Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1523556
MD5:	536a43d3de5f4acf818bb41029651839
SHA1:	1ded3dacb997d6977f47c7a8358b302658007a09
SHA256:	803c36cb6711cb22db01a4a3cb2ff7685ba82841e688d6aa703d0fc72e763cbb
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 7328 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 536A43D3DE5F4ACF818BB41029651839)

chrome.exe (PID: 7344 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7564 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=2052,i,10817149236646276970,9107877768745341469,262144 --disable-features=CrashRecovery /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7216 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5400 --field-trial-handle=2052,i,10817149236646276970,9107877768745341469,262144 --disable-features=CrashRecovery /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 5480 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 --field-trial-handle=2052,i,10817149236646276970,9107877768745341469,262144 --disable-features=CrashRecovery /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 7328	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

String found in binary or memory: _.iq(p)+"/familylink/privacy/notice/embedded?langCountry="+_.iq(p);break;case "PuZJUb":a+="https://www.youtube.com/t/terms?chromeless=1&hl="+_.iq(m);break;case "fxTQxb":a+="https://youtube.com/t/terms?gl="+_.iq(_.rq(c))+"&hl="+_.iq(d)+"&override_hl=1"+(f?"&linkless=1":"");break;case "prAmvd":a+="https://www.google.com/intl/"+_.iq(m)+"/chromebook/termsofservice.html?languageCode="+_.iq(d)+"&regionCode="+_.iq(c);break;case "NfnTze":a+="https://policies.google.com/privacy/google-partners"+(f?"/embedded": equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: accounts.youtube.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com

Source: unknown

HTTP traffic detected: POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveContent-Length: 519sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"Content-Type: application/x-www-form-urlencoded;charset=UTF-8sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"X-Goog-AuthUser: 0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*Origin: https://accounts.google.comX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: chromecache_83.3.dr	String found in binary or memory: https://accounts.google.com
Source: chromecache_83.3.dr	String found in binary or memory: https://accounts.google.com/TOS?loc=
Source: file.exe, 00000000.00000002.1657369461.00000000018D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd
Source: chromecache_75.3.dr	String found in binary or memory: https://apis.google.com/js/api.js
Source: chromecache_83.3.dr	String found in binary or memory: https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage
Source: chromecache_83.3.dr	String found in binary or memory: https://families.google.com/intl/
Source: chromecache_75.3.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/drive_2020q4/v10/192px.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/gmail_2020q4/v10/web-48dp/logo_gmail_2020q4_color_2x_web_
Source: chromecache_75.3.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/maps/v7/192px.svg
Source: chromecache_83.3.dr	String found in binary or memory: https://g.co/recover
Source: chromecache_83.3.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_83.3.dr	String found in binary or memory: https://play.google.com/work/enroll?identifier=
Source: chromecache_83.3.dr	String found in binary or memory: https://play.google/intl/
Source: chromecache_83.3.dr	String found in binary or memory: https://policies.google.com/privacy
Source: chromecache_83.3.dr	String found in binary or memory: https://policies.google.com/privacy/additional
Source: chromecache_83.3.dr	String found in binary or memory: https://policies.google.com/privacy/google-partners
Source: chromecache_83.3.dr	String found in binary or memory: https://policies.google.com/technologies/cookies
Source: chromecache_83.3.dr	String found in binary or memory: https://policies.google.com/technologies/location-data
Source: chromecache_83.3.dr	String found in binary or memory: https://policies.google.com/terms
Source: chromecache_83.3.dr	String found in binary or memory: https://policies.google.com/terms/location
Source: chromecache_83.3.dr	String found in binary or memory: https://policies.google.com/terms/service-specific
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-email-pin.gif
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-password.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-or-voice-pin.gif
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-pin.gif
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-stop-go-landing-page_1x.png
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/animation/
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_device.png
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_pin.png
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync.png
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_1x.png
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_2x.png
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_darkmode_1x.png
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/continue_on_your_phone.png
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_phone_number_verification.png
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_silent_tap_yes_darkmode.gif
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes.gif
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes_darkmode.gif
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success_darkmode.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_dark_v2.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated_darkmode.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_v2.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_not_ready.png
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_1.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_dark_1.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_1.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_darkmode_1.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_1.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_darkmode_1.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_created.png
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device_darkmode.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_full_house.png
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_1.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_darkmode_1.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision_darkmode.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_1.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_darkmode_1.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_1.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_darkmode_1.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device_darkmode.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_stop.png
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/personalization_reminders.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/phone_number_sign_in_2x.png
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop_darkmode.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key.gif
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_ios_center.png
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_laptop.gif
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered.gif
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered_darkmode.gif
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_phone.gif
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_ios.gif
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_pulldown.gif
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_tapyes.gif
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/smart_lock_2x.png
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/usb_key.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/web_and_app_activity.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/who_will_be_using_this_device.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/you_tube_history.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available_dark.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/gmail_ios_authzen.gif
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/paaskey.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge_darkmode.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_darkmode.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device_darkmode.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_darkmode.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error_darkmode.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth_darkmode.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success_darkmode.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror_darkmode.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_dark.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_light.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/screenlock.png
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_ipad.gif
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone.gif
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_nfc.gif
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_usb.gif
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_phone.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_keys.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2_darkmode.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/loading_spinner_gm.gif
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/progress_spinner_color_20dp_4x.gif
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/success-gm-default_2x.png
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/apps/signup/resources/custom-email-address.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/images/hpp/shield_security_checkup_green_2x_web_96dp.png
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_dark_1.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_v1.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_dark_v1.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_v1.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_dark_v1.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_v1.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked_dark.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp_dark.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents_dark.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset_dark.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices_darkmode.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid_dark.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail_dark.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps_darkmode.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_confirmation.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore_dark.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro_darkmode.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18_darkmode.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms_dark.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings_darkmode.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search_darkmode.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18_darkmode.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18_darkmode.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18_darkmode.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_darkmode.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad_dark.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_0.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_dark_0.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization_darkmode.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation_darkmode.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error_darkmode.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork_darkmode.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro_darkmode.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results_darkmode.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search_darkmode.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications_dark.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_2.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_dark_2.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_2.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_dark_2.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_2.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_dark_2.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_2.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_dark_2.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_2.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_dark_3.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_1.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_dark_1.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_1.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_dark_1.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_2.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_dark_2.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_1.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_dark_1.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_2.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_dark_2.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_dark_v2.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_v2.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set_dark.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent_dark.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction_dark.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error_dark.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work_dark.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps_dark.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls_dark.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent_dark.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen_dark.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice_darkmode.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation_dark.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation_dark.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email_dark.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set_darkmode.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set_dark.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_dark.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_v2.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2_dark.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2_dark.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink_dark.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling_dark.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_dark_v2.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_v2.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2_dark.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup_dark.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2_dark.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2_dark.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2_dark.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help_dark.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space.png
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space_dark.png
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol_dark.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation_dark.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits_dark.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2_dark.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess.svg
Source: chromecache_75.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess_dark.svg
Source: chromecache_83.3.dr	String found in binary or memory: https://support.google.com/accounts?hl=
Source: chromecache_83.3.dr	String found in binary or memory: https://support.google.com/accounts?p=new-si-ui
Source: chromecache_83.3.dr	String found in binary or memory: https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072
Source: chromecache_75.3.dr	String found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
Source: chromecache_83.3.dr	String found in binary or memory: https://www.google.com
Source: chromecache_83.3.dr	String found in binary or memory: https://www.google.com/intl/
Source: chromecache_75.3.dr	String found in binary or memory: https://www.gstatic.com/accounts/speedbump/authzen_optin_illustration.gif
Source: chromecache_75.3.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/chrome_48dp.png
Source: chromecache_75.3.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/googleg_48dp.png
Source: chromecache_75.3.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/gsa_48dp.png
Source: chromecache_75.3.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/play_prism_48dp.png
Source: chromecache_75.3.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/youtube_48dp.png
Source: chromecache_83.3.dr	String found in binary or memory: https://www.gstatic.com/images/branding/productlogos/googleg/v6/36px.svg
Source: chromecache_83.3.dr	String found in binary or memory: https://www.youtube.com/t/terms?chromeless=1&hl=
Source: file.exe, 00000000.00000003.1656253064.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1655983297.0000000001704000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: chromecache_83.3.dr	String found in binary or memory: https://youtube.com/t/terms?gl=

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.4:49784 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0064EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0064EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0064ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0064ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0064EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0063AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0063AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00669576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00669576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.1654946688.0000000000692000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_62d67cd5-a
Source: file.exe, 00000000.00000000.1654946688.0000000000692000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_d63b488e-5
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_1f983dc3-8
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_3df37007-b

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0063D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0063D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00631201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00631201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0063E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0063E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005DBF40	0_2_005DBF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00642046	0_2_00642046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D8060	0_2_005D8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00638298	0_2_00638298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0060E4FF	0_2_0060E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0060676B	0_2_0060676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00664873	0_2_00664873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005DCAF0	0_2_005DCAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005FCAA0	0_2_005FCAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005ECC39	0_2_005ECC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00606DD9	0_2_00606DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005EB119	0_2_005EB119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D91C0	0_2_005D91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F1394	0_2_005F1394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F1706	0_2_005F1706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F781B	0_2_005F781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005E997D	0_2_005E997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D7920	0_2_005D7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F19B0	0_2_005F19B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F7A4A	0_2_005F7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F1C77	0_2_005F1C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F7CA7	0_2_005F7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0065BE44	0_2_0065BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00609EEE	0_2_00609EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F1F32	0_2_005F1F32

