,0021035E), ref: 0021002B
Part of subcall function 0021000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0020FF41,80070057,?,?), ref: 00210046
Part of subcall function 0021000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0020FF41,80070057,?,?), ref: 00210054
Part of subcall function 0021000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0020FF41,80070057,?), ref: 00210064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00234C51
_wcslen.LIBCMT ref: 00234D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00234DCF
CoTaskMemFree.OLE32(?), ref: 00234DDA

Strings

NULL Pointer assignment, xrefs: 00234E23, 00234E52

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 997d5cf7b880abdae0eca16018062c2e5f98158edd96cd7ab5fb0d10a56ecbcc
Instruction ID: 363e19c8d822627530ccfad4f52d49d13051fa99da1f5c3170327b4dd08da5dd
Opcode Fuzzy Hash: 997d5cf7b880abdae0eca16018062c2e5f98158edd96cd7ab5fb0d10a56ecbcc
Instruction Fuzzy Hash: EA914AB1D1021DAFDF14EFA4D881AEEB7B8FF18304F10416AE915A7251DB70AA55CF60

Function 002420FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00242183
GetMenuItemCount.USER32(00000000), ref: 002421B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 002421DD
_wcslen.LIBCMT ref: 00242213
GetMenuItemID.USER32(?,?), ref: 0024224D
GetSubMenu.USER32(?,?), ref: 0024225B

Part of subcall function 00213A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00213A57
Part of subcall function 00213A3D: GetCurrentThreadId.KERNEL32 ref: 00213A5E
Part of subcall function 00213A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002125B3), ref: 00213A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 002422E3

Part of subcall function 0021E97B: Sleep.KERNEL32 ref: 0021E9F3

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 3775d1a647dfa67f244654ba1ac467914b60dd0f5e1f7c58f8573ce4abf86837
Instruction ID: e749ba8e557948468d2f5262907c7ad444c16f64eee5dfc347bdc654e4b72e3e
Opcode Fuzzy Hash: 3775d1a647dfa67f244654ba1ac467914b60dd0f5e1f7c58f8573ce4abf86837
Instruction Fuzzy Hash: 45717D75A10205EFCB14DF69C845AAEBBF5AF88310F508499F81AEB341DB74ED458B90

Function 00247E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00EA4C10), ref: 00247F37
IsWindowEnabled.USER32(00EA4C10), ref: 00247F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0024801E
SendMessageW.USER32(00EA4C10,000000B0,?,?), ref: 00248051
IsDlgButtonChecked.USER32(?,?), ref: 00248089
GetWindowLongW.USER32(00EA4C10,000000EC), ref: 002480AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 002480C3

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: ed4bd216018ece0a461f521c0f2a097aac0e212da6336e90df88c7b91371dd19
Instruction ID: 65e8e60074e0a6d843927edd55ceb4b96b63be042ef741b3e61a510bdac0a35e
Opcode Fuzzy Hash: ed4bd216018ece0a461f521c0f2a097aac0e212da6336e90df88c7b91371dd19
Instruction Fuzzy Hash: 5871D334629205AFEB29DF54CC84FBE7BB9EF09300F15445AF966572A1CB31AC69CB10

Function 0021AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0021AEF9
GetKeyboardState.USER32(?), ref: 0021AF0E
SetKeyboardState.USER32(?), ref: 0021AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0021AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0021AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0021AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0021B020

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 77a893accb3afe3cedfc6f45b2dda83ca2f377d79413ce0412ce63e117b40d6a
Instruction ID: c5fee2de9eaa67df906aa73e80b77f5bf34995608042a99289f03c62a58b5f32
Opcode Fuzzy Hash: 77a893accb3afe3cedfc6f45b2dda83ca2f377d79413ce0412ce63e117b40d6a
Instruction Fuzzy Hash: 5851F4A0A253D23DFB374A348C45BFA7EE95B16304F088489F1D9458C2C3E9ACE9D761

Function 0021ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0021AD19
GetKeyboardState.USER32(?), ref: 0021AD2E
SetKeyboardState.USER32(?), ref: 0021AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0021ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0021ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0021AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0021AE38

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: d3341ae80fe7e434212e4f7b8b64fa017e3bbf2705b22c21af476875d197693f
Instruction ID: c121a3ecb978ab7890174a54ba61201d4d5d9f52f936bf5f04949b555d997510
Opcode Fuzzy Hash: d3341ae80fe7e434212e4f7b8b64fa017e3bbf2705b22c21af476875d197693f
Instruction Fuzzy Hash: 7E5106A09267D23DFB378B348C45BFA7EE85B56300F088498E0D5468C3C2A4ECE8D752

Function 001E542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(001F3CD6,?,?,?,?,?,?,?,?,001E5BA3,?,?,001F3CD6,?,?), ref: 001E5470
__fassign.LIBCMT ref: 001E54EB
__fassign.LIBCMT ref: 001E5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,001F3CD6,00000005,00000000,00000000), ref: 001E552C
WriteFile.KERNEL32(?,001F3CD6,00000000,001E5BA3,00000000,?,?,?,?,?,?,?,?,?,001E5BA3,?), ref: 001E554B
WriteFile.KERNEL32(?,?,00000001,001E5BA3,00000000,?,?,?,?,?,?,?,?,?,001E5BA3,?), ref: 001E5584

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 5ebe59035bd0e13fde34c94c1772a96f1cd996de14c1c05e99c4e51da360a737
Instruction ID: b9f597a8a2250c69942ebaa4b2f90ec501a55f59214b8a0505d7a383a1d833e6
Opcode Fuzzy Hash: 5ebe59035bd0e13fde34c94c1772a96f1cd996de14c1c05e99c4e51da360a737
Instruction Fuzzy Hash: 52512A70A00A489FDB14CFA9DC85AEEBBF6EF09304F24415AF555E7291D730DA40CB60

Function 001D2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 001D2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 001D2D53
_ValidateLocalCookies.LIBCMT ref: 001D2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 001D2E0C
_ValidateLocalCookies.LIBCMT ref: 001D2E61

Strings

csm, xrefs: 001D2DF6

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 357838e37b920316add8f55f783d66e9e44a5c0e1c687314012fa769721fe00f
Instruction ID: 4175e75fcc9922be34f4cff29ebeb81fc63b74666a99f5804897117cf304dccb
Opcode Fuzzy Hash: 357838e37b920316add8f55f783d66e9e44a5c0e1c687314012fa769721fe00f
Instruction Fuzzy Hash: 6E41B434E00209EBCF14DFA8CC85A9EBBB5BF65324F148156E9246B392D731AE15CBD1

Function 002310B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0023304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0023307A
Part of subcall function 0023304E: _wcslen.LIBCMT ref: 0023309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00231112
WSAGetLastError.WSOCK32 ref: 00231121
WSAGetLastError.WSOCK32 ref: 002311C9
closesocket.WSOCK32(00000000), ref: 002311F9

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 1cc13b5557f0c85c5f63c19f3aeed9332807180ffd01cba96346b07edf9cdecc
Instruction ID: 5c7c94172720abcae1ad0857d26cc6a35dae92ad05a5af70f2eca31912b94ca0
Opcode Fuzzy Hash: 1cc13b5557f0c85c5f63c19f3aeed9332807180ffd01cba96346b07edf9cdecc
Instruction Fuzzy Hash: 854112B5210204AFDB109F18D888BEABBE9EF45324F148059FD499B291C7B0EE51CBE0

Function 0021CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0021DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0021CF22,?), ref: 0021DDFD

Part of subcall function 0021DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0021CF22,?), ref: 0021DE16

lstrcmpiW.KERNEL32(?,?), ref: 0021CF45
MoveFileW.KERNEL32(?,?), ref: 0021CF7F
_wcslen.LIBCMT ref: 0021D005
_wcslen.LIBCMT ref: 0021D01B
SHFileOperationW.SHELL32(?), ref: 0021D061

Strings

\*.*, xrefs: 0021CFF3

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: b3766fdf03ddd3766a77de372c44eacdb40fdb27e923f81ee3deed1bce275aa5
Instruction ID: 232433c414e50c1468727b772a90ddb9880f271b6d0c91eaf416bd5cb1750fdd
Opcode Fuzzy Hash: b3766fdf03ddd3766a77de372c44eacdb40fdb27e923f81ee3deed1bce275aa5
Instruction Fuzzy Hash: 0F4185758552199FDF12EFA4D981ADEB7F9AF28340F1000E6E509EB141EB30AA99CF50

Function 00242DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00242E1C
GetWindowLongW.USER32(?,000000F0), ref: 00242E4F
GetWindowLongW.USER32(?,000000F0), ref: 00242E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00242EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00242EE0
GetWindowLongW.USER32(?,000000F0), ref: 00242EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00242F0B

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 5745d7d350c7006e518c18633514b37757935d0406da46634a7759bc707d361c
Instruction ID: 5a3ae2e88059d8c80ae7368d5313120fdea95d00ce96daee21aadefd7b0d9182
Opcode Fuzzy Hash: 5745d7d350c7006e518c18633514b37757935d0406da46634a7759bc707d361c
Instruction Fuzzy Hash: 29313438716151DFDB298F19EC88F6537E8EB8AB10F950064F9149B2B2CB71B869DB00

Function 00217726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00217769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0021778F
SysAllocString.OLEAUT32(00000000), ref: 00217792
SysAllocString.OLEAUT32(?), ref: 002177B0
SysFreeString.OLEAUT32(?), ref: 002177B9
StringFromGUID2.OLE32(?,?,00000028), ref: 002177DE
SysAllocString.OLEAUT32(?), ref: 002177EC

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: e0f84aa168b714645383cfe6fcf379801020cb61f384238865c9bc8be9b4427d
Instruction ID: edfac4d4feba534ca1146d3510529d99cdd6448986e78e4c6be8f0b17e22e51d
Opcode Fuzzy Hash: e0f84aa168b714645383cfe6fcf379801020cb61f384238865c9bc8be9b4427d
Instruction Fuzzy Hash: 0D21E23A61420AAFDB00EFACDC88CFBB3ECEB59760B108025F915CB190D670DC828760

Function 002177FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00217842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00217868
SysAllocString.OLEAUT32(00000000), ref: 0021786B
SysAllocString.OLEAUT32 ref: 0021788C
SysFreeString.OLEAUT32 ref: 00217895
StringFromGUID2.OLE32(?,?,00000028), ref: 002178AF
SysAllocString.OLEAUT32(?), ref: 002178BD

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 64373589e885e60576b389e2ca3bd8dcbde63918007ad8f02d4495207aa9df98
Instruction ID: a14924b740362468d2c340f3977d796eb7c6610bfdb67ebb8a879337757837b0
Opcode Fuzzy Hash: 64373589e885e60576b389e2ca3bd8dcbde63918007ad8f02d4495207aa9df98
Instruction Fuzzy Hash: 1C21DE35619209AF9B10AFA8DC8CDEA73FCEB597207218025B904CB2A1D670DC81DB74

Function 002204D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 002204F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0022052E

Strings

nul, xrefs: 00220567

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: d59ec798a991ac41f0d407591383ad02d4a4df3ea86f69793be7f939577d6d0d
Instruction ID: bf1be9295e906926bc4e6a262f56d078998c8b848f71db2b91c7c3f467b4e7e7
Opcode Fuzzy Hash: d59ec798a991ac41f0d407591383ad02d4a4df3ea86f69793be7f939577d6d0d
Instruction Fuzzy Hash: C221A574510316BBCB209FA9EC84A9977F4BF45720F604A18F8A1D61E1D7B09970CF60

Function 002205A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 002205C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00220601

Strings

nul, xrefs: 00220639

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 1df0a5601f20abcf592c033f28e5bb27179f416b907344421ff7c0c3669f72e2
Instruction ID: 1b7d4830f0f277617f1313a4cb7e9e9de68af20fab8ab10d496b3d7cb5f48ed8
Opcode Fuzzy Hash: 1df0a5601f20abcf592c033f28e5bb27179f416b907344421ff7c0c3669f72e2
Instruction Fuzzy Hash: 41216F75510316BFDB209FA9EC84AA577E8BF55720F200619FCA1D71E5D7B09970CB10

Function 002440AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001B600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 001B604C
Part of subcall function 001B600E: GetStockObject.GDI32(00000011), ref: 001B6060
Part of subcall function 001B600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 001B606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00244112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0024411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0024412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00244139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00244145

Strings

Msctls_Progress32, xrefs: 002440E3

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: c1f3ea80f36392c0f4573e39babca0699711a6cd6e670c271ad77f0dca99d245
Instruction ID: 238781490b7a00a764b94a63951ea47062a41db4e3bdc219d0846a23c3ceface
Opcode Fuzzy Hash: c1f3ea80f36392c0f4573e39babca0699711a6cd6e670c271ad77f0dca99d245
Instruction Fuzzy Hash: B71190B215021ABEEF119E64CC86EE77F5DEF19798F014111BA18A6090C7729C219BA4

Function 001ED7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001ED7A3: _free.LIBCMT ref: 001ED7CC

_free.LIBCMT ref: 001ED82D

Part of subcall function 001E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001ED7D1,00000000,00000000,00000000,00000000,?,001ED7F8,00000000,00000007,00000000,?,001EDBF5,00000000), ref: 001E29DE
Part of subcall function 001E29C8: GetLastError.KERNEL32(00000000,?,001ED7D1,00000000,00000000,00000000,00000000,?,001ED7F8,00000000,00000007,00000000,?,001EDBF5,00000000,00000000), ref: 001E29F0

_free.LIBCMT ref: 001ED838
_free.LIBCMT ref: 001ED843
_free.LIBCMT ref: 001ED897
_free.LIBCMT ref: 001ED8A2
_free.LIBCMT ref: 001ED8AD
_free.LIBCMT ref: 001ED8B8

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 8ed27231ec7e722a7d8479e1cad3e185b7473500f94eba374ce8d7ecf1046ff6
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 32113A71940F98AAD621BFF2DC47FCF7BDCAF20704F400825F699A6092DB79B5058662

Function 0021DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0021DA74
LoadStringW.USER32(00000000), ref: 0021DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0021DA91
LoadStringW.USER32(00000000), ref: 0021DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0021DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0021DAB9

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: f13486d62b20d3058802a162c67ee09b5e9c1209636c457bf4a0295ea720dfa5
Instruction ID: 04add701728d99dc717a2f4745a73d20eddac346c2162ca584bdf3b348da78ce
Opcode Fuzzy Hash: f13486d62b20d3058802a162c67ee09b5e9c1209636c457bf4a0295ea720dfa5
Instruction Fuzzy Hash: B60186F6910208BFE751DBA8ED8DEE773ACEB09305F504492B74AE2041EA749E844F74

Function 0022096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00E9E2B0,00E9E2B0), ref: 0022097B
EnterCriticalSection.KERNEL32(00E9E290,00000000), ref: 0022098D
TerminateThread.KERNEL32(?,000001F6), ref: 0022099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 002209A9
CloseHandle.KERNEL32(?), ref: 002209B8
InterlockedExchange.KERNEL32(00E9E2B0,000001F6), ref: 002209C8
LeaveCriticalSection.KERNEL32(00E9E290), ref: 002209CF

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 6ef8562eb0f62e52231b299a1c43ced6be3003c2a3562e1f011dde1366904f50
Instruction ID: f18ab515642c7f39472a7638cae8301935ad8a4fd8ddeb35ee5c57b18d049d09
Opcode Fuzzy Hash: 6ef8562eb0f62e52231b299a1c43ced6be3003c2a3562e1f011dde1366904f50
Instruction Fuzzy Hash: A9F0CD35543912BBD7916F98FE8DAD67A25BF06B02F501025F502508A1C7B5A475CF90

Function 00231C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00231DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00231DE1
WSAGetLastError.WSOCK32 ref: 00231DF2
htons.WSOCK32(?,?,?,?,?), ref: 00231EDB
inet_ntoa.WSOCK32(?), ref: 00231E8C

Part of subcall function 002139E8: _strlen.LIBCMT ref: 002139F2

Part of subcall function 00233224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0022EC0C), ref: 00233240

_strlen.LIBCMT ref: 00231F35

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 896403e899bab87986f29287762c9293a97ff691c26e0f6ba4fa5cd2e4e23a16
Instruction ID: f17e78e46d46759eb0e4f1656219635062ff9b02c46a68183ebc09c3a294570f
Opcode Fuzzy Hash: 896403e899bab87986f29287762c9293a97ff691c26e0f6ba4fa5cd2e4e23a16
Instruction Fuzzy Hash: 73B1CD70214301AFC324DF24C885F6A7BE5AFA5318F64894CF45A5B2E2CB71ED52CB92