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 005EF9F2 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 005F0A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@31/30@14/8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006437B5 GetLastError,FormatMessageW,

0_2_006437B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006310BF AdjustTokenPrivileges,CloseHandle,		0_2_006310BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006316C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_006316C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006451CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_006451CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0063D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0063D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0064648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0064648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005D42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_005D42A2

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 13%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=2052,i,10817149236646276970,9107877768745341469,262144 --disable-features=CrashRecovery /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5400 --field-trial-handle=2052,i,10817149236646276970,9107877768745341469,262144 --disable-features=CrashRecovery /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 --field-trial-handle=2052,i,10817149236646276970,9107877768745341469,262144 --disable-features=CrashRecovery /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=2052,i,10817149236646276970,9107877768745341469,262144 --disable-features=CrashRecovery /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5400 --field-trial-handle=2052,i,10817149236646276970,9107877768745341469,262144 --disable-features=CrashRecovery /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 --field-trial-handle=2052,i,10817149236646276970,9107877768745341469,262144 --disable-features=CrashRecovery /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005D42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005F0A76 push ecx; ret

0_2_005F0A89

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005EF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_005EF98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00661C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00661C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-94487

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.2 %

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0063DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0063DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006468EE FindFirstFileW,FindClose,	0_2_006468EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0064698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0064698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0063D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0063D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0063D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0063D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00649642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00649642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0064979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0064979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00649B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00649B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00645C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00645C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005D42DE

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0064EAA2 BlockInput,

0_2_0064EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00602622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00602622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005D42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005F4CE8 mov eax, dword ptr fs:[00000030h]

0_2_005F4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00630B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00630B62

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00602622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00602622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_005F083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F09D5 SetUnhandledExceptionFilter,	0_2_005F09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_005F0C21

Source: C:\Users\user\Desktop\file.exe

0_2_00631201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00612BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00612BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0063B226 SendInput,keybd_event,

0_2_0063B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006522DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_006522DA

Source: C:\Users\user\Desktop\file.exe

0_2_00630B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00631663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00631663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005F0698 cpuid

0_2_005F0698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00648195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00648195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0062D27A GetUserNameW,

0_2_0062D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0060BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0060BB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005D42DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7328, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7328, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00651204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00651204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00651806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00651806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	15 System Information Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Process Injection	2 Valid Accounts	LSA Secrets	12 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	13%	ReversingLabs
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://play.google/intl/	0%	URL Reputation	safe
https://families.google.com/intl/	0%	URL Reputation	safe
https://policies.google.com/technologies/location-data	0%	URL Reputation	safe
https://apis.google.com/js/api.js	0%	URL Reputation	safe
https://policies.google.com/privacy/google-partners	0%	URL Reputation	safe
https://policies.google.com/terms/service-specific	0%	URL Reputation	safe
https://g.co/recover	0%	URL Reputation	safe
https://policies.google.com/privacy/additional	0%	URL Reputation	safe
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	0%	URL Reputation	safe
https://policies.google.com/technologies/cookies	0%	URL Reputation	safe
https://policies.google.com/terms	0%	URL Reputation	safe
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	0%	URL Reputation	safe
https://support.google.com/accounts?hl=	0%	URL Reputation	safe
https://policies.google.com/terms/location	0%	URL Reputation	safe
https://policies.google.com/privacy	0%	URL Reputation	safe
https://support.google.com/accounts?p=new-si-ui	0%	URL Reputation	safe
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
youtube-ui.l.google.com	142.250.186.142	true	false	unknown
www3.l.google.com	142.250.185.142	true	false	unknown
play.google.com	142.250.185.110	true	false	unknown
www.google.com	142.250.185.132	true	false	unknown
youtube.com	142.250.185.142	true	false	unknown
accounts.youtube.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Reputation
https://play.google.com/log?format=json&hasfast=true&authuser=0	false	unknown
https://www.google.com/favicon.ico	false	unknown
https://play.google.com/log?hasfast=true&authuser=0&format=json	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google/intl/	chromecache_83.3.dr	false	URL Reputation: safe	unknown
https://families.google.com/intl/	chromecache_83.3.dr	false	URL Reputation: safe	unknown
https://youtube.com/t/terms?gl=	chromecache_83.3.dr	false		unknown
https://policies.google.com/technologies/location-data	chromecache_83.3.dr	false	URL Reputation: safe	unknown
https://www.google.com/intl/	chromecache_83.3.dr	false		unknown
https://apis.google.com/js/api.js	chromecache_75.3.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/google-partners	chromecache_83.3.dr	false	URL Reputation: safe	unknown
https://play.google.com/work/enroll?identifier=	chromecache_83.3.dr	false		unknown
https://policies.google.com/terms/service-specific	chromecache_83.3.dr	false	URL Reputation: safe	unknown
https://g.co/recover	chromecache_83.3.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/additional	chromecache_83.3.dr	false	URL Reputation: safe	unknown
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	chromecache_83.3.dr	false	URL Reputation: safe	unknown
https://policies.google.com/technologies/cookies	chromecache_83.3.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms	chromecache_83.3.dr	false	URL Reputation: safe	unknown
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	chromecache_75.3.dr	false	URL Reputation: safe	unknown
https://www.google.com	chromecache_83.3.dr	false		unknown
https://play.google.com/log?format=json&hasfast=true	chromecache_83.3.dr	false		unknown
https://www.youtube.com/t/terms?chromeless=1&hl=	chromecache_83.3.dr	false		unknown
https://support.google.com/accounts?hl=	chromecache_83.3.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms/location	chromecache_83.3.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy	chromecache_83.3.dr	false	URL Reputation: safe	unknown
https://support.google.com/accounts?p=new-si-ui	chromecache_83.3.dr	false	URL Reputation: safe	unknown
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	chromecache_83.3.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.184.196	unknown	United States	15169	GOOGLEUS	false
172.217.18.14	unknown	United States	15169	GOOGLEUS	false
142.250.185.132	www.google.com	United States	15169	GOOGLEUS	false
142.250.185.110	play.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.185.142	www3.l.google.com	United States	15169	GOOGLEUS	false
142.250.186.142	youtube-ui.l.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.4

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523556
Start date and time:	2024-10-01 18:50:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@31/30@14/8
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 36 Number of non-executed functions: 315
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.186.163, 142.250.184.206, 64.233.167.84, 34.104.35.123, 172.217.16.131, 142.250.185.163, 142.250.186.106, 172.217.18.10, 216.58.206.42, 142.250.184.202, 142.250.181.234, 142.250.185.74, 172.217.16.202, 216.58.206.74, 142.250.186.138, 216.58.212.138, 142.250.186.42, 172.217.16.138, 216.58.212.170, 142.250.186.170, 142.250.74.202, 142.250.186.74, 142.250.184.234, 142.250.185.106, 142.250.185.170, 142.250.185.234, 142.250.185.202, 142.250.185.138, 199.232.214.172, 192.229.221.95, 142.250.185.67, 64.233.166.84, 142.250.186.78
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, slscr.update.microsoft.com, fonts.gstatic.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com, www.gstatic.com, optimizationguide-pa.googleapis.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	moba-24.2-installer_M64ZB-1.exe	Get hash	malicious	PureLog Stealer	Browse
	Audio_Msg..00299229202324Transcript.html	Get hash	malicious	Unknown	Browse
	https://bit.ly/4eqfXtg	Get hash	malicious	Unknown	Browse
	$R3ET6JM.htm	Get hash	malicious	Unknown	Browse
	moba-24.2-installer_M64ZB-1.exe	Get hash	malicious	PureLog Stealer	Browse
	https://wetransfer.com/downloads/fc718a7028ccd1e273879a61c0883fe420241001145250/8110e2eb5f5a56cc2015d1b3243d9b3120241001145309/33d289?trk=TRN_TDL_01&utm_campaign=TRN_TDL_01&utm_medium=email&utm_source=sendgrid	Get hash	malicious	HTMLPhisher	Browse
	https://k7qo.sarnerholz.cam/APRjVfmk	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	ELECTRONIC RECEIPT_Opcsa.html	Get hash	malicious	EvilProxy, HTMLPhisher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	https://bit.ly/4eqfXtg	Get hash	malicious	Unknown	Browse	4.175.87.197 184.28.90.27
	$R3ET6JM.htm	Get hash	malicious	Unknown	Browse	4.175.87.197 184.28.90.27
	https://k7qo.sarnerholz.cam/APRjVfmk	Get hash	malicious	Unknown	Browse	4.175.87.197 184.28.90.27
	file.exe	Get hash	malicious	Credential Flusher	Browse	4.175.87.197 184.28.90.27
	ELECTRONIC RECEIPT_Opcsa.html	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	4.175.87.197 184.28.90.27
	file.exe	Get hash	malicious	Credential Flusher	Browse	4.175.87.197 184.28.90.27
	Play_VM-Now(Tina.lawvey)CQDM.html	Get hash	malicious	HTMLPhisher	Browse	4.175.87.197 184.28.90.27
	https://www.dropbox.com/l/scl/AADL_v5DzsoHwkyegIhk6J0bQm3A7UWklCA	Get hash	malicious	Unknown	Browse	4.175.87.197 184.28.90.27
	https://k7qo.sarnerholz.cam/APRjVfmk	Get hash	malicious	Unknown	Browse	4.175.87.197 184.28.90.27
	https://0.pwsinc.shop/?MKPT=Inc	Get hash	malicious	Captcha Phish	Browse	4.175.87.197 184.28.90.27

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (683)
Category:	downloaded
Size (bytes):	3131
Entropy (8bit):	5.3750044852869046
Encrypted:	false
SSDEEP:	48:o7zfN/cD498xdg+Y5jNQ8js6npwk0OmNAEZbpMzR4EQBcW5QcHj9KWfGAeFKRrw:oCD9dA5jOEGh+EFqR4rhqUhzff9w
MD5:	39693D34EE3D1829DBB1627C4FC6687B
SHA1:	A03303C2F027F3749B48D5134D1F8FB3E495C6E9
SHA-256:	03B0C1B4E402E0BCF75D530DD9085B25357EEFD09E238453DE1F3A042542C076
SHA-512:	AC0749EDC33DA0EC0E40470388DD797B6528AD08B8FAC1C2AC42F85198131052BA1B533E90409D35DA237607E8B07D591FA6BA580B6A90B0D0AB2282A01F7585
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2UQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlE_AKDvSw5nLjp568Wqpy45S7OTYg/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ZwDk9d,RMhBfe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("ZwDk9d");.var bA=function(a){_.X.call(this,a.Fa)};_.J(bA,_.X);bA.Ba=_.X.Ba;bA.prototype.wR=function(a){return _.af(this,{Wa:{HS:_.ol}}).then(function(b){var c=window._wjdd,d=window._wjdc;return!c&&d?new _.oi(function(e){window._wjdc=function(f){d(f);e(PJa(f,b,a))}}):PJa(c,b,a)})};var PJa=function(a,b,c){return(a=a&&a[c])?a:b.Wa.HS.wR(c)};.bA.prototype.aa=function(a,b){var c=_.csa(b).Gj;if(c.startsWith("$")){var d=_.jm.get(a);_.xq[b]&&(d\|\|(d={},_.jm.set(a,d)),d[c]=_.xq[b],delete _.xq[b],_.yq--);if(d)if(a=d[c])b=_.ef(a);else throw Error("Jb`"+b);else b=null}else b=null;return b};_.iu(_.Mfa,bA);._.l();._.k("SNUn3");._.OJa=new _.uf(_.Ag);._.l();._.k("RMhBfe");.var QJa=function(a){var b=_.wq(a);return b?new _.oi(function(c,d){var e=function(){b=_.wq(a);var f=_.Tfa(a,b);f?c(f.getAttribute("jsdata")):window.document.readyState=="complete"?(f=["Unable to find deferred jsdata wit

Chrome Cache Entry: 72

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	downloaded
Size (bytes):	5430
Entropy (8bit):	3.6534652184263736
Encrypted:	false
SSDEEP:	48:wIJct3xIAxG/7nvWDtZcdYLtX7B6QXL3aqG8Q:wIJct+A47v+rcqlBPG9B
MD5:	F3418A443E7D841097C714D69EC4BCB8
SHA1:	49263695F6B0CDD72F45CF1B775E660FDC36C606
SHA-256:	6DA5620880159634213E197FAFCA1DDE0272153BE3E4590818533FAB8D040770
SHA-512:	82D017C4B7EC8E0C46E8B75DA0CA6A52FD8BCE7FCF4E556CBDF16B49FC81BE9953FE7E25A05F63ECD41C7272E8BB0A9FD9AEDF0AC06CB6032330B096B3702563
Malicious:	false
Reputation:	high, very likely benign file
URL:	https://www.google.com/favicon.ico
Preview:	............ .h...&... .... .........(....... ..... ............................................0...................................................................................................................................v.].X.:.X.:.r.Y........................................q.X.S.4.S.4.S.4.S.4.S.4.S.4...X....................0........q.W.S.4.X.:.................J...A...g.........................K.H.V.8..........................F..B.....................,.......................................B..............................................B..B..B..B..B...u..........................................B..B..B..B..B...{.................5.......k...........................................................7R..8F.................................................2........Vb..5C..;I..................R^.....................0................Xc..5C..5C..5C..5C..5C..5C..lv..........................................]i..<J..:G..Zf....................................................

Chrome Cache Entry: 73

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 52280, version 1.0
Category:	downloaded
Size (bytes):	52280
Entropy (8bit):	7.995413196679271
Encrypted:	true
SSDEEP:	1536:1rvqtK8DZilXxwJ8mMwAZy7phqsFLdG3B4d:xytBZits8bw4wzbFxG3B4d
MD5:	F61F0D4D0F968D5BBA39A84C76277E1A
SHA1:	AA3693EA140ECA418B4B2A30F6A68F6F43B4BEB2
SHA-256:	57147F08949ABABE7DEEF611435AE418475A693E3823769A25C2A39B6EAD9CCC
SHA-512:	6C3BD90F709BCF9151C9ED9FFEA55C4F6883E7FDA2A4E26BF018C83FE1CFBE4F4AA0DB080D6D024070D53B2257472C399C8AC44EEFD38B9445640EFA85D5C487
Malicious:	false
Reputation:	high, very likely benign file
URL:	https://fonts.gstatic.com/s/googlesans/v58/4UaRrENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iq2vgCI.woff2
Preview:	wOF2.......8.....................................^...$..4?HVAR..?MVAR9.`?STAT.',..J/.......`..(..Z.0..R.6.$.... .....K..[..q..c..T.....>.P.j.`.w..#...%......N.".....$..3.0.6......... .L.rX/r[j.y.\|(.4.%#.....2.v.m..-..%.....;-.Y.{..&..O=#l@...k..7g..ZI...#.Z./+T..r7...M..3).Z%.x....s..sL..[A!.51w'/.8V..2Z..%.X.h.o.).]..9..Q`.$.....7..kZ.~O........d..g.n.d.Rw+&....Cz..uy#..fz,(.J....v.%..`..9.....h...?O..:...c%.....6s....xl..#...5..._......1.>.)"U.4 W....?%......6//!$...!.n9C@n...........!""^.....W..Z<.7.x.."UT.T....E.."R>.R..t.....H d..e_.K../.+8.Q.P.ZQ....;...U....]......._.e......71.?.7.ORv.?...l...G\|.P...\|:...I.X..2.,.L........d.g.]}W#uW]QnuP-s.;.-Y.....].......C..j_.M0...y.......J..........NY..@A...,....-.F......'..w./j5g.vUS...U..0.&...y7.LP.....%.....Y......Y..D. e.A..G.?.$.......6...eaK.n5.m...N...,...+BCl..L> .E9~.b[.w.x....6<...}.e...%V....O.......*.?...a..#[eE.4..p..$...].....%......o._......N.._~..El....b..A.0.r8.....\|..D.d..

Chrome Cache Entry: 74

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (533)
Category:	downloaded
Size (bytes):	9210
Entropy (8bit):	5.3872171131917925
Encrypted:	false
SSDEEP:	192:FK/pAzN7GZ068Hqhqu6DQaVapzYjgKItwdiwUsYRTi1j1t9bRl9:FqI7GZ04dRYjghtgisYYbt9ll9
MD5:	AB70454DE18E1CE16E61EAC290FC304D
SHA1:	68532B5E8B262D7E14B8F4507AA69A61146B3C18
SHA-256:	B32D746867CC4FA21FD39437502F401D952D0A3E8DC708DFB7D58B85F256C0F1
SHA-512:	A123C517380BEF0B47F23A5A6E1D16650FE39D9C701F9FA5ADD79294973C118E8EA3A7BA32CB63C3DFC0CE0F843FB86BFFCAA2AAE987629E7DFF84F176DEBB98
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2UQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PrPYRd,Rkm0ef,SCuOPb,STuCOe,SpsfSb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,byfTOb,cYShmd,eVCnO,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,qPfo0c,qmdT9,rCcCxc,siKnQd,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlE_AKDvSw5nLjp568Wqpy45S7OTYg/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ltDFwf,SD8Jgb,rmumx,E87wgc,qPYxq,Tbb4sb,pxq3x,f8Gu1e,soHxf,YgOFye,yRXbo,bTi8wc,ywOR5c,PHUIyb"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.gNa=_.y("SD8Jgb",[]);._.QX=function(a,b){if(typeof b==="string")a.Nc(b);else if(b instanceof _.Ip&&b.ia&&b.ia===_.B)b=_.$a(b.ww()),a.empty().append(b);else if(b instanceof _.Wa)b=_.$a(b),a.empty().append(b);else if(b instanceof Node)a.empty().append(b);else throw Error("Vf");};_.RX=function(a){var b=_.Lo(a,"[jsslot]");if(b.size()>0)return b;b=new _.Jo([_.Qk("span")]);_.Mo(b,"jsslot","");a.empty().append(b);return b};_.TKb=function(a){return a===null\|\|typeof a==="string"&&_.Ki(a)};._.k("SD8Jgb");._.WX=function(a){_.Y.call(this,a.Fa);this.Ua=a.controller.Ua;this.kd=a.controllers.kd[0]\|\|null;this.header=a.controller.header;this.nav=a.controller.nav;var b;(b=this.oa().find("button:not([type])").el())==null\|\|b.setAttribute("type","button")};_.J(_.WX,_.Y);_.WX.Ba=function(){return{controller:{Ua:{jsname:"n7vHCb",ctor:_.hv},header:{jsname:"tJHJj",ctor:_.hv},nav:{jsname:"DH6Rkf",ct