Function 001B5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 001B5D30
GetWindowRect.USER32(?,?), ref: 001B5D71
ScreenToClient.USER32(?,?), ref: 001B5D99
GetClientRect.USER32(?,?), ref: 001B5ED7
GetWindowRect.USER32(?,?), ref: 001B5EF8

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 0bbdd65f2a0d86624e8cded45422cfc37afbcabacd9d72f92920520b8f64d30d
Instruction ID: fb6d6125648dcae5552f86f314635f4aa7ebffe2da73a399a8c538b850c24bba
Opcode Fuzzy Hash: 0bbdd65f2a0d86624e8cded45422cfc37afbcabacd9d72f92920520b8f64d30d
Instruction Fuzzy Hash: B5B16838A00A4ADBDB14CFA9C4847FAB7F2FF48310F14851AE9A9D7250DB34EA51DB54

Function 001E01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 001E00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001E00D6
__allrem.LIBCMT ref: 001E00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001E010B
__allrem.LIBCMT ref: 001E0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001E0140

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: cfd73dd3c279bf2736ba7d221d6cc9981b9900ec98d3f5189425b45099d4514f
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 27812872A00B46ABE7259F6ACC81B6F73E8AF55364F24413EF511DA381E7B0DA418790

Function 001E61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,001D82D9,001D82D9,?,?,?,001E644F,00000001,00000001,8BE85006), ref: 001E6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,001E644F,00000001,00000001,8BE85006,?,?,?), ref: 001E62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 001E63D8
__freea.LIBCMT ref: 001E63E5

Part of subcall function 001E3820: RtlAllocateHeap.NTDLL(00000000,?,00281444,?,001CFDF5,?,?,001BA976,00000010,00281440,001B13FC,?,001B13C6,?,001B1129), ref: 001E3852

__freea.LIBCMT ref: 001E63EE
__freea.LIBCMT ref: 001E6413

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: bc991707ccfd5acd0441eeecf6553b5d2fe286e87e92f4cd6d9b4790f45bf19d
Instruction ID: 4d04fcf423613cc46e0d20c8fe8f0e3666d4edb44c2bc43367ca2990d577179d
Opcode Fuzzy Hash: bc991707ccfd5acd0441eeecf6553b5d2fe286e87e92f4cd6d9b4790f45bf19d
Instruction Fuzzy Hash: 93510472A00A96ABDB258F66CC81EBF77A9EF64790F654229FD09D7180DB34DC40C660

Function 0023BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

Part of subcall function 0023C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0023B6AE,?,?), ref: 0023C9B5
Part of subcall function 0023C998: _wcslen.LIBCMT ref: 0023C9F1
Part of subcall function 0023C998: _wcslen.LIBCMT ref: 0023CA68
Part of subcall function 0023C998: _wcslen.LIBCMT ref: 0023CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0023BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0023BD25
RegCloseKey.ADVAPI32(00000000), ref: 0023BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0023BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0023BDF3
RegCloseKey.ADVAPI32(?), ref: 0023BDFF

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 1cb51b942ad69bd7b7132e6dd48fb1b66da8dae343a3267abe52cfbc9285f72c
Instruction ID: 660a798fae54719a747e4bde14847a565c96553accfb87f159fad1233c80567c
Opcode Fuzzy Hash: 1cb51b942ad69bd7b7132e6dd48fb1b66da8dae343a3267abe52cfbc9285f72c
Instruction Fuzzy Hash: 4F81D070218241EFC715DF24C885E6ABBE5FF84308F14895DF55A8B2A2CB32ED15CB92

Function 0020F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0020F7B9
SysAllocString.OLEAUT32(00000001), ref: 0020F860
VariantCopy.OLEAUT32(0020FA64,00000000), ref: 0020F889
VariantClear.OLEAUT32(0020FA64), ref: 0020F8AD
VariantCopy.OLEAUT32(0020FA64,00000000), ref: 0020F8B1
VariantClear.OLEAUT32(?), ref: 0020F8BB

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 80626f2af201cf64128b5d0b4241f40cb7459edcbc998e1ca589053909fabd19
Instruction ID: 6b435c108157580d1568ffafaafd772b033988e100d1382c156709f7268791a0
Opcode Fuzzy Hash: 80626f2af201cf64128b5d0b4241f40cb7459edcbc998e1ca589053909fabd19
Instruction Fuzzy Hash: C0512A31560304BACFB0AF65D985B69B3A4EF55310F20946BE902DF6D3D7B08C50CB96

Function 0022910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 001B7620: _wcslen.LIBCMT ref: 001B7625

Part of subcall function 001B6B57: _wcslen.LIBCMT ref: 001B6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 002294E5
_wcslen.LIBCMT ref: 00229506
_wcslen.LIBCMT ref: 0022952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00229585

Strings

X, xrefs: 00229412

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 148ea5a503869233493522414fe1da2e3e49673739e40a1eb81ad62182e15503
Instruction ID: 51f9f9e131b289c74845620916c33f0bfd0402b9d3fbf7d73be09d9fe3fc495c
Opcode Fuzzy Hash: 148ea5a503869233493522414fe1da2e3e49673739e40a1eb81ad62182e15503
Instruction Fuzzy Hash: 1DE1E330618311DFD724EF64D881BAAB7E4BF94310F14896DF8899B2A2DB30DD55CB92

Function 001C920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 001C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001C9BB2

BeginPaint.USER32(?,?,?), ref: 001C9241
GetWindowRect.USER32(?,?), ref: 001C92A5
ScreenToClient.USER32(?,?), ref: 001C92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 001C92D3
EndPaint.USER32(?,?,?,?,?), ref: 001C9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 002071EA

Part of subcall function 001C9339: BeginPath.GDI32(00000000), ref: 001C9357

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 6fd8ca302b5f76e0cf68c8a545080d247b26c6884b315e3243534e3c3a964af4
Instruction ID: 233d802e3ee455021b5ed2a73bf351360e73edbb5babab67895bc1463428055f
Opcode Fuzzy Hash: 6fd8ca302b5f76e0cf68c8a545080d247b26c6884b315e3243534e3c3a964af4
Instruction Fuzzy Hash: B8419D74105341AFD710DF24DC88FAA7BB8FF66720F140669F998862E2C7319855DB61

Function 002207EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0022080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00220847
EnterCriticalSection.KERNEL32(?), ref: 00220863
LeaveCriticalSection.KERNEL32(?), ref: 002208DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 002208F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00220921

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: ece7556b43cbb532c1d9bea3a14914f200f982f2484c51d51849733535d2e9aa
Instruction ID: ae69d37ad4f24c2f5ad246b4be7014148fc6ea06178f24fec61e93f73f1253fe
Opcode Fuzzy Hash: ece7556b43cbb532c1d9bea3a14914f200f982f2484c51d51849733535d2e9aa
Instruction Fuzzy Hash: 7D416A71900205EFDF14EF94EC85AAA77B9FF14700F1440A9ED049A297DB70DE61DBA4

Function 002481DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0020F3AB,00000000,?,?,00000000,?,0020682C,00000004,00000000,00000000), ref: 0024824C
EnableWindow.USER32(?,00000000), ref: 00248272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 002482D1
ShowWindow.USER32(?,00000004), ref: 002482E5
EnableWindow.USER32(?,00000001), ref: 0024830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0024832F

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 3e0526ea523562aa74f2424af7c655c500c6249d901ac725db0ed061008523c4
Instruction ID: abbe6a6e2b2d0cf9ff950ac0257b715e174685c91bf52a0e781adec3476525dd
Opcode Fuzzy Hash: 3e0526ea523562aa74f2424af7c655c500c6249d901ac725db0ed061008523c4
Instruction Fuzzy Hash: 0741C834622645AFDB1ACF14D899BE87BE4FB46714F1841A9E9084F2B2CB71AC61CF50

Function 00214C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00214C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00214CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00214CEA
_wcslen.LIBCMT ref: 00214D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00214D10
_wcsstr.LIBVCRUNTIME ref: 00214D1A

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: c7677aad11373bbe8406722eb02146286c10fc476126fe2712385c90ed91c236
Instruction ID: 76f6e494d06290726321cb2770bb6f8ec1d75b24a40c26ea5e86f7851527672b
Opcode Fuzzy Hash: c7677aad11373bbe8406722eb02146286c10fc476126fe2712385c90ed91c236
Instruction Fuzzy Hash: 5C2149312152017BEB196F39BC09EBB7BDCDF65710F10803EF809CA192EB60CC5182A0

Function 0022581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 001B3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001B3A97,?,?,001B2E7F,?,?,?,00000000), ref: 001B3AC2

_wcslen.LIBCMT ref: 0022587B
CoInitialize.OLE32(00000000), ref: 00225995
CoCreateInstance.OLE32(0024FCF8,00000000,00000001,0024FB68,?), ref: 002259AE
CoUninitialize.OLE32 ref: 002259CC

Strings

.lnk, xrefs: 00225876, 002258C1, 00225985

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 3c4d3afc14aaba5a63694e004908ea310e5a538c8ea4511b8f3df7d65839496a
Instruction ID: fd8a8f52b3440fb93d9035f01a7bbabf0587b23b5aea4780f42cc9a5e4f216c6
Opcode Fuzzy Hash: 3c4d3afc14aaba5a63694e004908ea310e5a538c8ea4511b8f3df7d65839496a
Instruction Fuzzy Hash: 2DD18370618721AFC714DF64D484A6ABBE1FF99314F10885DF88A9B361DB31EC45CB92

Function 0021175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00210FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00210FCA
Part of subcall function 00210FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00210FD6
Part of subcall function 00210FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00210FE5
Part of subcall function 00210FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00210FEC
Part of subcall function 00210FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00211002

GetLengthSid.ADVAPI32(?,00000000,00211335), ref: 002117AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 002117BA
HeapAlloc.KERNEL32(00000000), ref: 002117C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 002117DA
GetProcessHeap.KERNEL32(00000000,00000000,00211335), ref: 002117EE
HeapFree.KERNEL32(00000000), ref: 002117F5

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: ff697e3ca77e4dcd10adb40bb88f81f1b1243507de484efef6417fef4a56bd15
Instruction ID: b02d07c674b5135422eaad00e64df2d5502bd45dd6c02bff9b689e5661329fd2
Opcode Fuzzy Hash: ff697e3ca77e4dcd10adb40bb88f81f1b1243507de484efef6417fef4a56bd15
Instruction Fuzzy Hash: FB11EE35522606FFDB109FA8DC49BEEBBE8EB52315F204028F5459B290C731A9A1CB60

Function 002114CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 002114FF
OpenProcessToken.ADVAPI32(00000000), ref: 00211506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00211515
CloseHandle.KERNEL32(00000004), ref: 00211520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0021154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00211563

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: fb08d52156ae2a494df20dd66dea439077d77422ed3dfab76b8ac3785a9e546f
Instruction ID: 003ccc43e8bf77d83f92c99ef560b753796e438788c9f458d4925a58d2234c93
Opcode Fuzzy Hash: fb08d52156ae2a494df20dd66dea439077d77422ed3dfab76b8ac3785a9e546f
Instruction Fuzzy Hash: 6511597660220AABDF119F98ED49BDE7BA9EF49B04F144014FA05A2060C3758EA0DB60

Function 001D3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,001D3379,001D2FE5), ref: 001D3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 001D339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 001D33B7
SetLastError.KERNEL32(00000000,?,001D3379,001D2FE5), ref: 001D3409

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: a558b995b7e578d6a4f6b420fb53872e823209da72b0216d6bf6b2023743002d
Instruction ID: fd92bf0e0fe0f376183485a6d912cad9fd383cedc644114c14274c1dfd79ec4e
Opcode Fuzzy Hash: a558b995b7e578d6a4f6b420fb53872e823209da72b0216d6bf6b2023743002d
Instruction Fuzzy Hash: 8E014733209321BFAA292BB97C895272A94FB25379330022FF430803F0EF218E019186

Function 001E2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,001E5686,001F3CD6,?,00000000,?,001E5B6A,?,?,?,?,?,001DE6D1,?,00278A48), ref: 001E2D78
_free.LIBCMT ref: 001E2DAB
_free.LIBCMT ref: 001E2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,001DE6D1,?,00278A48,00000010,001B4F4A,?,?,00000000,001F3CD6), ref: 001E2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,001DE6D1,?,00278A48,00000010,001B4F4A,?,?,00000000,001F3CD6), ref: 001E2DEC
_abort.LIBCMT ref: 001E2DF2

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 8411905fa15759d8189aa505b38d1a45a64df855fb22a0b5ef4f630669e7c4c6
Instruction ID: e7d12a921ced41967c90f203bd4a09aa738645868558f8f3c4b373cb25d0372d
Opcode Fuzzy Hash: 8411905fa15759d8189aa505b38d1a45a64df855fb22a0b5ef4f630669e7c4c6
Instruction Fuzzy Hash: FCF02D35505D8027C25637BB7C2EE1E165DBFD27A4F354028F629D31D2EF3488014120

Function 00248A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 001C9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 001C9693
Part of subcall function 001C9639: SelectObject.GDI32(?,00000000), ref: 001C96A2
Part of subcall function 001C9639: BeginPath.GDI32(?), ref: 001C96B9
Part of subcall function 001C9639: SelectObject.GDI32(?,00000000), ref: 001C96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00248A4E
LineTo.GDI32(?,00000003,00000000), ref: 00248A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00248A70
LineTo.GDI32(?,00000000,00000003), ref: 00248A80
EndPath.GDI32(?), ref: 00248A90
StrokePath.GDI32(?), ref: 00248AA0

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 9e7c0af503ed4558ccf462b55f4a9fc81f0a836be042d8de4fe81d3c1998dc51
Instruction ID: 70b34d3b688d63a59165080b8d25de603c5ab0ad3defcf5d63ada91d91e89531
Opcode Fuzzy Hash: 9e7c0af503ed4558ccf462b55f4a9fc81f0a836be042d8de4fe81d3c1998dc51
Instruction Fuzzy Hash: 3D11097A001159FFDB129F94EC88EAA7F6CEB09350F148012FA199A1A1C7719D65DBA0

Function 002151FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00215218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00215229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00215230
ReleaseDC.USER32(00000000,00000000), ref: 00215238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0021524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00215261

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: a8319687082e52f593faf51cdbfb2aad60612efee3313aba4c3eb7f15525e54d
Instruction ID: d690895251d068554ea4edc9a6a088edb44703a545067fa094f5296702ea860c
Opcode Fuzzy Hash: a8319687082e52f593faf51cdbfb2aad60612efee3313aba4c3eb7f15525e54d
Instruction Fuzzy Hash: 0A018F75A01719BBEB109FA99C49A4EBFB8EB89351F144065FE08A7291D6709C10CFA0

Function 001B1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 001B1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 001B1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 001B1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 001B1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 001B1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 001B1C22

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 5c7c12a4234de8f87ae09045b017078f02e947e530ddf276ce95ee9da8048cf5
Instruction ID: 386572366797130e2ada894bc9a7107854f0fbf59b095bea6f424ecbaf4d79b0
Opcode Fuzzy Hash: 5c7c12a4234de8f87ae09045b017078f02e947e530ddf276ce95ee9da8048cf5
Instruction Fuzzy Hash: 120167B0902B5ABDE3008F6A8C85B52FFA8FF59354F00411BA15C4BA42C7F5A864CFE5

Function 0021EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0021EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0021EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0021EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0021EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0021EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0021EB75

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 83f8bb6c1ef1b2c019ebc8e61e9faa521029f5ff26deb801a50f0b43a3a2576e
Instruction ID: b8dd0ff62fc04eb7728950c06fcf76fa5212fa5769377f67a01a3d2691a903c0
Opcode Fuzzy Hash: 83f8bb6c1ef1b2c019ebc8e61e9faa521029f5ff26deb801a50f0b43a3a2576e
Instruction Fuzzy Hash: 02F09ABA202158BBE7205B66AC0EEEF3E7CEFCBF11F104158FA01D1090D7A01A01C6B4

Function 00207439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00207452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00207469
GetWindowDC.USER32(?), ref: 00207475
GetPixel.GDI32(00000000,?,?), ref: 00207484
ReleaseDC.USER32(?,00000000), ref: 00207496
GetSysColor.USER32(00000005), ref: 002074B0