Chrome Cache Entry: 75

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (553)
Category:	downloaded
Size (bytes):	603951
Entropy (8bit):	5.789948199046733
Encrypted:	false
SSDEEP:	3072:H0pApkygA62bwwdnO2YflNYhFGOizdGj008PpVVM96C5bMEPQUhts6FV8eKqtVAT:HlgNmwwdnOsF98oNGuQRAYqXsI1+
MD5:	347C4D39594D38A3D6809E18ADD124A6
SHA1:	DB975BC89E63D7A9942B1DFC5861D4EB13BFA78B
SHA-256:	B64E99E9CCC589D315F53868A2140154B16609A246D90BC4052CA5DA5B7BF6E1
SHA-512:	774F9F7EFDE53E8D884A06514039947E9D6399A8B0DA703FC290213D1832F9FB877C0D8B925B33A01AA85BCA203038A1D18E87991193DE349E90F5D4329D3CB8
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/am=xIFgKBi2UQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/excm=_b,_tp,identifierview/ed=1/dg=0/wt=2/ujg=1/rs=AOaEmlFOppGSZx8socZIrVC7cvQS0xsEZw/m=_b,_tp"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._._F_toggles_initialize=function(a){(typeof globalThis!=="undefined"?globalThis:typeof self!=="undefined"?self:this)._F_toggles=a\|\|[]};(0,_._F_toggles_initialize)([0x286081c4, 0x2146d860, 0x1ce13c40, 0x51407a0, 0x1908, 0x0, 0x1b400000, 0x19a00000, 0x0, ]);./.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0././.. Copyright Google LLC. SPDX-License-Identifier: Apache-2.0././.. Copyright 2024 Google, Inc. SPDX-License-Identifier: MIT././. SPDX-License-Identifier: Apache-2.0././. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0./.var baa,daa,Na,Ua,gaa,iaa,lb,qaa,xaa,Daa,Iaa,Laa,Mb,Maa,Rb,Vb,Wb,Naa,Oaa,Xb,Paa,Qaa,Raa,ac,Waa,Yaa,ic,jc,kc,cba,dba,hba,kba,mba,nba,rba,uba,oba,tba,sba,qba,pba,vba,zba,Dba,Eba,Bba,Kc,Lc,Hba,Jba,Nba,Oba,Pba,Qba,Mba,Rba,Tba,gd,Vba,Wba,Yba,$ba,Zba,bca,cca,dca,eca,gca,fca,ica,jca,kca,lca,oca,r

Chrome Cache Entry: 76

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (522)
Category:	downloaded
Size (bytes):	5049
Entropy (8bit):	5.317800104741948
Encrypted:	false
SSDEEP:	96:oHX9gPiPrfnHhsB0TR6kg1oDPJzLmM18Vh1z2fEZ54TZtnqj6w:EtEAr6BmPZtOeEvW/ncP
MD5:	CE53EF566B68CCF2D62FA044CFB0D138
SHA1:	F48EC60289F2B55E8B388601206888F8295B1EB1
SHA-256:	E6CC5114D92811D5DE0663266D4B63F367834AFA0FC3BAFA54F707038C59D010
SHA-512:	20B434881DE971E263669E6096C01665D4D35B0FBFF47D312A4A442645EE962A8CE6AD7E68246D4EE9691BD30D9B1DDCF7059226492E1B58CD3191B63B001E4D
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2UQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlE_AKDvSw5nLjp568Wqpy45S7OTYg/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=wg1P6b"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.$Ma=_.y("wg1P6b",[_.OA,_.Fn,_.Rn]);._.k("wg1P6b");.var M5a;M5a=_.oh(["aria-"]);._.mJ=function(a){_.Y.call(this,a.Fa);this.Ja=this.ta=this.aa=this.viewportElement=this.La=null;this.Tc=a.Ea.qf;this.ab=a.Ea.focus;this.Lc=a.Ea.Lc;this.ea=this.Ei();a=-1*parseInt(_.Fo(this.Ei().el(),"marginTop")\|\|"0",10);var b=parseInt(_.Fo(this.Ei().el(),"marginBottom")\|\|"0",10);this.Ta={top:a,right:0,bottom:b,left:0};a=_.gf(this.getData("isMenuDynamic"),!1);b=_.gf(this.getData("isMenuHoisted"),!1);this.Ga=a?1:b?2:0;this.ka=!1;this.Ca=1;this.Ga!==1&&(this.aa=this.Sa("U0exHf").children().Sc(0),_.fu(this,.N5a(this,this.aa.el())));_.mF(this.oa())&&(a=this.oa().el(),b=this.De.bind(this),a.__soy_skip_handler=b)};_.J(_.mJ,_.Y);_.mJ.Ba=function(){return{Ea:{qf:_.SE,focus:_.BE,Lc:_.mu}}};_.mJ.prototype.pF=function(a){var b=a.source;this.La=b;var c;((c=a.data)==null?0:c.Jy)?(a=a.data.Jy,this.Ca=a==="MOUS

Chrome Cache Entry: 77

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (1694)
Category:	downloaded
Size (bytes):	32499
Entropy (8bit):	5.361345284201954
Encrypted:	false
SSDEEP:	768:mLX1O+aL6fgyIiREM4RKmh90toLoTswtF3ATcbDR6kIsnJd9DPyMv/FI:U2M4oltoLoTswtFoc/tIsnXFLI
MD5:	D5C3FB8EAE24AB7E40009338B5078496
SHA1:	5638BF5986A6445A88CD79A9B690B744B126BEC2
SHA-256:	597C14D360D690BCFDC2B8D315E6BB8879AEF33DE6C30D274743079BDB63C6B0
SHA-512:	6AE434850D473BEF15AA694AB4862596982CDDA6BD3991991D3ADD8F4A5F61DFBF8756D0DA98B72EF083909D68CF7B6B148A6488E9381F92FBF15CCB20176A0E
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2UQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=_b,_tp/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlE_AKDvSw5nLjp568Wqpy45S7OTYg/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=byfTOb,lsjVmc,LEikZe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{.var qua=function(a,b){this.da=a;this.ea=b;if(!c){var c=new _.gp("//www.google.com/images/cleardot.gif");_.rp(c)}this.ka=c};_.h=qua.prototype;_.h.Vc=null;_.h.QY=1E4;_.h.Iz=!1;_.h.TP=0;_.h.qJ=null;_.h.DU=null;_.h.setTimeout=function(a){this.QY=a};_.h.start=function(){if(this.Iz)throw Error("dc");this.Iz=!0;this.TP=0;rua(this)};_.h.stop=function(){sua(this);this.Iz=!1};.var rua=function(a){a.TP++;navigator!==null&&"onLine"in navigator&&!navigator.onLine?_.om((0,_.eg)(a.JG,a,!1),0):(a.aa=new Image,a.aa.onload=(0,_.eg)(a.Xia,a),a.aa.onerror=(0,_.eg)(a.Wia,a),a.aa.onabort=(0,_.eg)(a.Via,a),a.qJ=_.om(a.Yia,a.QY,a),a.aa.src=String(a.ka))};_.h=qua.prototype;_.h.Xia=function(){this.JG(!0)};_.h.Wia=function(){this.JG(!1)};_.h.Via=function(){this.JG(!1)};_.h.Yia=function(){this.JG(!1)};._.h.JG=function(a){sua(this);a?(this.Iz=!1,this.da.call(this.ea,!0)):this.TP<=0?rua(this):(this.Iz=!1,

Chrome Cache Entry: 78

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (681)
Category:	downloaded
Size (bytes):	4070
Entropy (8bit):	5.362700670482359
Encrypted:	false
SSDEEP:	96:GUpT+TmXtdW1qsHFcn7t7CnyWYvNTcLaQOw:lpT+qXW1PFcn7tGnyWY1TGb
MD5:	ED368A20CB303C0E7C6A3E6E43C2E14F
SHA1:	429A5C538B45221F80405163D1F87912DD73C05A
SHA-256:	93BA77AD4B11E0A70C0D36576F0DF24E27F50001EA02BAA6D357E034532D97F2
SHA-512:	DE74BBADE910475DD245FFEFD4E1FD10137DE710B1C920D33BA52554911496E1339EF3C1F6D9D315CBC98A60ABE5687A3E7D8BEE483708E18D25722E794BDBE9
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2UQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlE_AKDvSw5nLjp568Wqpy45S7OTYg/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=sOXFj,q0xTif,ZZ4WUe"
Preview:	"use strict";_F_installCss(".N7rBcd{overflow-x:auto}sentinel{}");.this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.zg(_.dqa);._.k("sOXFj");.var ou=function(a){_.X.call(this,a.Fa)};_.J(ou,_.X);ou.Ba=_.X.Ba;ou.prototype.aa=function(a){return a()};_.iu(_.cqa,ou);._.l();._.k("oGtAuc");._.oya=new _.uf(_.dqa);._.l();._.k("q0xTif");.var iza=function(a){var b=function(d){_.Zn(d)&&(_.Zn(d).Gc=null,_.yu(d,null));d.XyHi9&&(d.XyHi9=null)};b(a);a=a.querySelectorAll("[c-wiz]");for(var c=0;c<a.length;c++)b(a[c])},Ku=function(a){_.et.call(this,a.Fa);this.Qa=this.dom=null;if(this.Vk()){var b=_.Jm(this.Mg(),[_.Om,_.Nm]);b=_.ri([b[_.Om],b[_.Nm]]).then(function(c){this.Qa=c[0];this.dom=c[1]},null,this);_.cu(this,b)}this.Ra=a.Xl.Hda};_.J(Ku,_.et);Ku.Ba=function(){return{Xl:{Hda:function(a){return _.Ye(a)}}}};Ku.prototype.yp=function(a){return this.Ra.yp(a)};.Ku.prototype.getData=function(a){return this.Ra.getData(a)};Ku.prototype.vp=function(){_.Ft(this.d

Chrome Cache Entry: 79

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (395)
Category:	downloaded
Size (bytes):	1608
Entropy (8bit):	5.280977407061266
Encrypted:	false
SSDEEP:	48:o7YNJvl3WlENrpB3stYCIgMxILNH/wf7DVTBpdQrw:oApB8iDwYlGw
MD5:	4FB66582D37D04933F00E49C2FBA34D4
SHA1:	3DB09C53BBEB1EEB045A001356E498D8EF30915D
SHA-256:	A97DAC01ABFE3EB75C7C97D504E21BDDDADDB6EBE0B56B6A9A10CD3700CAB41B
SHA-512:	2AEB3A6CFFBF6EFA626EBDC9E11ACBAC04BFE986F98FBC050B2501898B289C67D392ED195D16ACC9565EF8784401ADA1E88188CDE3A7AB12D98BB5ED7D8A5711
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2UQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlE_AKDvSw5nLjp568Wqpy45S7OTYg/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=w9hDv,ZDZcre,A7fCU"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("w9hDv");._.zg(_.Kla);_.$z=function(a){_.X.call(this,a.Fa);this.aa=a.Wa.cache};_.J(_.$z,_.X);_.$z.Ba=function(){return{Wa:{cache:_.Zs}}};_.$z.prototype.execute=function(a){_.Gb(a,function(b){var c;_.df(b)&&(c=b.eb.jc(b.jb));c&&this.aa.oG(c)},this);return{}};_.iu(_.Qla,_.$z);._.l();._.k("ZDZcre");.var ZG=function(a){_.X.call(this,a.Fa);this.Nl=a.Ea.Nl;this.G3=a.Ea.metadata;this.aa=a.Ea.Ws};_.J(ZG,_.X);ZG.Ba=function(){return{Ea:{Nl:_.DG,metadata:_.HZa,Ws:_.AG}}};ZG.prototype.execute=function(a){var b=this;a=this.aa.create(a);return _.Gb(a,function(c){var d=b.G3.getType(c.Md())===2?b.Nl.Pb(c):b.Nl.fetch(c);return _.Jl(c,_.EG)?d.then(function(e){return _.Jd(e)}):d},this)};_.iu(_.Vla,ZG);._.l();._.k("K5nYTd");._.GZa=new _.uf(_.Rla);._.l();._.k("sP4Vbe");.._.l();._.k("kMFpHd");.._.l();._.k("A7fCU");.var GG=function(a){_.X.call(this,a.Fa);this.aa=a.Ea.ZP};_.J(GG,_.X);GG.Ba=func

Chrome Cache Entry: 80

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (468)
Category:	downloaded
Size (bytes):	1858
Entropy (8bit):	5.253939888205379
Encrypted:	false
SSDEEP:	48:o7BNJfeFb8L3A6FHqIy5Z+d70OCzSfvi/3fM/r8ZQzRrw:oFuILhFHrVCz0vLZz9w
MD5:	10FF6F99E3228E96AFD6E2C30EF97C0A
SHA1:	4AE3DCB8D1F5A0C302D5BAD9DFF5050A7A5E8130
SHA-256:	95E5546E1C7F311D07BB5050CC456A973E43BCC4777BA6014757376016537679
SHA-512:	116C0B1CAC98A27044100005545AB66BE5F4801D75DC259093A9F145B3A4ACD8DC1C360AF525F6DC8421CD54B675A78023D2ED8B57F5946A3969543758C673C9
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2UQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlE_AKDvSw5nLjp568Wqpy45S7OTYg/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=iAskyc,ziXSP"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("iAskyc");._.$Z=function(a){_.X.call(this,a.Fa);this.window=a.Ea.window.get();this.Mc=a.Ea.Mc};_.J(_.$Z,_.X);_.$Z.Ba=function(){return{Ea:{window:_.lu,Mc:_.vE}}};_.$Z.prototype.Mo=function(){};_.$Z.prototype.addEncryptionRecoveryMethod=function(){};_.a_=function(a){return(a==null?void 0:a.Go)\|\|function(){}};_.b_=function(a){return(a==null?void 0:a.N2)\|\|function(){}};_.OOb=function(a){return(a==null?void 0:a.Mp)\|\|function(){}};._.POb=function(a){return new Map(Array.from(a,function(b){var c=_.n(b);b=c.next().value;c=c.next().value;return[b,c.map(function(d){return{epoch:d.epoch,key:new Uint8Array(d.key)}})]}))};_.QOb=function(a){setTimeout(function(){throw a;},0)};_.$Z.prototype.WN=function(){return!0};_.iu(_.Dn,_.$Z);._.l();._.k("ziXSP");.var t_=function(a){_.$Z.call(this,a.Fa)};_.J(t_,_.$Z);t_.Ba=_.$Z.Ba;t_.prototype.Mo=function(a,b,c){var d;if((d=this.window.chrome)==nu

Chrome Cache Entry: 81

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (3346)
Category:	downloaded
Size (bytes):	22827
Entropy (8bit):	5.420322672717721
Encrypted:	false
SSDEEP:	384:/jqdWXWfyA20UUjDE8BSUxDJs16KHvSN34kaHaN+587SaXD2mLR0H:/jqdWXAUUjDE84Wi6KPSKjHaN+58+0J2
MD5:	2B29741A316862EE788996DD29116DD5
SHA1:	9D5551916D4452E977C39B8D69CF88DF2AAA462B
SHA-256:	62955C853976B722EFBB4C116A10DB3FF54580EDD7495D280177550B8F4289AB
SHA-512:	6E37C3258F07F29909763728DADE0CD40A3602D55D9099F78B37756926FCF2A50008B82876B518FEAF3E56617F0F7D1D37A73C346A99A58E6AD8BCD6689E9B15
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2UQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlE_AKDvSw5nLjp568Wqpy45S7OTYg/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=RqjULd"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.pu.prototype.da=_.ca(38,function(){return _.vj(this,3)});_.Vy=function(a,b){this.key=a;this.defaultValue=!1;this.flagName=b};_.Vy.prototype.ctor=function(a){return typeof a==="boolean"?a:this.defaultValue};_.Wy=function(){this.ka=!0;var a=_.Bj(_.jk(_.Fe("TSDtV",window),_.pya),_.pu,1,_.uj())[0];if(a){var b={};for(var c=_.n(_.Bj(a,_.qya,2,_.uj())),d=c.next();!d.done;d=c.next()){d=d.value;var e=_.Nj(d,1).toString();switch(_.xj(d,_.qu)){case 3:b[e]=_.Lj(d,_.pj(d,_.qu,3));break;case 2:b[e]=_.Nj(d,_.pj(d,_.qu,2));break;case 4:b[e]=_.Oj(d,_.pj(d,_.qu,4));break;case 5:b[e]=_.L(d,_.pj(d,_.qu,5));break;case 6:b[e]=_.Sj(d,_.kf,6,_.qu);break;default:throw Error("id`"+_.xj(d,_.qu));}}}else b={};this.ea=b;this.token=.a?a.da():null};_.Wy.prototype.aa=function(a){if(!this.ka\|\|a.key in this.ea)a=a.ctor(this.ea[a.key]);else if(_.Fe("nQyAE",window)){var b=_.sya(a.flagName);if(b===null)a=a.def

Chrome Cache Entry: 82

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	84
Entropy (8bit):	4.875266466142591
Encrypted:	false
SSDEEP:	3:DZFJu0+WVTBCq2Bjdw2KsJJuYHSKnZ:lFJuuVTBudw29nu4SKZ
MD5:	87B6333E98B7620EA1FF98D1A837A39E
SHA1:	105DE6815B0885357DE1414BFC0D77FCC9E924EF
SHA-256:	DCD3C133C5C40BECD4100BBE6EDAE84C9735E778E4234A5E8395C56FF8A733BA
SHA-512:	867D7943D813685FAA76394E53199750C55817E836FD19C933F74D11E9657CE66719A6D6B2E39EE1DE62358BCE364E38A55F4E138DF92337DE6985DDCD5D0994
Malicious:	false
URL:	https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xMzISHgmA6QC9dWevzxIFDRkBE_oSBQ3oIX6GEgUN05ioBw==?alt=proto
Preview:	Cj0KBw0ZARP6GgAKKQ3oIX6GGgQISxgCKhwIClIYCg5AIS4jJF8qLSY/Ky8lLBABGP////8PCgcN05ioBxoA