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: c0bc03edd1fb736c0cb61ce4792940c158f8ca21c867b01d64f9cb66e7e218fb
Instruction ID: c4b6e59c6f4f533afe0475d51210b8d13f85994a461cd84e85031ddd9d49caa6
Opcode Fuzzy Hash: c0bc03edd1fb736c0cb61ce4792940c158f8ca21c867b01d64f9cb66e7e218fb
Instruction Fuzzy Hash: F9014B35811215EFDB915F68EC0CBAE7BB9FB05311F614164F915A21E2CB312E51AB50

Function 00211874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0021187F
UnloadUserProfile.USERENV(?,?), ref: 0021188B
CloseHandle.KERNEL32(?), ref: 00211894
CloseHandle.KERNEL32(?), ref: 0021189C
GetProcessHeap.KERNEL32(00000000,?), ref: 002118A5
HeapFree.KERNEL32(00000000), ref: 002118AC

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 74ee2759457433044612de62307b5b4841864c8184529134c925b61b85892a97
Instruction ID: a91b97487984a05ceb0f1ad31513717014b5c4686b16f2db27057e573c997ce3
Opcode Fuzzy Hash: 74ee2759457433044612de62307b5b4841864c8184529134c925b61b85892a97
Instruction Fuzzy Hash: 20E0E53A206501BBDB416FA9FD0C90ABF39FF4AB22B208220F22981070CB329420DF50

Function 001BBBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001BBEB3

Strings

D%(D%(, xrefs: 001BBCA5
D%(, xrefs: 001BBDED, 001BBD91, 001BBD1B
D%(, xrefs: 001BBCA2
D%(, xrefs: 001BBE9A

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%($D%($D%($D%(D%(
API String ID: 1385522511-2826432073
Opcode ID: d3ee799876aff52c3f687f17aadd13af5399f430c044a5f676da5bc54b5112cd
Instruction ID: dc6545fd7101b64a7e5b7646d02a2692eda5570ab9fc07475945931f28ef4132
Opcode Fuzzy Hash: d3ee799876aff52c3f687f17aadd13af5399f430c044a5f676da5bc54b5112cd
Instruction Fuzzy Hash: 08915975A0820ACFCB18CF99C0D06EABBF1FF58314F64816AD945AB750D7B5E981CB90

Function 00237B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 001D0242: EnterCriticalSection.KERNEL32(0028070C,00281884,?,?,001C198B,00282518,?,?,?,001B12F9,00000000), ref: 001D024D
Part of subcall function 001D0242: LeaveCriticalSection.KERNEL32(0028070C,?,001C198B,00282518,?,?,?,001B12F9,00000000), ref: 001D028A

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

Part of subcall function 001D00A3: __onexit.LIBCMT ref: 001D00A9

__Init_thread_footer.LIBCMT ref: 00237BFB

Part of subcall function 001D01F8: EnterCriticalSection.KERNEL32(0028070C,?,?,001C8747,00282514), ref: 001D0202
Part of subcall function 001D01F8: LeaveCriticalSection.KERNEL32(0028070C,?,001C8747,00282514), ref: 001D0235

Strings

+T , xrefs: 00237E2E
G, xrefs: 00237C7F
Variable must be of type 'Object'., xrefs: 00237C3A
5, xrefs: 00237C78

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +T $5$G$Variable must be of type 'Object'.
API String ID: 535116098-4255551972
Opcode ID: 4cbef1bb8936b2489b40a2cab8ee9d8927b60986ab36485daed6cffd2a3bf946
Instruction ID: 8d5cce7e34387add40b91ad6e63fa278ef3bc2e2aafe26cd2767739e8781f0d5
Opcode Fuzzy Hash: 4cbef1bb8936b2489b40a2cab8ee9d8927b60986ab36485daed6cffd2a3bf946
Instruction Fuzzy Hash: 52918DB4A24209EFCF24EF94D891DADB7B1FF49300F508059F8069B292DB71AE65CB51

Function 0023AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0023AEA3

Part of subcall function 001B7620: _wcslen.LIBCMT ref: 001B7625

GetProcessId.KERNEL32(00000000), ref: 0023AF38
CloseHandle.KERNEL32(00000000), ref: 0023AF67

Strings

<, xrefs: 0023AE6B
@, xrefs: 0023AE72

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: fcc7b82cfb1967097f630e6ab91ac446d9cd6673c0b902bdaf64f5c64fc34707
Instruction ID: 82d97616ed8071b0cf471b94b961342874a68d330dc709b6ebc64b9e4fac96d1
Opcode Fuzzy Hash: fcc7b82cfb1967097f630e6ab91ac446d9cd6673c0b902bdaf64f5c64fc34707
Instruction Fuzzy Hash: CC71ACB4A00219DFCB14DF58D485A9EBBF0FF18314F0484A9E856AB7A2CB75ED41CB91

Function 0021719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00217206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0021723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0021724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 002172CF

Strings

DllGetClassObject, xrefs: 00217242

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: ace7e68b856efb751e856b5da9d7d20d2cccb2ee643a0a2a524563851fe9b916
Instruction ID: def1771920c2a02eb99446ed9dc8104dbeece9b00fdd7e9f91a2c89da9812030
Opcode Fuzzy Hash: ace7e68b856efb751e856b5da9d7d20d2cccb2ee643a0a2a524563851fe9b916
Instruction Fuzzy Hash: 5B418171614204EFDB15CF54C884ADA7BF9EF99310F2480A9BD099F20AD7B1D995CBA0

Function 0021C27D Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0021C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0021C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00281990,`L), ref: 0021C395

Strings

0, xrefs: 0021C2DF
`L, xrefs: 0021C28D

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0$`L
API String ID: 135850232-2515617567
Opcode ID: 1652616519c9ff5d1c5ec30573652923b92a92d2cc11d7e7ac86bc127668c133
Instruction ID: 4d8dac09e9623c5bb6c77b56f80924b90099c10c4c95f70afe47d543afd7a170
Opcode Fuzzy Hash: 1652616519c9ff5d1c5ec30573652923b92a92d2cc11d7e7ac86bc127668c133
Instruction Fuzzy Hash: 004105352543029FD720DF24D884B9ABBE4BFA5310F20866EF861D72D1C730E895CB52

Function 00243D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00243E35
IsMenu.USER32(?), ref: 00243E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00243E92
DrawMenuBar.USER32 ref: 00243EA5

Strings

0, xrefs: 00243D89

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 83fb2974eba1d63c449e79e8bd8aab8f060500b7aab0bed5470053a5f3d3e58a
Instruction ID: f8e04d51fd3426134f357150403b7f4af14d2d0c3363a38411767dc2567afc41
Opcode Fuzzy Hash: 83fb2974eba1d63c449e79e8bd8aab8f060500b7aab0bed5470053a5f3d3e58a
Instruction Fuzzy Hash: 52416B75A2220AEFDB14DF54E884EEABBB9FF49350F044029F915A7250D730AE65CF50

Function 00211DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

Part of subcall function 00213CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00213CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00211E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00211E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00211EA9

Part of subcall function 001B6B57: _wcslen.LIBCMT ref: 001B6B6A

Strings

ListBox, xrefs: 00211E25
ComboBox, xrefs: 00211DF0

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 58497cc0390697dd956c4bd7c0b1dfc59d5e8ad387b9078ee7eb81cd3e49722b
Instruction ID: 7acabe07080e35f77c4572cbf96e793b01f4d98bd7d0b88c5f02fd96ab7eb855
Opcode Fuzzy Hash: 58497cc0390697dd956c4bd7c0b1dfc59d5e8ad387b9078ee7eb81cd3e49722b
Instruction Fuzzy Hash: 25216871A10108BFDB18AFA4DC45CFFB7F9DF72350B108119F926A71E1DB74496A9A20

Function 00242F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00242F8D
LoadLibraryW.KERNEL32(?), ref: 00242F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00242FA9
DestroyWindow.USER32(?), ref: 00242FB1

Strings

SysAnimate32, xrefs: 00242F68

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 25ca1ae248fe7852bd617c96926264bd8fe668c107a0d55d0f85a050fd889819
Instruction ID: efa7150cad419fc60afeec0259e1d280738e646da4b02efdfc2bdd326761acb1
Opcode Fuzzy Hash: 25ca1ae248fe7852bd617c96926264bd8fe668c107a0d55d0f85a050fd889819
Instruction Fuzzy Hash: DD21F071220206EBEB144F66DC84EBB37BDEB59364F924218F910D6490C371DC699760

Function 001D4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,001D4D1E,001E28E9,?,001D4CBE,001E28E9,002788B8,0000000C,001D4E15,001E28E9,00000002), ref: 001D4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 001D4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,001D4D1E,001E28E9,?,001D4CBE,001E28E9,002788B8,0000000C,001D4E15,001E28E9,00000002,00000000), ref: 001D4DC3

Strings

mscoree.dll, xrefs: 001D4D86
CorExitProcess, xrefs: 001D4D98

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b4f624c1876fc20204c9b74d4a3f2ef0d27cd05e3563bc30f295b8fcdff618cb
Instruction ID: 2d2d5dc15d4ce2b25098db4d5897aedaa1165d51df6ff8629cdea991a8027e9a
Opcode Fuzzy Hash: b4f624c1876fc20204c9b74d4a3f2ef0d27cd05e3563bc30f295b8fcdff618cb
Instruction Fuzzy Hash: 22F0C234A01208BBDB159F94EC4DBADBFB5EF09712F1000A9FC09A2260CB305E40CF94

Function 0020D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0020D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0020D3BF
FreeLibrary.KERNEL32(00000000), ref: 0020D3E5

Strings

X64, xrefs: 0020D2A8
GetSystemWow64DirectoryW, xrefs: 0020D3B9

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 973e256d03a2dd8907cbe9494a85a9d0a4ad97a3cd98bcaac67ea974cc36c2e9
Instruction ID: d7c53018a172517d75603c45464b314ab198bb219e8147094b1b60c70f17e64c
Opcode Fuzzy Hash: 973e256d03a2dd8907cbe9494a85a9d0a4ad97a3cd98bcaac67ea974cc36c2e9
Instruction Fuzzy Hash: 9EF05C75837712EFD3741B544C08A5977149F11B01B608498F809E10C7CB60CD708F92

Function 001B4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,001B4EDD,?,00281418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001B4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 001B4EAE
FreeLibrary.KERNEL32(00000000,?,?,001B4EDD,?,00281418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001B4EC0

Strings

kernel32.dll, xrefs: 001B4E94
Wow64DisableWow64FsRedirection, xrefs: 001B4EA8

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 5d578596dcf16c3af1360bdbbbe8111a8f200711825f76b080b4c515d1b5b43d
Instruction ID: b7353fa0f44b724795551e306449c710e54f4439f6673d6d59ca9229edd6b4aa
Opcode Fuzzy Hash: 5d578596dcf16c3af1360bdbbbe8111a8f200711825f76b080b4c515d1b5b43d
Instruction Fuzzy Hash: D4E0CD39A035225BD271172D7C1CB9F6554AF83F627154115FC0CD2102DB64CD0185B5

Function 001B4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,001F3CDE,?,00281418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001B4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 001B4E74
FreeLibrary.KERNEL32(00000000,?,?,001F3CDE,?,00281418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001B4E87

Strings

kernel32.dll, xrefs: 001B4E5B
Wow64RevertWow64FsRedirection, xrefs: 001B4E6E

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: cd0f84a3f55cda69f62c803d196df1c26ff3326c2fe46d9b438ac67c0a2f794e
Instruction ID: 2453c485c2ea7e377950fcb2ecc703875223454d6fefe298852b7e9528d980f0
Opcode Fuzzy Hash: cd0f84a3f55cda69f62c803d196df1c26ff3326c2fe46d9b438ac67c0a2f794e
Instruction Fuzzy Hash: 28D0C239503A215766621B287C0CDCB6B18AF87B113158110F80CA2111CF24CD01C5E0

Function 00222947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00222C05
DeleteFileW.KERNEL32(?), ref: 00222C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00222C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00222CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00222CC0

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 84c034e067998025f5c29374b42573668651d7cc11f525da18a017a671a6b345
Instruction ID: 482107fc7244db54da9f89fd4397a97cb9ec47ca950ce7a04bc0c1cafed37085
Opcode Fuzzy Hash: 84c034e067998025f5c29374b42573668651d7cc11f525da18a017a671a6b345
Instruction Fuzzy Hash: 4AB16D72910129BBDF21EFE4DC85EDEB7BDEF19300F1040A6F509A6241EB719A588F61

Function 0023A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0023A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0023A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0023A468
CloseHandle.KERNEL32(?), ref: 0023A63D

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 95f03030b3e16867489030ab36bfa7671daa0eedea34b759219f9363c6acc55b
Instruction ID: 3419bba67904b5b7e2177cb9f7e644e6aabf3ff7bfc2bedc4fcbbe2af19b7d7d
Opcode Fuzzy Hash: 95f03030b3e16867489030ab36bfa7671daa0eedea34b759219f9363c6acc55b
Instruction Fuzzy Hash: 7FA1C2B16043019FD720DF28D886F2AB7E5AF94714F14885CF59A9B3D2DBB0EC408B92

Function 001EBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00253700), ref: 001EBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0028121C,000000FF,00000000,0000003F,00000000,?,?), ref: 001EBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00281270,000000FF,?,0000003F,00000000,?), ref: 001EBC36
_free.LIBCMT ref: 001EBB7F

Part of subcall function 001E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001ED7D1,00000000,00000000,00000000,00000000,?,001ED7F8,00000000,00000007,00000000,?,001EDBF5,00000000), ref: 001E29DE
Part of subcall function 001E29C8: GetLastError.KERNEL32(00000000,?,001ED7D1,00000000,00000000,00000000,00000000,?,001ED7F8,00000000,00000007,00000000,?,001EDBF5,00000000,00000000), ref: 001E29F0

_free.LIBCMT ref: 001EBD4B

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 7961a09b339fc086a0721a8dcd203551972d67dac61961165ead64764f3809ba
Instruction ID: cd7deac7d500747492aca34b8a756fab330c31686112844fb9e3e2c945d88f19
Opcode Fuzzy Hash: 7961a09b339fc086a0721a8dcd203551972d67dac61961165ead64764f3809ba
Instruction Fuzzy Hash: F0514975808659AFCB10EF76ACC59AFB7BCFF44320F20026AE414D3195EB309E418B90

Function 0021E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0021DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0021CF22,?), ref: 0021DDFD

Part of subcall function 0021DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0021CF22,?), ref: 0021DE16

Part of subcall function 0021E199: GetFileAttributesW.KERNEL32(?,0021CF95), ref: 0021E19A

lstrcmpiW.KERNEL32(?,?), ref: 0021E473
MoveFileW.KERNEL32(?,?), ref: 0021E4AC
_wcslen.LIBCMT ref: 0021E5EB
_wcslen.LIBCMT ref: 0021E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0021E650

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: fd069f089fce8edff063ba60d9569224cc942dd4cb27deb02485cfb23fbb153f
Instruction ID: 56f5b47b4afa2bfb830ecfcd1975f520c6ad67f13bf771eb8510925642d2c90e
Opcode Fuzzy Hash: fd069f089fce8edff063ba60d9569224cc942dd4cb27deb02485cfb23fbb153f
Instruction Fuzzy Hash: AA5183B24083859BCB24DF94DC819DB73ECAFA5340F10491EFA89D3151EF74A5988B66

Function 0023B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

Part of subcall function 0023C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0023B6AE,?,?), ref: 0023C9B5
Part of subcall function 0023C998: _wcslen.LIBCMT ref: 0023C9F1
Part of subcall function 0023C998: _wcslen.LIBCMT ref: 0023CA68
Part of subcall function 0023C998: _wcslen.LIBCMT ref: 0023CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0023BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0023BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0023BB63
RegCloseKey.ADVAPI32(?,?), ref: 0023BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0023BBB3

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: ed6b3f3c8cc9384cd6c7f3de365d7248c52492b210142836d9a4fe08e78d03b1
Instruction ID: c2c0509aeb9cf67f1958912b1829da16a3e9b3939a4f6b218c7ab6ca4e3d82a2
Opcode Fuzzy Hash: ed6b3f3c8cc9384cd6c7f3de365d7248c52492b210142836d9a4fe08e78d03b1
Instruction Fuzzy Hash: 5F61C071218201AFC315DF24C490E6ABBE5FF84308F54899DF5998B2A2CB31ED46CB92

Function 00218BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00218BCD
VariantClear.OLEAUT32 ref: 00218C3E
VariantClear.OLEAUT32 ref: 00218C9D
VariantClear.OLEAUT32(?), ref: 00218D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00218D3B

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: accd32d5603fd000b861936f19152746e90aed49f1826266dcf96d94a6374f48
Instruction ID: 28aa18d3cd409f9fb8542e15e456d3e82786bef9c9e04d638d67f990195e9d98
Opcode Fuzzy Hash: accd32d5603fd000b861936f19152746e90aed49f1826266dcf96d94a6374f48
Instruction Fuzzy Hash: D3518AB5A10619EFCB14CF68D884AAAB7F8FF99310B118569F905DB350E730E911CF90

Function 00228AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00228BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00228BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00228C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00228C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00228C5F

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: df303f6e328a93b7dbab9c706a35218584ff49855753eb220523464edb93a178
Instruction ID: 60efa0e5530be04df03619a7dcb9f099fa1ce4e6626c16b3865edeea55b19326
Opcode Fuzzy Hash: df303f6e328a93b7dbab9c706a35218584ff49855753eb220523464edb93a178
Instruction Fuzzy Hash: DA516C35A00215AFCB15DF65D881EADBBF5FF59314F088059E849AB3A2CB31ED51CBA0

Function 00238EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00238F40
GetProcAddress.KERNEL32(00000000,?), ref: 00238FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00238FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00239032
FreeLibrary.KERNEL32(00000000), ref: 00239052

Part of subcall function 001CF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00221043,?,7644E610), ref: 001CF6E6
Part of subcall function 001CF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0020FA64,00000000,00000000,?,?,00221043,?,7644E610,?,0020FA64), ref: 001CF70D

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: fe3571365a71e5d6b5cb72362a0719141c1b6b13bc16a1f2f5ce1e7f9a56df21
Instruction ID: 6dcf4cf17a6af691b376cd857b4262b21bbfa891a80e45b9ac334a3bc24fd098
Opcode Fuzzy Hash: fe3571365a71e5d6b5cb72362a0719141c1b6b13bc16a1f2f5ce1e7f9a56df21
Instruction Fuzzy Hash: 08514874605205DFCB14DF68C4848ADBBB1FF59314F1480A8E80A9B762DB71ED86CB90

Function 00246B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00246C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00246C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00246C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0022AB79,00000000,00000000), ref: 00246C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00246CC7

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 2f7cd2c42b0cab58088b81777cd1a27ccc899be0f64628524505fd265997f441
Instruction ID: b27398e79ffef281ef291057ee7a3f9d14a96311514f419e21e6635f72edbbb5
Opcode Fuzzy Hash: 2f7cd2c42b0cab58088b81777cd1a27ccc899be0f64628524505fd265997f441
Instruction Fuzzy Hash: 2141D735A24105AFD72CCF68DC9CFA97BA9EB0B350F150269F895A72E0C371ED61CA41

Function 001E2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001E20C3
_free.LIBCMT ref: 001E20E3

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 9ae3fa5d31c192fc5a5486828d44fe36f6784c8171da842b80f2370f316949af
Instruction ID: 1398f736ee460d196fde8d5a16a67ad3d9511ebfb412636026f713ba9fe2974f
Opcode Fuzzy Hash: 9ae3fa5d31c192fc5a5486828d44fe36f6784c8171da842b80f2370f316949af
Instruction Fuzzy Hash: 0B41E232A006009FCB24DF79C891A9DB3E9EF99314F26456DE515EB392D731EE01CB80

Function 001C912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 001C9141
ScreenToClient.USER32(00000000,?), ref: 001C915E
GetAsyncKeyState.USER32(00000001), ref: 001C9183
GetAsyncKeyState.USER32(00000002), ref: 001C919D

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 2fe1b61018c9bf7e217b0bb872e582f8f756d8c138fab6fe56e6d671e0c94fb2
Instruction ID: a82aaab5a1738aaa6be66b2988d291a308b19cb4fcf135b65006266d6a313bc6
Opcode Fuzzy Hash: 2fe1b61018c9bf7e217b0bb872e582f8f756d8c138fab6fe56e6d671e0c94fb2
Instruction Fuzzy Hash: 34415131A0860BEBDF199F64C849BEEF775FB15330F244219E429A22D1C770A964CF91

Function 00223874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 002238CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00223922
TranslateMessage.USER32(?), ref: 0022394B
DispatchMessageW.USER32(?), ref: 00223955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00223966

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 4c5f0a0f9e2d6d7f6e075e94d5a2001b432ee89899adbea705ab8809a8571089
Instruction ID: b640538b95479d0cd4dafa945cb79b27e8ca1de7937e175c5f43caca1857be78
Opcode Fuzzy Hash: 4c5f0a0f9e2d6d7f6e075e94d5a2001b432ee89899adbea705ab8809a8571089
Instruction Fuzzy Hash: 4131B574925362FEEB25CFB4B84DBB637A8AB06300F140569E452961E0E3FC96E5CB11

Function 0022CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0022C21E,00000000), ref: 0022CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0022CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0022C21E,00000000), ref: 0022CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0022C21E,00000000), ref: 0022CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0022C21E,00000000), ref: 0022CFF2

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 9f9b5ce60adacbd117546839224b0703bd154fadac3f0e50375c20a4ed9a983e
Instruction ID: 4c7ddc64ac2ef28e9cd67fd59923f20faf046258c7addf168ca538d40a42d2e9
Opcode Fuzzy Hash: 9f9b5ce60adacbd117546839224b0703bd154fadac3f0e50375c20a4ed9a983e
Instruction Fuzzy Hash: 95318B71510216FFDB20DFE9E984AAEBBF9EB14350B20402EF506D2550DB70EE519B60

Function 00211901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00211915
PostMessageW.USER32(00000001,00000201,00000001), ref: 002119C1
Sleep.KERNEL32(00000000,?,?,?), ref: 002119C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 002119DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 002119E2

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: fc31c6fac8d6b6479b1791bd637f66cef6c11f80f520c23fc3ef62ce6d4b5f3f
Instruction ID: 0f0baf0fc577348baf8124a22b25f203852d8a95d44c40a14f06082e2a3631f0
Opcode Fuzzy Hash: fc31c6fac8d6b6479b1791bd637f66cef6c11f80f520c23fc3ef62ce6d4b5f3f
Instruction Fuzzy Hash: BB31E27191021AEFCB04CFACDD9DADE3BB5EB55314F108225FA25A72D0C37099A4CB90

Function 00245706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00245745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0024579D
_wcslen.LIBCMT ref: 002457AF
_wcslen.LIBCMT ref: 002457BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00245816

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 5d88ae40eab6f800645eaf0b2e1127ea0927f03f85c6e663ea3629b0eb1e4459
Instruction ID: 445eb5753e8f4233906373572e1617a56e3be470f31ea7f5fac2e15771077f16
Opcode Fuzzy Hash: 5d88ae40eab6f800645eaf0b2e1127ea0927f03f85c6e663ea3629b0eb1e4459
Instruction Fuzzy Hash: E721D5749246289BDB248F64CC85AEDB7BCFF05324F108216F969EA1C1D7708995CF50

Function 00230930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00230951
GetForegroundWindow.USER32 ref: 00230968
GetDC.USER32(00000000), ref: 002309A4
GetPixel.GDI32(00000000,?,00000003), ref: 002309B0
ReleaseDC.USER32(00000000,00000003), ref: 002309E8

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 9a27e9143e19d6c0d28734003911400eba7e692c5ed74c32778801a011a1a826
Instruction ID: 2d47ddb32deea60f46b26b4bcd5508c6cf43aca1a71f4c3fe69d509fdd6a062d
Opcode Fuzzy Hash: 9a27e9143e19d6c0d28734003911400eba7e692c5ed74c32778801a011a1a826
Instruction Fuzzy Hash: 9A21A479600214AFD714EFA8E888AAEB7F9EF45700F158068F84A97762CB70AD04CB50

Function 001ECDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 001ECDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001ECDE9

Part of subcall function 001E3820: RtlAllocateHeap.NTDLL(00000000,?,00281444,?,001CFDF5,?,?,001BA976,00000010,00281440,001B13FC,?,001B13C6,?,001B1129), ref: 001E3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 001ECE0F
_free.LIBCMT ref: 001ECE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 001ECE31

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 99ab800f0947addf9becf83ae1c668f97d1be533b4fb159ab7fe5b746728026c
Instruction ID: 0e532a76624708e26e67a26bd105dbb1c91e49b34bd2374f9b45c4535822bd0d
Opcode Fuzzy Hash: 99ab800f0947addf9becf83ae1c668f97d1be533b4fb159ab7fe5b746728026c
Instruction Fuzzy Hash: 2D018476602A957F23251ABB7C8DD7F6D6DEEC7FA13250129F909D7201EB618D0281F0

Function 001C9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 001C9693
SelectObject.GDI32(?,00000000), ref: 001C96A2
BeginPath.GDI32(?), ref: 001C96B9
SelectObject.GDI32(?,00000000), ref: 001C96E2

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: c8dd110abf90501ac821e970ae0ada29e0d30c5c8b1d980516654f32168c32fc
Instruction ID: 8daa4436f9598f4b58d808128f1e387266f0b38a6a05d266d7b59d8b9c00e34a
Opcode Fuzzy Hash: c8dd110abf90501ac821e970ae0ada29e0d30c5c8b1d980516654f32168c32fc
Instruction Fuzzy Hash: 26218E38803355EBDB119F68FC0CBA93BA8BB21325F20061AF414A61F1D37098A2CF94

Function 00215711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00215726
_memcmp.LIBVCRUNTIME ref: 00215744
_memcmp.LIBVCRUNTIME ref: 00215757
_memcmp.LIBVCRUNTIME ref: 0021576F
_memcmp.LIBVCRUNTIME ref: 00215787

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 071917a880a310869dfce56137d8662d70fa1b4731ffe71ab0d587a3b7a3ba78
Instruction ID: c4c59fe808cfe758d9b634dd227e719fa32c7bafac43d136f0ea561b4337e740
Opcode Fuzzy Hash: 071917a880a310869dfce56137d8662d70fa1b4731ffe71ab0d587a3b7a3ba78
Instruction Fuzzy Hash: 9C0196656A1615FAD24899109E83FFBB3DDABB63A4B004062FD049A281F760ED7186A0

Function 001E2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,001DF2DE,001E3863,00281444,?,001CFDF5,?,?,001BA976,00000010,00281440,001B13FC,?,001B13C6), ref: 001E2DFD
_free.LIBCMT ref: 001E2E32
_free.LIBCMT ref: 001E2E59
SetLastError.KERNEL32(00000000,001B1129), ref: 001E2E66
SetLastError.KERNEL32(00000000,001B1129), ref: 001E2E6F

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: b508067df1919a734c867532535f4a7af1b0afd1527749bf231182e698439c62
Instruction ID: 650fc22bf56aa1f4bd8df5e5eda42148907c1e0f01bf8f749b778eb2fcc2b1ac
Opcode Fuzzy Hash: b508067df1919a734c867532535f4a7af1b0afd1527749bf231182e698439c62
Instruction Fuzzy Hash: A5012836206EA067C626677B7C5ED2F2A5DABE27B5B324038F425A32D3EF748C014120

Function 0021000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0020FF41,80070057,?,?,?,0021035E), ref: 0021002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0020FF41,80070057,?,?), ref: 00210046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0020FF41,80070057,?,?), ref: 00210054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0020FF41,80070057,?), ref: 00210064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0020FF41,80070057,?,?), ref: 00210070

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 51e69050b75a95bbde679337ed56578efcf3b17a4bc15b743423302df46d9204
Instruction ID: 4e18cd1c2a4099d6d95a7e18212b92ec380a4250c2ab430665e0b7ef69813d9a
Opcode Fuzzy Hash: 51e69050b75a95bbde679337ed56578efcf3b17a4bc15b743423302df46d9204
Instruction Fuzzy Hash: 3B01F27A611214BFDB114F68EC88BEA7AEDEF58791F204024F801D2210E7B1DED08BA0

Function 0021E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0021E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0021E9A5
Sleep.KERNEL32(00000000), ref: 0021E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0021E9B7
Sleep.KERNEL32 ref: 0021E9F3

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: ca4ec96d4a712a808a97832d7fae786d740e46794cd046fa56291d81c3c7f896
Instruction ID: 2ebaecd07f716fab53f0e78d4bf60600a72ef6aa35895f6ba68015c5ac31151d
Opcode Fuzzy Hash: ca4ec96d4a712a808a97832d7fae786d740e46794cd046fa56291d81c3c7f896
Instruction Fuzzy Hash: 9D015B35C1252DDBCF409FE8EC4DAEDBBB8BB19700F110556E906B2140DB7095A087A2

Function 002110F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00211114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00210B9B,?,?,?), ref: 00211120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00210B9B,?,?,?), ref: 0021112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00210B9B,?,?,?), ref: 00211136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0021114D

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: c8ba3ba9a336d8f648c280b60d83aeac8451e144cdbe96e1dd2a1c6b77df5c2d
Instruction ID: 8afbd939a2b9012f8f065d2ff5f5249b651c220fe20737bbf4ee8d6b17368ed9
Opcode Fuzzy Hash: c8ba3ba9a336d8f648c280b60d83aeac8451e144cdbe96e1dd2a1c6b77df5c2d
Instruction Fuzzy Hash: 4D018179101605BFDB514FA9EC4DEAA7FAEEF86364B200424FA49C3360DB31DC508E60

Function 00210FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00210FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00210FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00210FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00210FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00211002

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 81c2f7794f4fab072f17835341495b0ce7994a39f4ec8d8f2eed940401713951
Instruction ID: 2852ec81b4c5426b3a5b76f610cf0bd321cb4e936eb43d9a804080a8b7855944
Opcode Fuzzy Hash: 81c2f7794f4fab072f17835341495b0ce7994a39f4ec8d8f2eed940401713951
Instruction Fuzzy Hash: ECF06239602311EBD7215FA8EC4DF963FADEF8A761F204414FE49C7251CA70DC908A60

Function 00211014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0021102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00211036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00211045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0021104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00211062

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: fc4b0f89a2362747434dfd93171517e4da80f0e1e16bffba1dd19ce11c8ed527
Instruction ID: 11a56e02865507b9db3e652d26dc9402b515fed783d271c10546e564c8373468
Opcode Fuzzy Hash: fc4b0f89a2362747434dfd93171517e4da80f0e1e16bffba1dd19ce11c8ed527
Instruction Fuzzy Hash: 47F06239602311EBD7215FA9EC4DF963FADEF8A761F200414FE49C7250CA70D890CA60

Function 0022030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0022017D,?,002232FC,?,00000001,001F2592,?), ref: 00220324
CloseHandle.KERNEL32(?,?,?,?,0022017D,?,002232FC,?,00000001,001F2592,?), ref: 00220331
CloseHandle.KERNEL32(?,?,?,?,0022017D,?,002232FC,?,00000001,001F2592,?), ref: 0022033E
CloseHandle.KERNEL32(?,?,?,?,0022017D,?,002232FC,?,00000001,001F2592,?), ref: 0022034B
CloseHandle.KERNEL32(?,?,?,?,0022017D,?,002232FC,?,00000001,001F2592,?), ref: 00220358
CloseHandle.KERNEL32(?,?,?,?,0022017D,?,002232FC,?,00000001,001F2592,?), ref: 00220365

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 3ebdaefee82bd5b5337d053a793c81467dc09c1fe741ed022cf3a64b8bfe999d
Instruction ID: 2f96db6bd507077138163f383ecd8a33bae45bdfd25766a8a0d2e390f9821aa8
Opcode Fuzzy Hash: 3ebdaefee82bd5b5337d053a793c81467dc09c1fe741ed022cf3a64b8bfe999d
Instruction Fuzzy Hash: 3001A272811B26AFC730AFA6E8C0416FBF5BF503153158A7FD19652932C3B1A964CF80

Function 001ED73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001ED752

Part of subcall function 001E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001ED7D1,00000000,00000000,00000000,00000000,?,001ED7F8,00000000,00000007,00000000,?,001EDBF5,00000000), ref: 001E29DE
Part of subcall function 001E29C8: GetLastError.KERNEL32(00000000,?,001ED7D1,00000000,00000000,00000000,00000000,?,001ED7F8,00000000,00000007,00000000,?,001EDBF5,00000000,00000000), ref: 001E29F0

_free.LIBCMT ref: 001ED764
_free.LIBCMT ref: 001ED776
_free.LIBCMT ref: 001ED788
_free.LIBCMT ref: 001ED79A

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f296488ac5aaad2757863b686af0049cd335249675e55509fe5f341e9c823072
Instruction ID: cc7878053bd095be1262853dcdecf9e983e44a5cd96d0877d45de549a46b7283
Opcode Fuzzy Hash: f296488ac5aaad2757863b686af0049cd335249675e55509fe5f341e9c823072
Instruction Fuzzy Hash: 94F09632900A98AB8625EB76F9C7C1E77DDBB04318BA51C09F04CE7502C734FCC08661