Chrome Cache Entry: 83

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (5693)
Category:	downloaded
Size (bytes):	697429
Entropy (8bit):	5.593310312179182
Encrypted:	false
SSDEEP:	6144:TYNlxfbDTYDhzCTNoygVWyJb5eGpbL2Mp15gI8seqfh53p+rrvV7i:T25bDTYB+qeGB+Nu
MD5:	92F0F5E28355D863ACB77313F1E675DE
SHA1:	8AD6F9B535D5B8952A4ADCCC57E4A4E0723F1E8D
SHA-256:	F903AE346609A2872554A3D8FFBDB1836CB5C8B7AAAED4C3F8296B887E03D833
SHA-512:	0C81A6CD850C6ACDBE9CCCBA00BBA34CDE1E09E8572814AE8E55DBED3C2B56F0B020359841F8217843B3403847DF46FA1C82229684F762A73C8110CE45898DAF
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2UQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=LEikZe,_b,_tp,byfTOb,lsjVmc/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlE_AKDvSw5nLjp568Wqpy45S7OTYg/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=n73qwf,SCuOPb,IZT63,vfuNJf,UUJqVe,ws9Tlc,siKnQd,XVq9Qb,STuCOe,njlZCf,m9oV,vjKJJ,y5vRwf,iyZMqd,NTMZac,mzzZzc,rCcCxc,vvMGie,K1ZKnb,ziZ8Mc,b3kMqb,mvkUhe,CMcBD,Fndnac,t2srLd,EN3i8d,z0u0L,xiZRqc,NOeYWe,O6y8ed,L9OGUe,PrPYRd,MpJwZc,qPfo0c,cYShmd,hc6Ubd,Rkm0ef,KUM7Z,oLggrd,inNHtf,L1AAkb,WpP9Yc,lwddkf,gJzDyc,SpsfSb,aC1iue,tUnxGc,aW3pY,ZakeSe,EFQ78c,xQtZb,I6YDgd,zbML3c,zr1jrb,vHEMJe,YHI3We,YTxL4,bSspM,Uas9Hd,zy0vNb,K0PMbc,AvtSve,qmdT9,MY7mZe,xBaz7b,GwYlN,eVCnO,EIOG1e,LDQI"
Preview:	"use strict";_F_installCss(".r4WGQb{position:relative}.Dl08I>:first-child{margin-top:0}.Dl08I>:last-child{margin-bottom:0}.IzwVE{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-family:\"Google Sans\",roboto,\"Noto Sans Myanmar UI\",arial,sans-serif;font-size:1.25rem;font-weight:400;letter-spacing:0rem;line-height:1.2}.l5PPKe{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-size:1rem}.l5PPKe .dMNVAe{margin:0;padding:0}.l5PPKe>:first-child{margin-top:0;padding-top:0}.l5PPKe>:last-child{margin-bottom:0;padding-bottom:0}.Dl08I{margin:0;padding:0;position:relative}.Dl08I>.SmR8:only-child{padding-top:1px}.Dl08I>.SmR8:only-child::before{top:0}.Dl08I>.SmR8:not(first-child){padding-bottom:1px}.Dl08I>.SmR8::after{bottom:0}.Dl08I>.SmR8:only-child::before,.Dl08I>.SmR8::after{border-bottom:1px solid #c4c7c5;border-bottom:1px solid var(--gm3-sys-color-outline-variant,#c4c7c5);content:\"\";height:0;left:0;position:absolute;width:100%}.aZvCDf{margin-top:8px;margin-left

Chrome Cache Entry: 84

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (569)
Category:	downloaded
Size (bytes):	3471
Entropy (8bit):	5.5174491302699495
Encrypted:	false
SSDEEP:	96:ojAmjTJ/fJgpIcB7Fd2tilGBEMO/A6VxV08w:vUTJpgDJXM0ApJ
MD5:	2D999C87DD54C7FE6400D267C33FBB23
SHA1:	414C3A329C2760325EDBACBD7A221D7F8DBFEEE8
SHA-256:	76D55A1AFC1D39CB04D60EB04E45A538A0E75EE2871561C84CC89B1C13596BCC
SHA-512:	72D923BB71DD147139962FF8E2BD0E336E0F6409C212AC2F25387D0F3B4FC9365F5A6D40E2980BB1065534888362C97D6B7663E362D29166B5915D2A9DA7D238
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2UQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,wg1P6b,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlE_AKDvSw5nLjp568Wqpy45S7OTYg/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=Wt6vjf,hhhU8,FCpbqb,WhJNk"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("Wt6vjf");.var Txa=function(){var a=_.Ke();return _.L(a,1)},Tt=function(a){this.Da=_.t(a,0,Tt.messageId)};_.J(Tt,_.w);Tt.prototype.Ha=function(){return _.Hj(this,1)};Tt.prototype.Va=function(a){return _.Yj(this,1,a)};Tt.messageId="f.bo";var Ut=function(){_.km.call(this)};_.J(Ut,_.km);Ut.prototype.ud=function(){this.jT=!1;Uxa(this);_.km.prototype.ud.call(this)};Ut.prototype.aa=function(){Vxa(this);if(this.hC)return Wxa(this),!1;if(!this.sV)return Vt(this),!0;this.dispatchEvent("p");if(!this.fP)return Vt(this),!0;this.jM?(this.dispatchEvent("r"),Vt(this)):Wxa(this);return!1};.var Xxa=function(a){var b=new _.gp(a.z4);a.WP!=null&&_.Mn(b,"authuser",a.WP);return b},Wxa=function(a){a.hC=!0;var b=Xxa(a),c="rt=r&f_uid="+_.sk(a.fP);_.fn(b,(0,_.eg)(a.ea,a),"POST",c)};.Ut.prototype.ea=function(a){a=a.target;Vxa(this);if(_.jn(a)){this.RJ=0;if(this.jM)this.hC=!1,this.dispatchEvent("r")

Chrome Cache Entry: 85

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (755)
Category:	downloaded
Size (bytes):	1460
Entropy (8bit):	5.316515499943097
Encrypted:	false
SSDEEP:	24:kMYD7DduJqrxsNL90YIzFK/Hb5eNhz1uktdDuvKKKGbLZ99GbSSF/ZR8OkdnprGJ:o7DQJopFN+ASCKKGbF99GbSS3RY7rw
MD5:	D97AB4594FC610665FF2763A650EE6A8
SHA1:	5C7459CA838D27BE45745571D8D96D156F4B9F8D
SHA-256:	767D778369623FD8F5FB98D3BCC3130D05D02CBE0B9B88DD226F43281B14E9AF
SHA-512:	CE4941B41C3A8CC983C1BBCC87EF682823CB9DB24EA7A570E35BBF832046340D433F7D47211384B61FA38F3527CC35C195A6068CCB24B48E1F492C5B4D4192A1
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBi2UQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlE_AKDvSw5nLjp568Wqpy45S7OTYg/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=P6sQOc"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("lOO0Vd");._.HZa=new _.uf(_.Km);._.l();._.k("P6sQOc");.var MZa=!!(_.Nh[1]&16);var OZa=function(a,b,c,d,e){this.ea=a;this.ta=b;this.ka=c;this.Ca=d;this.Ga=e;this.aa=0;this.da=NZa(this)},PZa=function(a){var b={};_.Ma(a.hS(),function(e){b[e]=!0});var c=a.WR(),d=a.cS();return new OZa(a.XO(),c.aa()1E3,a.oR(),d.aa()1E3,b)},NZa=function(a){return Math.random()Math.min(a.taMath.pow(a.ka,a.aa),a.Ca)},HG=function(a,b){return a.aa>=a.ea?!1:b!=null?!!a.Ga[b]:!0};var IG=function(a){_.X.call(this,a.Fa);this.da=a.Ea.mV;this.ea=a.Ea.metadata;a=a.Ea.lga;this.fetch=a.fetch.bind(a)};_.J(IG,_.X);IG.Ba=function(){return{Ea:{mV:_.KZa,metadata:_.HZa,lga:_.AZa}}};IG.prototype.aa=function(a,b){if(this.ea.getType(a.Md())!==1)return _.Vm(a);var c=this.da.JU;return(c=c?PZa(c):null)&&HG(c)?_.mya(a,QZa(this,a,b,c)):_.Vm(a)};.var QZa=function(a,b,c,d){return c.then(function(e){return e},function(e)