Function 00215C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00215C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00215C6F
MessageBeep.USER32(00000000), ref: 00215C87
KillTimer.USER32(?,0000040A), ref: 00215CA3
EndDialog.USER32(?,00000001), ref: 00215CBD

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: be1dfd4c5123aaf125f3ea24dae3ba7fe65b2880456802c1f7b1203fb8a7829b
Instruction ID: afad14b6eb0b356ac206a1ab19b6905a75fa97f178230950ca6756eec598fdb7
Opcode Fuzzy Hash: be1dfd4c5123aaf125f3ea24dae3ba7fe65b2880456802c1f7b1203fb8a7829b
Instruction Fuzzy Hash: A401D634511B14EBEB215F14ED4EFE677FCBB51B01F0001AAB683A10E0DBF4A9948A90

Function 001E22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001E22BE

Part of subcall function 001E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001ED7D1,00000000,00000000,00000000,00000000,?,001ED7F8,00000000,00000007,00000000,?,001EDBF5,00000000), ref: 001E29DE
Part of subcall function 001E29C8: GetLastError.KERNEL32(00000000,?,001ED7D1,00000000,00000000,00000000,00000000,?,001ED7F8,00000000,00000007,00000000,?,001EDBF5,00000000,00000000), ref: 001E29F0

_free.LIBCMT ref: 001E22D0
_free.LIBCMT ref: 001E22E3
_free.LIBCMT ref: 001E22F4
_free.LIBCMT ref: 001E2305

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e3b13d72bda0825a5d8ed87bf08640dba8c54c163ad0e0d546c4fee59286ecfb
Instruction ID: d6ca8b38e9bb9037032bab62aacad6769b57dcdf5d79695158cdd3a3c6d84a87
Opcode Fuzzy Hash: e3b13d72bda0825a5d8ed87bf08640dba8c54c163ad0e0d546c4fee59286ecfb
Instruction Fuzzy Hash: 85F054B94029748B8627AF65BC5A80C3B6CF738760711550AF518D72B6CB3404629FE5

Function 001C95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 001C95D4
StrokeAndFillPath.GDI32(?,?,002071F7,00000000,?,?,?), ref: 001C95F0
SelectObject.GDI32(?,00000000), ref: 001C9603
DeleteObject.GDI32 ref: 001C9616
StrokePath.GDI32(?), ref: 001C9631

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 87420341f67da84129aa82e6486b78f8eafffe2ed75022c8b9ebc63be7d8cfb2
Instruction ID: 041165ffe2e7b377dc57035ace0d26b2e48464c2cc4b38a1bdb8cc41f46c35ed
Opcode Fuzzy Hash: 87420341f67da84129aa82e6486b78f8eafffe2ed75022c8b9ebc63be7d8cfb2
Instruction Fuzzy Hash: B3F04938007688EBDB265F69FD1CB683F69BB12322F148218F429550F2C73089A6DF20

Function 001E0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 001E10F9
__freea.LIBCMT ref: 001E1117

Part of subcall function 001E1537: _free.LIBCMT ref: 001E154F

Strings

a/p, xrefs: 001E11DE
am/pm, xrefs: 001E117A

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 9e284516305cc23f24336508740e507838964853d476cf193ca3c16be52e48e6
Instruction ID: 8d21ac3afbd2f09bd5225618bf5d820a66e592acec64acb4ae79dc46eb170715
Opcode Fuzzy Hash: 9e284516305cc23f24336508740e507838964853d476cf193ca3c16be52e48e6
Instruction Fuzzy Hash: CBD13871900AC6FBCB289F6AC845BFEB7B1FF05710F290159EA01AB654D3759D80CB91

Function 002361D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 001D0242: EnterCriticalSection.KERNEL32(0028070C,00281884,?,?,001C198B,00282518,?,?,?,001B12F9,00000000), ref: 001D024D
Part of subcall function 001D0242: LeaveCriticalSection.KERNEL32(0028070C,?,001C198B,00282518,?,?,?,001B12F9,00000000), ref: 001D028A

Part of subcall function 001D00A3: __onexit.LIBCMT ref: 001D00A9

__Init_thread_footer.LIBCMT ref: 00236238

Part of subcall function 001D01F8: EnterCriticalSection.KERNEL32(0028070C,?,?,001C8747,00282514), ref: 001D0202
Part of subcall function 001D01F8: LeaveCriticalSection.KERNEL32(0028070C,?,001C8747,00282514), ref: 001D0235

Part of subcall function 0022359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 002235E4
Part of subcall function 0022359C: LoadStringW.USER32(00282390,?,00000FFF,?), ref: 0022360A

Strings

x#(, xrefs: 0023633A
x#(, xrefs: 0023636F
x#(, xrefs: 00236353

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#($x#($x#(
API String ID: 1072379062-2662966677
Opcode ID: 189b81a6f43c4caa42e3e2b423d14f794ad20c2c966b82780d699f640bacd1ac
Instruction ID: 6c08e0d3cd7b6e3fe9ac4cd88b05a236058826808b6a3d82e0501cb2e89d4191
Opcode Fuzzy Hash: 189b81a6f43c4caa42e3e2b423d14f794ad20c2c966b82780d699f640bacd1ac
Instruction Fuzzy Hash: 82C191B1A10106AFDB24DF98C894EBEB7B9FF58300F548069FA059B291DB70ED55CB90

Function 00212716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0021B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002121D0,?,?,00000034,00000800,?,00000034), ref: 0021B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00212760

Part of subcall function 0021B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002121FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0021B3F8

Part of subcall function 0021B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0021B355
Part of subcall function 0021B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00212194,00000034,?,?,00001004,00000000,00000000), ref: 0021B365
Part of subcall function 0021B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00212194,00000034,?,?,00001004,00000000,00000000), ref: 0021B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002127CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0021281A

Strings

@, xrefs: 00212832

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 33f9cba79aebdbde4b94a382b7801635b3ec3c6f01055f0b346ae20599f98b58
Instruction ID: af1217ee90a4dd57993368d32725668dd1cdeeb8b3c268d513a9c986851cf8f1
Opcode Fuzzy Hash: 33f9cba79aebdbde4b94a382b7801635b3ec3c6f01055f0b346ae20599f98b58
Instruction Fuzzy Hash: 84413D76900218AFDB15DFA4CD85ADEBBB8AF15300F108095FA55B7181DB706E99CB60

Function 001E172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 001E1769
_free.LIBCMT ref: 001E1834
_free.LIBCMT ref: 001E183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 001E1760, 001E1767, 001E1796, 001E17CE

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-3695852857
Opcode ID: dd84217eaad9d7fc48cf5a7faaec4934cbf1b1c41380f5ffc8f6e47dc4a5ac6e
Instruction ID: 7eb12facd3046c36f18d5ddccad06fa7de1bc4753dd7361cdbc0aafd7b0139f4
Opcode Fuzzy Hash: dd84217eaad9d7fc48cf5a7faaec4934cbf1b1c41380f5ffc8f6e47dc4a5ac6e
Instruction Fuzzy Hash: 5F31AD75E00698BBDB21DB9A9C85D9EBBFCEB95710B1041AAF80497251D7708E41CBA0

Function 00244416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0024CC08,00000000,?,?,?,?), ref: 002444AA
GetWindowLongW.USER32 ref: 002444C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002444D7

Strings

SysTreeView32, xrefs: 0024447C

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 10d9c015c29dc3371ddcab64933b50905587bfc879849507bd4d30422a0c20bd
Instruction ID: b1fa946a6eb5f23ae3d98e16698dc0d78ae5145074afbc4eb2bc07d7924f2ae2
Opcode Fuzzy Hash: 10d9c015c29dc3371ddcab64933b50905587bfc879849507bd4d30422a0c20bd
Instruction Fuzzy Hash: 0531A231220606AFDF24AF38DC45BDA77A9EB19334F204715F979921D0D770EC609B50

Function 00216E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00216EED
VariantCopyInd.OLEAUT32(?,?), ref: 00216F08
VariantClear.OLEAUT32(?), ref: 00216F12

Strings

*j!, xrefs: 00216E8B, 00216E90, 00216EF8

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j!
API String ID: 2173805711-434145623
Opcode ID: 5c12f04603ea371718fa5905fb8815d17ef2d9d82faad891a9360ebf6a968be1
Instruction ID: 6d0cbc5a248b00fcb39342350f6d7927b8397e8f74fe06f4a63f6d0de03ef931
Opcode Fuzzy Hash: 5c12f04603ea371718fa5905fb8815d17ef2d9d82faad891a9360ebf6a968be1
Instruction Fuzzy Hash: F331B371618205DFCB15AFA4E8999FD37B9FFA5300B2004A8F9034B6B1C7B09D62DB90

Function 0023304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0023335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00233077,?,?), ref: 00233378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0023307A
_wcslen.LIBCMT ref: 0023309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00233106

Strings

255.255.255.255, xrefs: 00233095, 0023309A

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 37c7f2205b1f4df1116ad9e8c899703d55d83d9d49faff0d23082bf1e2c1168f
Instruction ID: c58452be27aa32a140eab2000abf6839e7990d6f318c52d1508b0bd62476b558
Opcode Fuzzy Hash: 37c7f2205b1f4df1116ad9e8c899703d55d83d9d49faff0d23082bf1e2c1168f
Instruction Fuzzy Hash: 5431D5B96142069FCB24CF28C585EA977F0EF14318F248059E9158F392DB72DF55CB60

Function 00243EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00243F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00243F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00243F78

Strings

SysMonthCal32, xrefs: 00243F0B

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 7dc399c1afa2a5625f78f9962930ba84282726d0424e931bc75a603911e338c5
Instruction ID: e04c99024f81129089189e50731fc511848c2d97d903cef0ef65713e3677a6ec
Opcode Fuzzy Hash: 7dc399c1afa2a5625f78f9962930ba84282726d0424e931bc75a603911e338c5
Instruction Fuzzy Hash: 1721BF32620219BBDF29CF54DC46FEA3B79EF48714F120214FE196B1D0D6B5A8648B90

Function 00244653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00244705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00244713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0024471A

Strings

msctls_updown32, xrefs: 00244684

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 3fb1037b33dba2fbb3fc94e675f5530d8beb047a5fe3ff86d16416c159397178
Instruction ID: e98dd7ade292568764f96816b9c817cb8ce2f5ff2c108341e7b91ab109620628
Opcode Fuzzy Hash: 3fb1037b33dba2fbb3fc94e675f5530d8beb047a5fe3ff86d16416c159397178
Instruction Fuzzy Hash: 3C218EB5611209AFDB15EF68DC85DA777ADEB5A394B000059FA049B391CB30EC22CB60

Function 002195AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0021961D

Strings

#requireadmin, xrefs: 002195D9
#OnAutoItStartRegister, xrefs: 002195F3
#notrayicon, xrefs: 002195B7

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 0d49c196dbf139cee514464eb6bfe55303dfe48409bb0cd998014c7288bc13a0
Instruction ID: 9082aecd07a259718bcc1af5d9b1666712a241b98efbdf2daae4eeeb7b4d3235
Opcode Fuzzy Hash: 0d49c196dbf139cee514464eb6bfe55303dfe48409bb0cd998014c7288bc13a0
Instruction Fuzzy Hash: D3215E3212415166D331AF249C22FF773DDEFB5300F504026FA4997181EB91ADE2C2E5

Function 002437B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00243840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00243850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00243876

Strings

Listbox, xrefs: 0024380F

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 3c2e54b676caa6eb7639f2d6e2940c81b71896a167de40f5c7060352e71addde
Instruction ID: 36f4009f7866b1fffe29743b6234b81194869c1ec5a73f67e13670dd581d34f6
Opcode Fuzzy Hash: 3c2e54b676caa6eb7639f2d6e2940c81b71896a167de40f5c7060352e71addde
Instruction Fuzzy Hash: AD21BE72620219BBEB25CF54DC85EAB7B6EEF99760F108124F9449B190C671DC628BA0

Function 002249F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00224A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00224A5C
SetErrorMode.KERNEL32(00000000,?,?,0024CC08), ref: 00224AD0

Strings

%lu, xrefs: 00224A6F

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 0679538410de5d39b27792ae43166f7a41725485ca91ae7f1ac77314d674642b
Instruction ID: 8668e3102ae54e82b91b0fbea34c0678229bfdb40f7c69a1b98296000c037faf
Opcode Fuzzy Hash: 0679538410de5d39b27792ae43166f7a41725485ca91ae7f1ac77314d674642b
Instruction Fuzzy Hash: 10318575A00119AFD710DF54D885EAA7BF8EF09304F148099F909DB252D771EE46CB61

Function 002441EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0024424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00244264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00244271

Strings

msctls_trackbar32, xrefs: 00244226

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: a8f6f8ebcf2c28be38f01ccf222170bdf13a9af2b5dbf293f8048abfc84ca6b0
Instruction ID: 7f42da36749c99528b26e3b0cd6027cab047b0b36e9409851ef8482e0f64b861
Opcode Fuzzy Hash: a8f6f8ebcf2c28be38f01ccf222170bdf13a9af2b5dbf293f8048abfc84ca6b0
Instruction Fuzzy Hash: 6B110631250208BEEF24AF29CC06FAB3BACEF95B54F110624FE55E6090D6B1DC219B10

Function 00212F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001B6B57: _wcslen.LIBCMT ref: 001B6B6A

Part of subcall function 00212DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00212DC5
Part of subcall function 00212DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00212DD6
Part of subcall function 00212DA7: GetCurrentThreadId.KERNEL32 ref: 00212DDD
Part of subcall function 00212DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00212DE4

GetFocus.USER32 ref: 00212F78

Part of subcall function 00212DEE: GetParent.USER32(00000000), ref: 00212DF9

GetClassNameW.USER32(?,?,00000100), ref: 00212FC3
EnumChildWindows.USER32(?,0021303B), ref: 00212FEB

Strings

%s%d, xrefs: 00212FFF

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 42b011b8b9d7226f6471827e5636feb7785c86df5d65a3e23dfcbd2af90a8dd0
Instruction ID: 4b5fbb34c167b021e1f1999ca8968bff57901b3a9147c7222f0c59c98a4e55e7
Opcode Fuzzy Hash: 42b011b8b9d7226f6471827e5636feb7785c86df5d65a3e23dfcbd2af90a8dd0
Instruction Fuzzy Hash: 78110275310205ABCF44BF64DC85EEE37AAAFA9304F008079F9099B142DF3099998F30

Function 00245882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002458C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002458EE
DrawMenuBar.USER32(?), ref: 002458FD

Strings

0, xrefs: 0024588F

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: e8fdbe9efec6cf94bba345469ac73592a22aa0399d9c5029f6730522e3d552f5
Instruction ID: 743996ba1e425549ce50345e4596d46df9416ca3ba41efd0c9fbc20f604048c0
Opcode Fuzzy Hash: e8fdbe9efec6cf94bba345469ac73592a22aa0399d9c5029f6730522e3d552f5
Instruction Fuzzy Hash: 3001C031510228EFDB209F11EC48FAEBBB5FF45760F108099E889DA152DB308A90EF60

Function 0021007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 049d8fd83587175f661a462686c96438cece7cb6739f09f677f50df2b9132dc8
Instruction ID: 160dc08fe53587e0f1673dd42095b7eac83f2419a528721a8fda53c8e9bfbd3e
Opcode Fuzzy Hash: 049d8fd83587175f661a462686c96438cece7cb6739f09f677f50df2b9132dc8
Instruction Fuzzy Hash: 4EC15C75A1020AEFDB14CF94C898AAEB7B5FF58304F208598E815EB251D7B1EDD1CB90

Function 001E3E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 001E3F0B
__alldvrm.LIBCMT ref: 001E410C
__alldvrm.LIBCMT ref: 001E412E

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: c535dff05a867f5b7533df5970f6b4203bbaa0acff021f278027878da395843d
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 4FA17772E00BC69FEB25CF1AC8917BEBBE4EF65350F1841ADE5958B281C3349981C751

Function 0023342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00233459
CoUninitialize.OLE32 ref: 00233463
VariantInit.OLEAUT32(?), ref: 0023346E
VariantClear.OLEAUT32(?), ref: 0023371B