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.5797684864265795
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	917'504 bytes
MD5:	536a43d3de5f4acf818bb41029651839
SHA1:	1ded3dacb997d6977f47c7a8358b302658007a09
SHA256:	803c36cb6711cb22db01a4a3cb2ff7685ba82841e688d6aa703d0fc72e763cbb
SHA512:	f4ef677f5bc042ec4410cc8a3ebf48f9e6e63b68fc94bd53028e5bc5b84a7949466ea48d9fdd58906f811e13d77eb2b6a2a8ef25767998e26a8e59611fe0f7c6
SSDEEP:	12288:YqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgagTn:YqDEvCTbMWu7rQYlBQcBiT6rprG8a4n
TLSH:	45159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FC2706 [Tue Oct 1 16:44:54 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FA6B8F4F1E3h
jmp 00007FA6B8F4EAEFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FA6B8F4ECCDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FA6B8F4EC9Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FA6B8F5188Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FA6B8F518D8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FA6B8F518C1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x95ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x95ac	0x9600	46a2063796f7593204e016fd7c3a1a5f	False	0.286015625	data	5.164194835659661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x874	data			1.005083179297597
RT_GROUP_ICON	0xdd02c	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd0a4	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd0b8	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd0cc	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd0e0	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd1bc	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 18:50:53.671353102 CEST	49675	443	192.168.2.4	173.222.162.32
Oct 1, 2024 18:50:59.731123924 CEST	49732	443	192.168.2.4	142.250.185.142
Oct 1, 2024 18:50:59.731156111 CEST	443	49732	142.250.185.142	192.168.2.4
Oct 1, 2024 18:50:59.731214046 CEST	49732	443	192.168.2.4	142.250.185.142
Oct 1, 2024 18:50:59.733098030 CEST	49732	443	192.168.2.4	142.250.185.142
Oct 1, 2024 18:50:59.733112097 CEST	443	49732	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:00.448235035 CEST	443	49732	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:00.459934950 CEST	49732	443	192.168.2.4	142.250.185.142
Oct 1, 2024 18:51:00.459945917 CEST	443	49732	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:00.460484028 CEST	443	49732	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:00.460546970 CEST	49732	443	192.168.2.4	142.250.185.142
Oct 1, 2024 18:51:00.461082935 CEST	443	49732	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:00.461131096 CEST	49732	443	192.168.2.4	142.250.185.142
Oct 1, 2024 18:51:00.466578960 CEST	49732	443	192.168.2.4	142.250.185.142
Oct 1, 2024 18:51:00.466639996 CEST	443	49732	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:00.467147112 CEST	49732	443	192.168.2.4	142.250.185.142
Oct 1, 2024 18:51:00.467154026 CEST	443	49732	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:00.513729095 CEST	49732	443	192.168.2.4	142.250.185.142
Oct 1, 2024 18:51:00.770509958 CEST	443	49732	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:00.778713942 CEST	443	49732	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:00.778768063 CEST	49732	443	192.168.2.4	142.250.185.142
Oct 1, 2024 18:51:00.779166937 CEST	49732	443	192.168.2.4	142.250.185.142
Oct 1, 2024 18:51:00.779179096 CEST	443	49732	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:00.790359020 CEST	49736	443	192.168.2.4	142.250.186.142
Oct 1, 2024 18:51:00.790412903 CEST	443	49736	142.250.186.142	192.168.2.4
Oct 1, 2024 18:51:00.790476084 CEST	49736	443	192.168.2.4	142.250.186.142
Oct 1, 2024 18:51:00.790723085 CEST	49736	443	192.168.2.4	142.250.186.142
Oct 1, 2024 18:51:00.790755033 CEST	443	49736	142.250.186.142	192.168.2.4
Oct 1, 2024 18:51:01.436279058 CEST	443	49736	142.250.186.142	192.168.2.4
Oct 1, 2024 18:51:01.436830997 CEST	49736	443	192.168.2.4	142.250.186.142
Oct 1, 2024 18:51:01.436881065 CEST	443	49736	142.250.186.142	192.168.2.4
Oct 1, 2024 18:51:01.437326908 CEST	443	49736	142.250.186.142	192.168.2.4
Oct 1, 2024 18:51:01.437390089 CEST	49736	443	192.168.2.4	142.250.186.142
Oct 1, 2024 18:51:01.438054085 CEST	443	49736	142.250.186.142	192.168.2.4
Oct 1, 2024 18:51:01.438106060 CEST	49736	443	192.168.2.4	142.250.186.142
Oct 1, 2024 18:51:01.441107035 CEST	49736	443	192.168.2.4	142.250.186.142
Oct 1, 2024 18:51:01.441174030 CEST	443	49736	142.250.186.142	192.168.2.4
Oct 1, 2024 18:51:01.441323996 CEST	49736	443	192.168.2.4	142.250.186.142
Oct 1, 2024 18:51:01.441339970 CEST	443	49736	142.250.186.142	192.168.2.4
Oct 1, 2024 18:51:01.483102083 CEST	49736	443	192.168.2.4	142.250.186.142
Oct 1, 2024 18:51:01.754308939 CEST	443	49736	142.250.186.142	192.168.2.4
Oct 1, 2024 18:51:01.754323959 CEST	443	49736	142.250.186.142	192.168.2.4
Oct 1, 2024 18:51:01.754410982 CEST	49736	443	192.168.2.4	142.250.186.142
Oct 1, 2024 18:51:01.754460096 CEST	443	49736	142.250.186.142	192.168.2.4
Oct 1, 2024 18:51:01.754686117 CEST	443	49736	142.250.186.142	192.168.2.4
Oct 1, 2024 18:51:01.754883051 CEST	49736	443	192.168.2.4	142.250.186.142
Oct 1, 2024 18:51:01.756517887 CEST	49736	443	192.168.2.4	142.250.186.142
Oct 1, 2024 18:51:01.756550074 CEST	443	49736	142.250.186.142	192.168.2.4
Oct 1, 2024 18:51:01.756571054 CEST	49736	443	192.168.2.4	142.250.186.142
Oct 1, 2024 18:51:01.757286072 CEST	49736	443	192.168.2.4	142.250.186.142
Oct 1, 2024 18:51:03.280317068 CEST	49675	443	192.168.2.4	173.222.162.32
Oct 1, 2024 18:51:04.087033033 CEST	49741	443	192.168.2.4	142.250.185.132
Oct 1, 2024 18:51:04.087089062 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 18:51:04.087174892 CEST	49741	443	192.168.2.4	142.250.185.132
Oct 1, 2024 18:51:04.087377071 CEST	49741	443	192.168.2.4	142.250.185.132
Oct 1, 2024 18:51:04.087424040 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 18:51:04.137927055 CEST	49742	443	192.168.2.4	184.28.90.27
Oct 1, 2024 18:51:04.137948990 CEST	443	49742	184.28.90.27	192.168.2.4
Oct 1, 2024 18:51:04.138016939 CEST	49742	443	192.168.2.4	184.28.90.27
Oct 1, 2024 18:51:04.139468908 CEST	49742	443	192.168.2.4	184.28.90.27
Oct 1, 2024 18:51:04.139481068 CEST	443	49742	184.28.90.27	192.168.2.4
Oct 1, 2024 18:51:04.760359049 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 18:51:04.760556936 CEST	49741	443	192.168.2.4	142.250.185.132
Oct 1, 2024 18:51:04.760592937 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 18:51:04.761493921 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 18:51:04.761552095 CEST	49741	443	192.168.2.4	142.250.185.132
Oct 1, 2024 18:51:04.762502909 CEST	49741	443	192.168.2.4	142.250.185.132
Oct 1, 2024 18:51:04.762572050 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 18:51:04.810405016 CEST	49741	443	192.168.2.4	142.250.185.132
Oct 1, 2024 18:51:04.810426950 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 18:51:04.811789989 CEST	443	49742	184.28.90.27	192.168.2.4
Oct 1, 2024 18:51:04.811856985 CEST	49742	443	192.168.2.4	184.28.90.27
Oct 1, 2024 18:51:04.815788031 CEST	49742	443	192.168.2.4	184.28.90.27
Oct 1, 2024 18:51:04.815794945 CEST	443	49742	184.28.90.27	192.168.2.4
Oct 1, 2024 18:51:04.816219091 CEST	443	49742	184.28.90.27	192.168.2.4
Oct 1, 2024 18:51:04.857270002 CEST	49742	443	192.168.2.4	184.28.90.27
Oct 1, 2024 18:51:04.857274055 CEST	49741	443	192.168.2.4	142.250.185.132
Oct 1, 2024 18:51:04.869350910 CEST	49742	443	192.168.2.4	184.28.90.27
Oct 1, 2024 18:51:04.915410995 CEST	443	49742	184.28.90.27	192.168.2.4
Oct 1, 2024 18:51:05.098073006 CEST	443	49742	184.28.90.27	192.168.2.4
Oct 1, 2024 18:51:05.098191023 CEST	443	49742	184.28.90.27	192.168.2.4
Oct 1, 2024 18:51:05.098236084 CEST	49742	443	192.168.2.4	184.28.90.27
Oct 1, 2024 18:51:05.279567003 CEST	49742	443	192.168.2.4	184.28.90.27
Oct 1, 2024 18:51:05.279581070 CEST	443	49742	184.28.90.27	192.168.2.4
Oct 1, 2024 18:51:05.279589891 CEST	49742	443	192.168.2.4	184.28.90.27
Oct 1, 2024 18:51:05.279596090 CEST	443	49742	184.28.90.27	192.168.2.4
Oct 1, 2024 18:51:05.393233061 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 1, 2024 18:51:05.393285036 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 1, 2024 18:51:05.393369913 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 1, 2024 18:51:05.393801928 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 1, 2024 18:51:05.393834114 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 1, 2024 18:51:06.045245886 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 1, 2024 18:51:06.045300961 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 1, 2024 18:51:06.046834946 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 1, 2024 18:51:06.046844006 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 1, 2024 18:51:06.047049999 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 1, 2024 18:51:06.048291922 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 1, 2024 18:51:06.095411062 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 1, 2024 18:51:06.326092958 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 1, 2024 18:51:06.326206923 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 1, 2024 18:51:06.326283932 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 1, 2024 18:51:06.327220917 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 1, 2024 18:51:06.327220917 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 1, 2024 18:51:06.327260971 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 1, 2024 18:51:06.327272892 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 1, 2024 18:51:08.871201038 CEST	49756	443	192.168.2.4	142.250.185.142
Oct 1, 2024 18:51:08.871226072 CEST	443	49756	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:08.871331930 CEST	49756	443	192.168.2.4	142.250.185.142
Oct 1, 2024 18:51:08.871527910 CEST	49756	443	192.168.2.4	142.250.185.142
Oct 1, 2024 18:51:08.871537924 CEST	443	49756	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:09.615566015 CEST	443	49756	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:09.615788937 CEST	49756	443	192.168.2.4	142.250.185.142
Oct 1, 2024 18:51:09.615799904 CEST	443	49756	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:09.616343975 CEST	443	49756	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:09.616398096 CEST	49756	443	192.168.2.4	142.250.185.142
Oct 1, 2024 18:51:09.617362022 CEST	443	49756	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:09.617408991 CEST	49756	443	192.168.2.4	142.250.185.142
Oct 1, 2024 18:51:09.618278980 CEST	49756	443	192.168.2.4	142.250.185.142
Oct 1, 2024 18:51:09.618350983 CEST	443	49756	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:09.618640900 CEST	49756	443	192.168.2.4	142.250.185.142
Oct 1, 2024 18:51:09.618648052 CEST	443	49756	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:09.671622038 CEST	49756	443	192.168.2.4	142.250.185.142
Oct 1, 2024 18:51:09.938677073 CEST	443	49756	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:09.938739061 CEST	443	49756	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:09.938790083 CEST	443	49756	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:09.938806057 CEST	49756	443	192.168.2.4	142.250.185.142
Oct 1, 2024 18:51:09.938817024 CEST	443	49756	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:09.938855886 CEST	49756	443	192.168.2.4	142.250.185.142
Oct 1, 2024 18:51:09.944679976 CEST	443	49756	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:09.944739103 CEST	49756	443	192.168.2.4	142.250.185.142
Oct 1, 2024 18:51:09.950766087 CEST	443	49756	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:09.950805902 CEST	443	49756	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:09.950822115 CEST	49756	443	192.168.2.4	142.250.185.142
Oct 1, 2024 18:51:09.950829029 CEST	443	49756	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:09.950850964 CEST	49756	443	192.168.2.4	142.250.185.142
Oct 1, 2024 18:51:09.958214998 CEST	443	49756	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:09.958285093 CEST	49756	443	192.168.2.4	142.250.185.142
Oct 1, 2024 18:51:09.958290100 CEST	443	49756	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:09.963287115 CEST	443	49756	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:09.963332891 CEST	443	49756	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:09.963342905 CEST	49756	443	192.168.2.4	142.250.185.142
Oct 1, 2024 18:51:09.963347912 CEST	443	49756	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:09.963402033 CEST	49756	443	192.168.2.4	142.250.185.142
Oct 1, 2024 18:51:09.966454029 CEST	49760	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:09.966494083 CEST	443	49760	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:09.966574907 CEST	49760	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:09.969072104 CEST	49760	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:09.969089031 CEST	443	49760	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:10.027138948 CEST	443	49756	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:10.027185917 CEST	443	49756	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:10.027331114 CEST	49756	443	192.168.2.4	142.250.185.142
Oct 1, 2024 18:51:10.027338982 CEST	443	49756	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:10.027348995 CEST	443	49756	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:10.027389050 CEST	49756	443	192.168.2.4	142.250.185.142
Oct 1, 2024 18:51:10.027393103 CEST	443	49756	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:10.027434111 CEST	49756	443	192.168.2.4	142.250.185.142
Oct 1, 2024 18:51:10.033549070 CEST	443	49756	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:10.033631086 CEST	49756	443	192.168.2.4	142.250.185.142
Oct 1, 2024 18:51:10.034009933 CEST	443	49756	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:10.034060001 CEST	49756	443	192.168.2.4	142.250.185.142
Oct 1, 2024 18:51:10.039941072 CEST	443	49756	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:10.040018082 CEST	49756	443	192.168.2.4	142.250.185.142
Oct 1, 2024 18:51:10.045996904 CEST	443	49756	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:10.046061993 CEST	49756	443	192.168.2.4	142.250.185.142
Oct 1, 2024 18:51:10.046066999 CEST	443	49756	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:10.052476883 CEST	443	49756	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:10.052542925 CEST	49756	443	192.168.2.4	142.250.185.142
Oct 1, 2024 18:51:10.052547932 CEST	443	49756	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:10.058789968 CEST	443	49756	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:10.058841944 CEST	49756	443	192.168.2.4	142.250.185.142
Oct 1, 2024 18:51:10.058846951 CEST	443	49756	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:10.058944941 CEST	443	49756	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:10.058990955 CEST	49756	443	192.168.2.4	142.250.185.142
Oct 1, 2024 18:51:10.127779007 CEST	49756	443	192.168.2.4	142.250.185.142
Oct 1, 2024 18:51:10.127787113 CEST	443	49756	142.250.185.142	192.168.2.4
Oct 1, 2024 18:51:10.152903080 CEST	49761	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:10.152915001 CEST	443	49761	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:10.153007984 CEST	49761	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:10.153465033 CEST	49761	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:10.153475046 CEST	443	49761	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:10.599621058 CEST	443	49760	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:10.599839926 CEST	49760	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:10.599860907 CEST	443	49760	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:10.600260019 CEST	443	49760	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:10.600318909 CEST	49760	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:10.600851059 CEST	443	49760	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:10.600902081 CEST	49760	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:10.601763010 CEST	49760	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:10.601818085 CEST	443	49760	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:10.602000952 CEST	49760	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:10.602010965 CEST	443	49760	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:10.655464888 CEST	49760	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:10.810412884 CEST	443	49761	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:10.810925007 CEST	49761	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:10.810935974 CEST	443	49761	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:10.811512947 CEST	443	49761	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:10.811569929 CEST	49761	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:10.812537909 CEST	443	49761	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:10.812597036 CEST	49761	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:10.812721968 CEST	49761	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:10.812796116 CEST	443	49761	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:10.812943935 CEST	49761	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:10.812949896 CEST	443	49761	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:10.855953932 CEST	49761	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:10.901110888 CEST	443	49760	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:10.901591063 CEST	49760	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:10.901628017 CEST	443	49760	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:10.901690006 CEST	49760	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:10.902343035 CEST	49764	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:10.902386904 CEST	443	49764	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:10.902451992 CEST	49764	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:10.902709007 CEST	49764	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:10.902725935 CEST	443	49764	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:11.115098000 CEST	443	49761	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:11.115631104 CEST	49761	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:11.115668058 CEST	443	49761	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:11.115725994 CEST	49761	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:11.116588116 CEST	49765	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:11.116612911 CEST	443	49765	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:11.116683006 CEST	49765	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:11.117067099 CEST	49765	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:11.117079973 CEST	443	49765	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:11.552160025 CEST	443	49764	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:11.552345037 CEST	49764	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:11.552371025 CEST	443	49764	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:11.552755117 CEST	443	49764	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:11.552817106 CEST	49764	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:11.553354025 CEST	443	49764	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:11.553407907 CEST	49764	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:11.553498983 CEST	49764	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:11.553559065 CEST	443	49764	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:11.553617001 CEST	49764	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:11.553627968 CEST	443	49764	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:11.553643942 CEST	49764	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:11.594125032 CEST	49764	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:11.594132900 CEST	443	49764	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:11.797128916 CEST	443	49764	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:11.797826052 CEST	443	49764	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:11.797878027 CEST	49764	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:11.798713923 CEST	49764	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:11.798732042 CEST	443	49764	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:11.844130993 CEST	443	49765	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:11.844355106 CEST	49765	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:11.844364882 CEST	443	49765	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:11.844863892 CEST	443	49765	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:11.844928026 CEST	49765	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:11.845854044 CEST	443	49765	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:11.845916986 CEST	49765	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:11.846081972 CEST	49765	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:11.846157074 CEST	443	49765	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:11.846298933 CEST	49765	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:11.846304893 CEST	443	49765	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:11.846321106 CEST	49765	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:11.887408018 CEST	443	49765	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:11.887981892 CEST	49765	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:12.061125994 CEST	443	49765	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:12.063575983 CEST	443	49765	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:12.063642025 CEST	49765	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:12.064305067 CEST	49765	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:12.064311981 CEST	443	49765	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:12.815614939 CEST	49741	443	192.168.2.4	142.250.185.132
Oct 1, 2024 18:51:12.863401890 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 18:51:13.085323095 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 18:51:13.085381031 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 18:51:13.085414886 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 18:51:13.085441113 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 18:51:13.085465908 CEST	49741	443	192.168.2.4	142.250.185.132
Oct 1, 2024 18:51:13.085480928 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 18:51:13.085510969 CEST	49741	443	192.168.2.4	142.250.185.132
Oct 1, 2024 18:51:13.085561037 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 18:51:13.085612059 CEST	49741	443	192.168.2.4	142.250.185.132
Oct 1, 2024 18:51:13.086429119 CEST	49741	443	192.168.2.4	142.250.185.132
Oct 1, 2024 18:51:13.086437941 CEST	443	49741	142.250.185.132	192.168.2.4
Oct 1, 2024 18:51:15.898351908 CEST	49772	443	192.168.2.4	4.175.87.197
Oct 1, 2024 18:51:15.898379087 CEST	443	49772	4.175.87.197	192.168.2.4
Oct 1, 2024 18:51:15.898509026 CEST	49772	443	192.168.2.4	4.175.87.197
Oct 1, 2024 18:51:15.899379969 CEST	49772	443	192.168