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 7fca55e28abf3714fb9b3797f898f9c7544e4ddeee2bd9ead112abe587874846
Instruction ID: 440294e29696ee91340549a8e15f0c37873b52dfb9df069ab323a8873e52ecd2
Opcode Fuzzy Hash: 7fca55e28abf3714fb9b3797f898f9c7544e4ddeee2bd9ead112abe587874846
Instruction Fuzzy Hash: 0CA14AB56143019FC710DF28C586A6AB7E5FF88714F04885DF98A9B3A2DB30EE01CB91

Function 00210436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0024FC08,?), ref: 002105F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0024FC08,?), ref: 00210608
CLSIDFromProgID.OLE32(?,?,00000000,0024CC40,000000FF,?,00000000,00000800,00000000,?,0024FC08,?), ref: 0021062D
_memcmp.LIBVCRUNTIME ref: 0021064E

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: cecd374b207b3bca9823696dc5b15170d5ac44ee13cf5832b4682c1851dd4a39
Instruction ID: b99f3ba9bbb86beca8d8111502a07ddceb08dd22b8b48c1cf1b021225a583421
Opcode Fuzzy Hash: cecd374b207b3bca9823696dc5b15170d5ac44ee13cf5832b4682c1851dd4a39
Instruction Fuzzy Hash: 31813B71A10109EFCB04DF94C984EEEB7F9FF99315F204158E506AB250DB71AE86CB60

Function 0023A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0023A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0023A6BA

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0023A79C
CloseHandle.KERNEL32(00000000), ref: 0023A7AB

Part of subcall function 001CCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,001F3303,?), ref: 001CCE8A

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: f1068d4837d71e99a182e2b33f300121cf539452df91a4ebe7f84994f65df73c
Instruction ID: f58b2de340b2a29522fc98e38d6902b81d41aaebc5c4a9290069ba707b9405a9
Opcode Fuzzy Hash: f1068d4837d71e99a182e2b33f300121cf539452df91a4ebe7f84994f65df73c
Instruction Fuzzy Hash: E8512CB1508301AFD710EF24D886E6BBBE8FF99754F40492DF58997251EB30D905CB92

Function 001F1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001F14C0

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 3d88dc3779f05f8782dc60e6d817a65d9dfd6a9d45253071b23acfbc9c01bc47
Instruction ID: a4f29dd2a330cbe48ccff73a0510edd9c9aa0f3aa1e6b75909889545d9eb33bd
Opcode Fuzzy Hash: 3d88dc3779f05f8782dc60e6d817a65d9dfd6a9d45253071b23acfbc9c01bc47
Instruction Fuzzy Hash: 2D414D3150050CFBDB25ABFE9C466BE3AA5EFA1330F240226FA19D72D2E73489415271

Function 00246278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 002462E2
ScreenToClient.USER32(?,?), ref: 00246315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00246382

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: b45ea21910e33c5f8caaffccfef7a2d980edb60a9c0f68745e481772c7c13f21
Instruction ID: 80053a7191c4fa01de80175db5b7ff06fa86d059dcfb3afd54c29731850b0afd
Opcode Fuzzy Hash: b45ea21910e33c5f8caaffccfef7a2d980edb60a9c0f68745e481772c7c13f21
Instruction Fuzzy Hash: 5C515E74A1024AEFCF18DF58D8889AE7BB5FF46760F108199F8159B290D730EDA1CB51

Function 00231AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00231AFD
WSAGetLastError.WSOCK32 ref: 00231B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00231B8A
WSAGetLastError.WSOCK32 ref: 00231B94

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: fd063cad7231a44879c2afc667d2f1eeb0e505f3e37b84764433f4d58fb3e528
Instruction ID: 9e19b63df0fa96c3231c8699e4d5c9c586c7b3c41c14e9bf4f8abd301c53af08
Opcode Fuzzy Hash: fd063cad7231a44879c2afc667d2f1eeb0e505f3e37b84764433f4d58fb3e528
Instruction Fuzzy Hash: 5541C374600200AFE720AF24D88AF6A77E5AB54718F54848CF91A9F7D2D772DD52CB90

Function 001EB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88e74604e1bb2adee3c32b3ceb966e6aa5bec0be321085cc315f837a5598fb2c
Instruction ID: 672ad9ea4469452590b32411c32ffc795610b5134e9a158ddb7f7fc9b25b987e
Opcode Fuzzy Hash: 88e74604e1bb2adee3c32b3ceb966e6aa5bec0be321085cc315f837a5598fb2c
Instruction Fuzzy Hash: 0041E672A04B44BFD7259F79CC81B6FBBA9EB94710F10452EF542DB2C2D771A9018780

Function 002256D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00225783
GetLastError.KERNEL32(?,00000000), ref: 002257A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 002257CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 002257FA

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: f948162cadb8882f23eafc0690f8e2f44b86f6503cec68d13bef7c2e8102a53b
Instruction ID: 4f8a76a0b3357b09f0f7df449efe38d449477741857b1de1e1e9ceefc141e863
Opcode Fuzzy Hash: f948162cadb8882f23eafc0690f8e2f44b86f6503cec68d13bef7c2e8102a53b
Instruction Fuzzy Hash: E9412C39600621DFCB21DF55D445A5EBBF2EF99320B19C488E84AAB762CB74FD40CB91

Function 001ED8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,001D6D71,00000000,00000000,001D82D9,?,001D82D9,?,00000001,001D6D71,8BE85006,00000001,001D82D9,001D82D9), ref: 001ED910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 001ED999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 001ED9AB
__freea.LIBCMT ref: 001ED9B4

Part of subcall function 001E3820: RtlAllocateHeap.NTDLL(00000000,?,00281444,?,001CFDF5,?,?,001BA976,00000010,00281440,001B13FC,?,001B13C6,?,001B1129), ref: 001E3852

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: b9d768b7965e9256336b6a52dd122a1d6d3e3476bfc64686d3ba737d223e26ee
Instruction ID: 6cab86817125caf3ccca7f87cb7495b5440f2d5125b10447e64328ed17fc84d3
Opcode Fuzzy Hash: b9d768b7965e9256336b6a52dd122a1d6d3e3476bfc64686d3ba737d223e26ee
Instruction Fuzzy Hash: 10310F72A0064AABDF24CF66EC45EAE7BA5EF41314F150169FC09D7251EB35CD50CBA0

Function 002452C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00245352
GetWindowLongW.USER32(?,000000F0), ref: 00245375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00245382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002453A8

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 0836fc4e3f707ed7a462399258e689537517fcc4fb48fb1e6c95947fdb2c49cb
Instruction ID: 9be576f53b4187c37497af3561a9376894c8850170f23e289d72b4630f102fb0
Opcode Fuzzy Hash: 0836fc4e3f707ed7a462399258e689537517fcc4fb48fb1e6c95947fdb2c49cb
Instruction Fuzzy Hash: F431C634A76A29EFEB389E14CC09FE83F65AB05390F544181FA90961E2C7F49DA0DB41

Function 0021AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 0021ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0021AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0021AC74
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 0021ACC6

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: c802616e53aa21a722544386e78a3cf320ad64a0eebfc3ca7f4ddde2511224dd
Instruction ID: 554a82ee8c7742784dfc67486fb23355b96c8bf5e0a15a1b406c257c002914e2
Opcode Fuzzy Hash: c802616e53aa21a722544386e78a3cf320ad64a0eebfc3ca7f4ddde2511224dd
Instruction Fuzzy Hash: 51312830A213196FEF35CF698C087FA7BE5ABA9310F04421BE485921D1D37589E587D2

Function 00247674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0024769A
GetWindowRect.USER32(?,?), ref: 00247710
PtInRect.USER32(?,?,00248B89), ref: 00247720
MessageBeep.USER32(00000000), ref: 0024778C

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: da2c44698c621f4254a523e5759dfe6872a131c87c856b10650d16b50bb8e011
Instruction ID: bb4d30d8644d387d25064c76a6c060c51b8b4d796cd37379e89d6f815263a37a
Opcode Fuzzy Hash: da2c44698c621f4254a523e5759dfe6872a131c87c856b10650d16b50bb8e011
Instruction Fuzzy Hash: 1D41B338616215DFCB19CF58D898EA9B7F9FF49314F5540A8E424DB2A1C730E952CF90

Function 002416DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 002416EB

Part of subcall function 00213A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00213A57
Part of subcall function 00213A3D: GetCurrentThreadId.KERNEL32 ref: 00213A5E
Part of subcall function 00213A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002125B3), ref: 00213A65

GetCaretPos.USER32(?), ref: 002416FF
ClientToScreen.USER32(00000000,?), ref: 0024174C
GetForegroundWindow.USER32 ref: 00241752

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 15992a3ebf6ea056706723ecb79c311465c5a8dbdb2fbbe73bdd9203905b84f8
Instruction ID: 570236894e33a4186d3242f3771241048c5d38f544dd7d65d8d804c81617b552
Opcode Fuzzy Hash: 15992a3ebf6ea056706723ecb79c311465c5a8dbdb2fbbe73bdd9203905b84f8
Instruction Fuzzy Hash: A2315E75D10109AFCB04EFA9C881CEEBBF9EF59304B5080AAE415E7211D7319E45CBA0

Function 0021DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 001B7620: _wcslen.LIBCMT ref: 001B7625

_wcslen.LIBCMT ref: 0021DFCB
_wcslen.LIBCMT ref: 0021DFE2
_wcslen.LIBCMT ref: 0021E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0021E018

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 5ef26aca2ff83cf5245e55f6784410e3b3f4db02c3888120126771b4dcf814af
Instruction ID: 11059338cb22fa9382b4136f3cc419e19be1bee3f21085e41abd7cdc46b6b261
Opcode Fuzzy Hash: 5ef26aca2ff83cf5245e55f6784410e3b3f4db02c3888120126771b4dcf814af
Instruction Fuzzy Hash: 1C21B275900215EFCB20DFA8D981BAEB7F8EF69750F154069E805BB381D7709E41CBA1

Function 00248FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001C9BB2

GetCursorPos.USER32(?), ref: 00249001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00207711,?,?,?,?,?), ref: 00249016
GetCursorPos.USER32(?), ref: 0024905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00207711,?,?,?), ref: 00249094

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: f3049ce292a50ae85b50d02003f555e2e22239638a24534b6dda9ce388827893
Instruction ID: 16277a3f78526d29d986361b5ce432db2454ab9ec3b91fcec8c2c1d92cfd37ab
Opcode Fuzzy Hash: f3049ce292a50ae85b50d02003f555e2e22239638a24534b6dda9ce388827893
Instruction Fuzzy Hash: E121BF35611018EFDB29CF98D859EEB3BB9EB8A350F104069F905572A1C7319DA0DB60

Function 0021D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0024CB68), ref: 0021D2FB
GetLastError.KERNEL32 ref: 0021D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0021D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0024CB68), ref: 0021D376

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: cf5bf6dd6093b9e47705a2ac35c162b4202d8223fa100e1db09dc5adda78fdcb
Instruction ID: 1ed8007950ebeace61e6220a924150f641200eba6bc9f6d80424820be22994e4
Opcode Fuzzy Hash: cf5bf6dd6093b9e47705a2ac35c162b4202d8223fa100e1db09dc5adda78fdcb
Instruction Fuzzy Hash: 8221D170519202DF8300DF28D8818EA77E4EE66324F204A5DF8A9C72A1DB30D996CF93

Function 00211571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00211014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0021102A
Part of subcall function 00211014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00211036
Part of subcall function 00211014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00211045
Part of subcall function 00211014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0021104C
Part of subcall function 00211014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00211062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 002115BE
_memcmp.LIBVCRUNTIME ref: 002115E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00211617
HeapFree.KERNEL32(00000000), ref: 0021161E

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 74c673c7ba15427b3b8e2d1f57a76d8d6a56942bc2d507ff87dbc9a9fce72ec2
Instruction ID: 46e715dfaec8c183b8f8ba499895e953c2e2ef155ca159ba8fe07aeeab1bd2f8
Opcode Fuzzy Hash: 74c673c7ba15427b3b8e2d1f57a76d8d6a56942bc2d507ff87dbc9a9fce72ec2
Instruction Fuzzy Hash: EC21BA31E11109EFDF00DFA4C948BEEB7F9EFA4344F184459E505AB241E731AAA4CBA0

Function 00242782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0024280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00242824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00242832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00242840

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: b5ea6c756f06347efcf8ba0372c8b49419974ddfcb992538021d308951d37218
Instruction ID: 886d01a70823238aa48835d5290b49a64e2c1b347a2ccb3b16c4b2266bb6c961
Opcode Fuzzy Hash: b5ea6c756f06347efcf8ba0372c8b49419974ddfcb992538021d308951d37218
Instruction Fuzzy Hash: 82212435215111EFD7189B25C844FAAB799EF45324F648148F4168B6D2CB71FC46CBA0

Function 002178F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00218D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0021790A,?,000000FF,?,00218754,00000000,?,0000001C,?,?), ref: 00218D8C
Part of subcall function 00218D7D: lstrcpyW.KERNEL32(00000000,?,?,0021790A,?,000000FF,?,00218754,00000000,?,0000001C,?,?,00000000), ref: 00218DB2
Part of subcall function 00218D7D: lstrcmpiW.KERNEL32(00000000,?,0021790A,?,000000FF,?,00218754,00000000,?,0000001C,?,?), ref: 00218DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00218754,00000000,?,0000001C,?,?,00000000), ref: 00217923
lstrcpyW.KERNEL32(00000000,?,?,00218754,00000000,?,0000001C,?,?,00000000), ref: 00217949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00218754,00000000,?,0000001C,?,?,00000000), ref: 00217984

Strings

cdecl, xrefs: 0021797B

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 1b05c1246497d5db439eb7f321a415daa0c7a677fc767fea6f3642b1c7eebab6
Instruction ID: 7e9e6a858d887f3940daacbe001d6429d043902a11c135ce137435a71f747cff
Opcode Fuzzy Hash: 1b05c1246497d5db439eb7f321a415daa0c7a677fc767fea6f3642b1c7eebab6
Instruction Fuzzy Hash: 4011293A210342ABCB159F38D844EBA77F5FFA5350B10402EF906C72A4EB31D861C791

Function 00247CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00247D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00247D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00247D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0022B7AD,00000000), ref: 00247D6B

Part of subcall function 001C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001C9BB2

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 45239a6904f1960c4c68838be6fd2f654cca10cbe1fd6291f4fe2d33a6bc67f7
Instruction ID: 32acb6291345bd602c617c58adc032187c8ec5c73a09621630ba991a2a45a8ea
Opcode Fuzzy Hash: 45239a6904f1960c4c68838be6fd2f654cca10cbe1fd6291f4fe2d33a6bc67f7
Instruction Fuzzy Hash: F6117235625615EFCB149F68DC08E6A3BA9AF46360B258724F839D72F0D7309D61CB50

Function 00245660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 002456BB
_wcslen.LIBCMT ref: 002456CD
_wcslen.LIBCMT ref: 002456D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00245816

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: ab2c881845e8269cdb02c9fcf3c7d99b509109784f3ccd365017a233ddf49ef0
Instruction ID: fb5e3f39cf90e841fd4b67f2ec1e12d082d13baece56d770595f6f00a7bdc613
Opcode Fuzzy Hash: ab2c881845e8269cdb02c9fcf3c7d99b509109784f3ccd365017a233ddf49ef0
Instruction Fuzzy Hash: 94112975620625A7EF28DF75CC85AEE776CFF11364F104026F955D6082E7B0C9A0CB60

Function 001E1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3033fc889f9fadfd361521515455c54a886faf1fcf42653325f5be5c87b73270
Instruction ID: 6c1307b9677ef7409fd09025f993537640a98483b66bff9d7f8dd4420b65e366
Opcode Fuzzy Hash: 3033fc889f9fadfd361521515455c54a886faf1fcf42653325f5be5c87b73270
Instruction Fuzzy Hash: F801A2B2206EDA3EF61126BA7CC9F6F661CEF917B8B310325F525521D2DB718C004270

Function 00211A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00211A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00211A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00211A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00211A8A

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0806d2366ca76ae69aec9e6bb4e110cf8eab5d6bff9ae99ad90b327ce00b3da7
Instruction ID: 34b042461d4271d4702ad5bc90baf0d040db868d2f4d1fe3d8e1985c1438128c
Opcode Fuzzy Hash: 0806d2366ca76ae69aec9e6bb4e110cf8eab5d6bff9ae99ad90b327ce00b3da7
Instruction Fuzzy Hash: AD11F73A901219FFEB119FA5C985FEDBBB8EF18750F200091EA04B7294D6716E60DB94

Function 0021E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0021E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0021E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0021E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0021E24D

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: a5dfc5267b92e1239d9bafa0006642c4a5c09e4d8a65ff3533fda554eb53ced6
Instruction ID: 9b55131b76df1ada7a6e35a564ade91030c19dabacc1ac7ceaf39405da6d8229
Opcode Fuzzy Hash: a5dfc5267b92e1239d9bafa0006642c4a5c09e4d8a65ff3533fda554eb53ced6
Instruction Fuzzy Hash: A111087AA05255BBCB019FACBC0DADE7FEC9B46321F104255FC14D3291D2B08D1087A0

Function 001DD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,001DCFF9,00000000,00000004,00000000), ref: 001DD218
GetLastError.KERNEL32 ref: 001DD224
__dosmaperr.LIBCMT ref: 001DD22B
ResumeThread.KERNEL32(00000000), ref: 001DD249

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: a6adcb65cab897b99e9c97dd75b419f05631ec44da6c050e6a30cbab38dd5ccc
Instruction ID: 3d9def08cad7f398fb07fdcce8ea70e98293ad16e394ab9008559afcab3769d9
Opcode Fuzzy Hash: a6adcb65cab897b99e9c97dd75b419f05631ec44da6c050e6a30cbab38dd5ccc
Instruction Fuzzy Hash: 3001D6368051047BC7115BA9EC09BAE7B6DDF92730F20025AF925922D0CF71C901C6A0

Function 00249EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 001C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001C9BB2

GetClientRect.USER32(?,?), ref: 00249F31
GetCursorPos.USER32(?), ref: 00249F3B
ScreenToClient.USER32(?,?), ref: 00249F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00249F7A

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 133bf9917c9755c989858c2751571264933a5c9541896d346abc9cdc70b66506
Instruction ID: 35c7cc03b9c66d638ebb912b144c1cefef98884adc6c73837e09603b226e1e42
Opcode Fuzzy Hash: 133bf9917c9755c989858c2751571264933a5c9541896d346abc9cdc70b66506
Instruction Fuzzy Hash: BC11883691111AABDB04DF68D84ADEE77B8FB46301F110451F801E3440C330BEA6CBA1

Function 001B600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 001B604C
GetStockObject.GDI32(00000011), ref: 001B6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 001B606A

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: b06efbbd13ed695559e87efefc89f13d1299a370ae90ce448b6793ecf75503ba
Instruction ID: 19635888d2630bdddcbfa0365adb37355365b5685f4eb64c365eb326a6e735ef
Opcode Fuzzy Hash: b06efbbd13ed695559e87efefc89f13d1299a370ae90ce448b6793ecf75503ba
Instruction Fuzzy Hash: 7C11AD72102508BFEF165FA5DC48EFABB6DFF293A4F100205FA0456020D73A9C60DBA0

Function 001D3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 001D3B56

Part of subcall function 001D3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 001D3AD2
Part of subcall function 001D3AA3: ___AdjustPointer.LIBCMT ref: 001D3AED

_UnwindNestedFrames.LIBCMT ref: 001D3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 001D3B7C
CallCatchBlock.LIBVCRUNTIME ref: 001D3BA4

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 0fc5c3f0fb3fc0332af9ca935901b6af4b2eabcb1b283d3885431be9c6ccb54d
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 74010C32100149BBDF125F95CC46EEB7F6DEF58794F04401AFE5896221C732E961EBA1

Function 001E3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,001B13C6,00000000,00000000,?,001E301A,001B13C6,00000000,00000000,00000000,?,001E328B,00000006,FlsSetValue), ref: 001E30A5
GetLastError.KERNEL32(?,001E301A,001B13C6,00000000,00000000,00000000,?,001E328B,00000006,FlsSetValue,00252290,FlsSetValue,00000000,00000364,?,001E2E46), ref: 001E30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,001E301A,001B13C6,00000000,00000000,00000000,?,001E328B,00000006,FlsSetValue,00252290,FlsSetValue,00000000), ref: 001E30BF

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: a18666c0fb911000ca46700c93a8239eb28ff68a2c63922a3697d1118b4870b2
Instruction ID: f2f58d412ec4a7fdc1110c199268a5cf0e2095104ee7890ea031454904b5f123
Opcode Fuzzy Hash: a18666c0fb911000ca46700c93a8239eb28ff68a2c63922a3697d1118b4870b2
Instruction Fuzzy Hash: 27012036302B62ABCB318B7FBC4C96F7B989F45771B210620F925D3140C721D901C6E0

Function 00217464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0021747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00217497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 002174AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 002174CA

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: c02e93e7e088ae64996c99483d44a2a636d0da1588a58efc7b1eacc090ed7ef7
Instruction ID: 8ec2ef8c24f87e40661a09cf62f8d1722fea076c279dd6ef3ea788981da6137c
Opcode Fuzzy Hash: c02e93e7e088ae64996c99483d44a2a636d0da1588a58efc7b1eacc090ed7ef7
Instruction Fuzzy Hash: DC11A1B92163119BF7208F18ED08BD27BFCEB40B00F208569A656D6151D7B0E994DB60

Function 0021B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0021ACD3,?,00008000), ref: 0021B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0021ACD3,?,00008000), ref: 0021B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0021ACD3,?,00008000), ref: 0021B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0021ACD3,?,00008000), ref: 0021B126

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 501f6f820439e89bcb16d278d24e2bd43d8f5d6dd01a5ba8e6179adf5acda401
Instruction ID: 4927eb5dc75630c05a96cdd957a40fcb7ed292791f356227b147d6b7c0e59804
Opcode Fuzzy Hash: 501f6f820439e89bcb16d278d24e2bd43d8f5d6dd01a5ba8e6179adf5acda401
Instruction Fuzzy Hash: 4211A130C1251DE7CF019FE8E9586EEBBB8FF1A310F214095D949B2141CB3055A08B51

Function 00247E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00247E33
ScreenToClient.USER32(?,?), ref: 00247E4B
ScreenToClient.USER32(?,?), ref: 00247E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00247E8A

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 2191fa4f4dc2c79f64f77e7e4f242f26988a59e8155f1d2a02dee7f3ad0b25c1
Instruction ID: 84d624370a6f678d4884b6df1131e464c6d71362495975799494a970b2dad03f
Opcode Fuzzy Hash: 2191fa4f4dc2c79f64f77e7e4f242f26988a59e8155f1d2a02dee7f3ad0b25c1
Instruction Fuzzy Hash: 841156B9D0020AAFDB41DF98D8849EEBBF9FF09310F509156E915E3210D735AA54CF50

Function 00212DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00212DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00212DD6
GetCurrentThreadId.KERNEL32 ref: 00212DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00212DE4

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 6f8e876f27b673075ebec30b7f7e2bc9da9702f2addf5e113b876046859d1cb9
Instruction ID: 47e07f005e9bd3e3d8dc2e2436fac6ec2cd3a24e95ece2820a7f8999b6869e36
Opcode Fuzzy Hash: 6f8e876f27b673075ebec30b7f7e2bc9da9702f2addf5e113b876046859d1cb9
Instruction Fuzzy Hash: 3CE09275212628BBD7201FB6FC0DFEB3EACEF93BA1F214015F105D10809AA1C894C6B0

Function 00248863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 001C9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 001C9693
Part of subcall function 001C9639: SelectObject.GDI32(?,00000000), ref: 001C96A2
Part of subcall function 001C9639: BeginPath.GDI32(?), ref: 001C96B9
Part of subcall function 001C9639: SelectObject.GDI32(?,00000000), ref: 001C96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00248887
LineTo.GDI32(?,?,?), ref: 00248894
EndPath.GDI32(?), ref: 002488A4
StrokePath.GDI32(?), ref: 002488B2

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 1ab9da0c59b84c59bba9375d4036d41391cfc4fc0f4a9fe2f9c4a5e457e25623
Instruction ID: 8f116180a69ff310c6dcb5c26dcb2837f6659bc974e60007e4b2a88b94803cd2
Opcode Fuzzy Hash: 1ab9da0c59b84c59bba9375d4036d41391cfc4fc0f4a9fe2f9c4a5e457e25623
Instruction Fuzzy Hash: 1CF05E3A052259FADB125F98BC0DFCE3F59AF16310F148100FA11650E2C7755521CFE9

Function 001C98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 001C98CC
SetTextColor.GDI32(?,?), ref: 001C98D6
SetBkMode.GDI32(?,00000001), ref: 001C98E9
GetStockObject.GDI32(00000005), ref: 001C98F1

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 1a5f89a8bb4aa0e982b8e856b272ac6ac4c7236b6807232ad52dbb6283a294b5
Instruction ID: 2d13335ff2d00b7f21e4ca09bad725c82fae4af3c3d8281397cebabc8ed12257
Opcode Fuzzy Hash: 1a5f89a8bb4aa0e982b8e856b272ac6ac4c7236b6807232ad52dbb6283a294b5
Instruction Fuzzy Hash: 3AE06D35645280AAEB615F78BC0DBE83F20AB16336F248219F6FE580E2C7B156509B10

Function 0021162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00211634
OpenThreadToken.ADVAPI32(00000000,?,?,?,002111D9), ref: 0021163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,002111D9), ref: 00211648
OpenProcessToken.ADVAPI32(00000000,?,?,?,002111D9), ref: 0021164F

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: fa6b2e31a410da755bfb75071d8747bdab15f1772bb591f8eb0339c7af4c2d3a
Instruction ID: a70061a4cdf4c98216b10212b7c76d852c3d58476f9bfac58e29541c6130d614
Opcode Fuzzy Hash: fa6b2e31a410da755bfb75071d8747bdab15f1772bb591f8eb0339c7af4c2d3a
Instruction Fuzzy Hash: 87E08635603211DBD7B01FE4BD0DB863BBCAF567D1F244808F745C9090D6B44490CB50

Function 0020D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0020D858
GetDC.USER32(00000000), ref: 0020D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0020D882
ReleaseDC.USER32(?), ref: 0020D8A3

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: e9f407306eb0edd863328d1754faa6dce605d433a5608b964fff8b08b8c30b3c
Instruction ID: e88c1a5e627de7bba64b76e695809260660b6b2b043a46da03edf64f06220cce
Opcode Fuzzy Hash: e9f407306eb0edd863328d1754faa6dce605d433a5608b964fff8b08b8c30b3c
Instruction Fuzzy Hash: 46E01AB8801204DFCB819FE8E80CA6DBBB5FB49310F21D059F816E7260C7788911AF40

Function 0020D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0020D86C
GetDC.USER32(00000000), ref: 0020D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0020D882
ReleaseDC.USER32(?), ref: 0020D8A3

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 066386d898efb897627a41358c21fedcc243c96aff51506dc9323a7342039e46
Instruction ID: 72eabb65a76469d6b8ca09533813c725c443d78585f36074976b8d80c7239e3d
Opcode Fuzzy Hash: 066386d898efb897627a41358c21fedcc243c96aff51506dc9323a7342039e46
Instruction Fuzzy Hash: E9E04F78C01200DFCF909FB8E80C66DBBB5FB48310F219048F916E7260C77859019F40

Function 00224D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 001B7620: _wcslen.LIBCMT ref: 001B7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00224ED4

Strings

LPT, xrefs: 00224DFB
*, xrefs: 00224E10

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: abaa3cf30c3460f1eeab5912be1a3c3abf783e20ddc3cfeaa2a690ad06d040ac
Instruction ID: 1c867d3ef3199d04c06bbe4d146e8e27255cbbb60fbee8a3cf97955425ff44a2
Opcode Fuzzy Hash: abaa3cf30c3460f1eeab5912be1a3c3abf783e20ddc3cfeaa2a690ad06d040ac
Instruction Fuzzy Hash: 8191C375A10215EFCB14EF98D584EA9BBF1BF88304F158099E40A9F7A2C771ED85CB90

Function 00237771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0020569E,00000000,?,0024CC08,?,00000000,00000000), ref: 002378DD

Part of subcall function 001B6B57: _wcslen.LIBCMT ref: 001B6B6A

CharUpperBuffW.USER32(0020569E,00000000,?,0024CC08,00000000,?,00000000,00000000), ref: 0023783B

Strings

<s', xrefs: 002377C8

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s'
API String ID: 3544283678-1932024504
Opcode ID: aadc5b1034171d5cb391e795b47e5de7c3b2701b7d8c43d507b57ee463401a2d
Instruction ID: 6629b12767f69b8407eeb43c9f219f794a6ca593ea4213d65e551b768db2a681
Opcode Fuzzy Hash: aadc5b1034171d5cb391e795b47e5de7c3b2701b7d8c43d507b57ee463401a2d
Instruction Fuzzy Hash: D0613BB2924219EACF14EFA4CC91DFDB3B8BF28700F544129F542A7191EB749A15DBA0

Function 001CE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 001CE1B1

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: f2ac39e8b1b0e4c6cf53bd819b13e9d5f87c90ff3a699f381aaa6ca9ba1602e5
Instruction ID: ac7be255200dba730d163655595e12842e9eb1815acfad704ebd2c933bb78353
Opcode Fuzzy Hash: f2ac39e8b1b0e4c6cf53bd819b13e9d5f87c90ff3a699f381aaa6ca9ba1602e5
Instruction Fuzzy Hash: ED51F035500346DFDF19DF28C481BBABBA8EF65310F258459E8919B2E1D734DDA2CB90

Function 001CF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 001CF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 001CF2BB

Strings

@, xrefs: 001CF2AF

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 2e4be23d674aeb1d385ee00f81889bf6c351caf9b3a9d1a65acdb931d13da1a7
Instruction ID: 858963f615491f657ccf784da16378cb8b6c15f65ce8e6b5a243d2fd8642fd4f
Opcode Fuzzy Hash: 2e4be23d674aeb1d385ee00f81889bf6c351caf9b3a9d1a65acdb931d13da1a7
Instruction Fuzzy Hash: CC5135714087449BD320AF14EC8ABABBBF8FB95300F81885DF5D9811A5EB709529CB66

Function 00235745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 002357E0
_wcslen.LIBCMT ref: 002357EC

Strings

CALLARGARRAY, xrefs: 002357E6, 002357EB

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: a27210244ba15686f1a230d9bde87d02f98d4dac021993d000b76ac16bc1ac85
Instruction ID: f447a937a1b72c64ae235a2352a895cb2e318bbc98f0f550a24008f215404bff
Opcode Fuzzy Hash: a27210244ba15686f1a230d9bde87d02f98d4dac021993d000b76ac16bc1ac85
Instruction Fuzzy Hash: 4E41A071A1021A9FCB14DFA9C8859EEBBF5EF69310F204029E509A7251E7709D91CB90

Function 0022D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0022D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0022D13A

Strings

|, xrefs: 0022D10B

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: d33c3c542ee9806752e603cdbfb2b7955d587e327f5f97af9a172cc65ec4bfa2
Instruction ID: f695fb563630c114cea886aba31461950884e63b17d6915eb11fdeacb1d7e0df
Opcode Fuzzy Hash: d33c3c542ee9806752e603cdbfb2b7955d587e327f5f97af9a172cc65ec4bfa2
Instruction Fuzzy Hash: D0313E75D10219ABCF15EFA4DC85AEEBFB9FF14300F100019F819A6166DB35A916DB50

Function 0024356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00243621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0024365C

Strings

static, xrefs: 002435BC

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 3885879ea9507851d5914ffd85013aed5c62be42f841dc0d1faf4e9ff4d19d32
Instruction ID: 6401768460c93f18d6b8e17d80b511ec904c0e65a3def622fb0a900d17c66c30
Opcode Fuzzy Hash: 3885879ea9507851d5914ffd85013aed5c62be42f841dc0d1faf4e9ff4d19d32
Instruction Fuzzy Hash: EF319E71120605AEDB14DF28DC81EFB73ADFF98724F118619F8A597280DB70ADA1CB64

Function 00244537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0024461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00244634

Strings

', xrefs: 0024458E

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 5451d905ba3132d1662e9fbb7066f8a60c09fb0b85f819a30466e9cc2c7635a7
Instruction ID: d63ca288c62792d1908fe92c2a2630f388b14afdaf31f59d3d6ba1ad5e8e32c0
Opcode Fuzzy Hash: 5451d905ba3132d1662e9fbb7066f8a60c09fb0b85f819a30466e9cc2c7635a7
Instruction Fuzzy Hash: 40316A74A0130A9FDF18DFA9C980BDABBB9FF19300F50406AE905AB381D770A911CF90

Function 002431EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0024327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00243287

Strings

Combobox, xrefs: 00243249

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 647791631cf878f10f58e400f1094a12156a34228579ab0dead35734b93a0634
Instruction ID: 55a198b6d30c64e21f1866cb00862089565b6b1c4ab536601f1ef95d1c180f13
Opcode Fuzzy Hash: 647791631cf878f10f58e400f1094a12156a34228579ab0dead35734b93a0634
Instruction Fuzzy Hash: D011B2713202097FFF29DE54DC85EBB376AEB98364F104125FD189B290D6B19D618B60

Function 0021EF10 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0021EF1D

Strings

`, xrefs: 0021EF1B
HANDLE, xrefs: 0021EF16

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _wcslen
String ID: HANDLE$`
API String ID: 176396367-1948523916
Opcode ID: 48deb52f5dcb1a1ec2d68bc8dc9d77364c80f45fa2f2292cbd0477775692746a
Instruction ID: b2307d7150007cd79888ebbd1655713500235357677772f5ae2f1e3f55d52f11
Opcode Fuzzy Hash: 48deb52f5dcb1a1ec2d68bc8dc9d77364c80f45fa2f2292cbd0477775692746a
Instruction Fuzzy Hash: 0411DF715301159AEB288E14DC89BEDB3E8DFA0725F62406AEC01CA4C4E7B09AD28714

Function 00243710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 001B600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 001B604C
Part of subcall function 001B600E: GetStockObject.GDI32(00000011), ref: 001B6060
Part of subcall function 001B600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 001B606A

GetWindowRect.USER32(00000000,?), ref: 0024377A
GetSysColor.USER32(00000012), ref: 00243794

Strings

static, xrefs: 00243757

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 6edf2aeeaad315aa84b1be1f4f1a756cd19283b803d6ed99bf04196d0013aaf7
Instruction ID: 0c87c4e3d0040624784bc55eb94f1eea3e1bb3d74b574db20a323587160c23a0
Opcode Fuzzy Hash: 6edf2aeeaad315aa84b1be1f4f1a756cd19283b803d6ed99bf04196d0013aaf7
Instruction Fuzzy Hash: F51129B262020AAFDB05DFA8CC46AEE7BB8EB09314F104515F995E2250D775E8619B50

Function 0022CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0022CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0022CDA6

Strings

<local>, xrefs: 0022CD66

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 6108039f5f0cc1bc53bc9d85dd15bae285e482b112d6760a2a7e43bc1e21fe5b
Instruction ID: b90a2ef211f1dd138c58be928bfef25b91f87e142eecd1b566f4cb321e0281a3
Opcode Fuzzy Hash: 6108039f5f0cc1bc53bc9d85dd15bae285e482b112d6760a2a7e43bc1e21fe5b
Instruction Fuzzy Hash: B811C6752256327AD7384FA6AC49FEBBE6CEF127A4F204236B10983080D7749865D6F0

Function 00243429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 002434AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 002434BA

Strings

edit, xrefs: 0024348F

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: aed0477364df773e0b7374b4b9a19751e25bfd642df45c37c82a214ed1df21cb
Instruction ID: 0933123b1f9cef95ae37ccdd59deb3e7e66fd4fb8f8e1122caad91ec6a038b27
Opcode Fuzzy Hash: aed0477364df773e0b7374b4b9a19751e25bfd642df45c37c82a214ed1df21cb
Instruction Fuzzy Hash: 8511CE71220209AFEB1A9F68EC44AFB376AEF15774F604324F964931E0C775DC619B60

Function 00216C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00216CB6
_wcslen.LIBCMT ref: 00216CC2

Strings

STOP, xrefs: 00216CBC, 00216CC1

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: ac832b985f8c5a62b930eb48de1b7f20360719a95cc6462c2e465dfc65bfca1d
Instruction ID: 9be594c1e7088cb78503a9e516b03dc449056c5b7067f1e489b572ad8cd7db6f
Opcode Fuzzy Hash: ac832b985f8c5a62b930eb48de1b7f20360719a95cc6462c2e465dfc65bfca1d
Instruction Fuzzy Hash: 4101C4326205278BCB209FFDEC889FF77E5EA757107500525E85296190EB31D9A0C690

Function 00211CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

Part of subcall function 00213CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00213CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00211D4C

Strings

ListBox, xrefs: 00211D16
ComboBox, xrefs: 00211CEB

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ea1793bf6ec9e40c61f99d1ef2cc7e680d6310de300fcb73e159f47de0e77646
Instruction ID: f9d0746ea0ffbc0e591234d5d096b1053e54d1ab120eb630d9defff541569f9c
Opcode Fuzzy Hash: ea1793bf6ec9e40c61f99d1ef2cc7e680d6310de300fcb73e159f47de0e77646
Instruction Fuzzy Hash: B9012831621218AB8B08EFA4DC51CFE77E8FF66350B10050AF922572C1EB705969C6A0

Function 00211BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

Part of subcall function 00213CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00213CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00211C46

Strings

ListBox, xrefs: 00211C10
ComboBox, xrefs: 00211BE5

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c31c4e8bd2ebf556a9da97c5bb1f5a566f623f0ac40ecbc4968b266fa2d0155e
Instruction ID: 1b52fc4a543e04067d6dd6c6521938d8be05288ba82ed66475f7ff06aa430dae
Opcode Fuzzy Hash: c31c4e8bd2ebf556a9da97c5bb1f5a566f623f0ac40ecbc4968b266fa2d0155e
Instruction Fuzzy Hash: 1201A7757A110967CB08EB90D9519FFB7E89F32340F14001AEA0667281EB709E7996F2

Function 00211C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

Part of subcall function 00213CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00213CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00211CC8

Strings

ListBox, xrefs: 00211C94
ComboBox, xrefs: 00211C69

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 2111f520068516fa5984f6736567e19b5f2bad50957e07492645a90d3bdd3524
Instruction ID: 9c30a1d3cd8e1b28a12566f205ad6557dfbf76a9a0512fcbdb1b660060922140
Opcode Fuzzy Hash: 2111f520068516fa5984f6736567e19b5f2bad50957e07492645a90d3bdd3524
Instruction Fuzzy Hash: A701A77565111967CF04EB94CA41AFF77E89B32340B140016F90677281EB719F7996F2

Function 001CA4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001CA529

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

Strings

3y , xrefs: 001CA545, 001CA54D, 001CA552
,%(, xrefs: 001CA509

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%($3y
API String ID: 2551934079-4283432193
Opcode ID: b26250e7498093433c40f4035daae183153add75dc273f084bd079afb877d5d7
Instruction ID: 0a0812938b8dbd5612a8818dec43cb9c34f6ec32288ea684bbe3174b4ba9b3b6
Opcode Fuzzy Hash: b26250e7498093433c40f4035daae183153add75dc273f084bd079afb877d5d7
Instruction Fuzzy Hash: 5E01F73264161897C50AF768EC5BFAD3368DF25724F90401DFA01572C2DF50DD068A97

Function 00211D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

Part of subcall function 00213CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00213CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00211DD3

Strings

ListBox, xrefs: 00211DA0
ComboBox, xrefs: 00211D75

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 43926d1312a706a43e345d44e6a048b455adfd5633b8bd4725ed77627f13425a
Instruction ID: 228ad58346277c3532aee15ea66527f073b6f50ec9a40ca83417710aa348257c
Opcode Fuzzy Hash: 43926d1312a706a43e345d44e6a048b455adfd5633b8bd4725ed77627f13425a
Instruction Fuzzy Hash: 29F0F971A6121867CB04E7A4DC51BFF77A8AB22340F140915F922672C1EB7059288660

Function 00248172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00283018,0028305C), ref: 002481BF
CloseHandle.KERNEL32 ref: 002481D1

Strings

\0(, xrefs: 0024818A

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0(
API String ID: 3712363035-1880395983
Opcode ID: b782c8b4e2c6c627318ff791b58372631c65e82a638780f205cf3dc17a71097e
Instruction ID: 1ddd088edf47272c4b3633d07ca7125892ec8636e78d2f55c91860486be5ff5a
Opcode Fuzzy Hash: b782c8b4e2c6c627318ff791b58372631c65e82a638780f205cf3dc17a71097e
Instruction Fuzzy Hash: 79F054B9652300BAE320AB65BC49F773A5CEB15F54F004461FB08D51A1D6759A1093B5

Function 0023747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00237493
_wcslen.LIBCMT ref: 002374B9

Strings

3, 3, 16, 1, xrefs: 00237483

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: f98cd245714e4586d92bfd5cf06ec86d3c044867685a2580b468702b9990313f
Instruction ID: d128cb1e136ccefc27b72f7dffb3b4dc795a9cb6103b6a28dc287ff08c3175f3
Opcode Fuzzy Hash: f98cd245714e4586d92bfd5cf06ec86d3c044867685a2580b468702b9990313f
Instruction Fuzzy Hash: A4E0ABC6224321229234133A9CC197F4699CFDE350B10082BFA84C2366EBA49CB1C3A0

Function 00210B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00210B23

Strings

Error allocating memory., xrefs: 00210B1C
AutoIt, xrefs: 00210B17

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 8dd5cc7f03e1f49a625d4dc13fbd02cef3128855dabe4e307496dc0d49f9ec95
Instruction ID: 1fb6cafaa1ad03e7aaa4aad8b3027956c632c5c0f6de793dad35e7f0350217fd
Opcode Fuzzy Hash: 8dd5cc7f03e1f49a625d4dc13fbd02cef3128855dabe4e307496dc0d49f9ec95
Instruction Fuzzy Hash: C8E0D83129531837D2143799BC43FC97B888F26B20F20442FF748555C38BE164A006E9

Function 001D0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 001CF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,001D0D71,?,?,?,001B100A), ref: 001CF7CE

IsDebuggerPresent.KERNEL32(?,?,?,001B100A), ref: 001D0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,001B100A), ref: 001D0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 001D0D7F

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: c66b4b3c7851bb218eb9fe36a297de7753135dc6b2e145143fe9a5d52c94f9ad
Instruction ID: 01154ba2413158e7ac9cb9f3a644794d598470c9e5a7e49c0edc268728c4e4ae
Opcode Fuzzy Hash: c66b4b3c7851bb218eb9fe36a297de7753135dc6b2e145143fe9a5d52c94f9ad
Instruction Fuzzy Hash: 41E06D742007018BD3A1DFBCE5087827BE6AB18741F00892EE886C6751DBF4E4448BA1

Function 001CE398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001CE3D5

Strings

0%(, xrefs: 001CE3B5
8%(, xrefs: 001CE3CA

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%($8%(
API String ID: 1385522511-1269923376
Opcode ID: a8ae189c5ad446aea039b3c7082e50b3164649b166a72afc16246ee5b46c98ac
Instruction ID: 3c72ebb03c3e15cecdd947367ccec0a9f4ab6553cb2eb1bb387e1fc66ac3a947
Opcode Fuzzy Hash: a8ae189c5ad446aea039b3c7082e50b3164649b166a72afc16246ee5b46c98ac
Instruction Fuzzy Hash: 59E020354A2950CBC60DA758B65DF4833D1FB3A320B94216DE001475D19B38B8458745

Function 00223017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0022302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00223044

Strings

aut, xrefs: 00223038

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 857b62b8f027c673d853ef79fae529f0bc9223780ebd0fe934626e32a8ee5a65
Instruction ID: 57dd727026c1e99c3fdf19810af352fd9aac1192b0334d3c600c5b099349fa21
Opcode Fuzzy Hash: 857b62b8f027c673d853ef79fae529f0bc9223780ebd0fe934626e32a8ee5a65
Instruction Fuzzy Hash: 2DD05E7650132867DB60E7A8AC0EFCB3A6CDB06750F0002A1BA55E2091DAF09984CAD4

Function 0020D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0020D220

Strings

X64, xrefs: 0020D2A8
%.3d, xrefs: 0020D22B

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: dc2dd836c5533433e3dffb4b9664a5b0bf97ae191c0e99d27efa821645571c36
Instruction ID: c3a8246ddff8426f00d8fdaeecbe3cf87b4ff57f1154181441572c2c08c16e21
Opcode Fuzzy Hash: dc2dd836c5533433e3dffb4b9664a5b0bf97ae191c0e99d27efa821645571c36
Instruction Fuzzy Hash: 1DD0126582A318EECB9096D4DC49DBAB37CAB19301F608466FC0A91083D7B4D5286B61

Function 00242322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0024232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0024233F

Part of subcall function 0021E97B: Sleep.KERNEL32 ref: 0021E9F3

Strings

Shell_TrayWnd, xrefs: 00242325

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: e363feeece95f1e7182143f57a5c239de56a0685ebe9803484d7d87acde155f4
Instruction ID: 1a429747ec781dcf9945cb32626ca5b818d35a598d7f2fcbcbedee680eb055ac
Opcode Fuzzy Hash: e363feeece95f1e7182143f57a5c239de56a0685ebe9803484d7d87acde155f4
Instruction Fuzzy Hash: 38D0227A3E1300B7E6ACB330EC0FFCABA189B01B00F118902770AAA0D0C8F0A800CE00

Function 00242356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0024236C
PostMessageW.USER32(00000000), ref: 00242373

Part of subcall function 0021E97B: Sleep.KERNEL32 ref: 0021E9F3

Strings

Shell_TrayWnd, xrefs: 00242365

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: e397802a148695a5c7a2e4e68ab203d1c9dd54fc052e16a1fd93a2f3caa1f329
Instruction ID: 80563e2d31249e039cfa295a2de972c903612479acf86070077fb524c7032412
Opcode Fuzzy Hash: e397802a148695a5c7a2e4e68ab203d1c9dd54fc052e16a1fd93a2f3caa1f329
Instruction Fuzzy Hash: E5D0A9763D23007AE6A8A330AC0FFCAA6189B02B00F1189027706AA0D0C8B0A8008A04

Function 001EBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 001EBE93
GetLastError.KERNEL32 ref: 001EBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 001EBEFC

Memory Dump Source

Source File: 00000000.00000002.2198006207.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.2197987837.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198116923.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198158302.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2198173580.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 3f40aa5e66dd7a106d022d467917174ac3685f24f052aad5d86b2d31223f0e02
Instruction ID: 4851e07c72bcd395b7c21de86cc4458584f87ac6b8f8e64494a285381fb98152
Opcode Fuzzy Hash: 3f40aa5e66dd7a106d022d467917174ac3685f24f052aad5d86b2d31223f0e02
Instruction Fuzzy Hash: 24411A34609A86AFCF258F6ADCD4ABF7BA4EF42310F254169F959572A1DB308D01CB60

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86

Source: global traffic	HTTP traffic detected: GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1Host: youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlaHLAQj6mM0BCIWgzQEI3L3NAQiPys0BCLnKzQEI6dLNAQjo1c0BCMvWzQEIqNjNAQj5wNQVGLrSzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=1268387220&timestamp=1727788033886 HTTP/1.1Host: accounts.youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.134"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlaHLAQj6mM0BCIWgzQEI3L3NAQiPys0BCLnKzQEI6dLNAQjo1c0BCMvWzQEIqNjNAQj5wNQVGLrSzQEY642lFw==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.134"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlaHLAQj6mM0BCIWgzQEI3L3NAQiPys0BCLnKzQEI6dLNAQjo1c0BCMvWzQEIqNjNAQj5wNQVGLrSzQEY642lFw==Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=518=hdMFKixWukTJDGmDoxIhtAd_eGP5b6OVQ3aUoATEDXLwj-tnshwULr8C-ofy60qdZLVF0C3bL92SfKTv8Dx0zpK0MlPu9iQky2JeopElrvSwWKwk2StD5D27zoTXgYPKR0mLaERYJ59HQdWeYcZutueqcp-Ke24c8MLzpBipEJ9JXMcl4w
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=UM3WpNRVP3eRllF&MD=che9ckaB HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=UM3WpNRVP3eRllF&MD=che9ckaB HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 79

Chrome Cache Entry: 80

Chrome Cache Entry: 81

Chrome Cache Entry: 82

Chrome Cache Entry: 83

Chrome Cache Entry: 84

Chrome Cache Entry: 85

Chrome Cache Entry: 86

Chrome Cache Entry: 87

Chrome Cache Entry: 88

Chrome Cache Entry: 89

Chrome Cache Entry: 90

Chrome Cache Entry: 91

Chrome Cache Entry: 92

Chrome Cache Entry: 93

Static File Info

General

File Icon

Windows Analysis Report
file.exe

Function 001B42DE Relevance: 23.0, APIs: 9, Strings: 4, Instructions: 235
libraryloaderCOMMON

Function 001B42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 001F2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 0021D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Function 0023AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Function 001B344D Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 201
registryCOMMON

Function 001B2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 001F065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 001B2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 001B3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 001B1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre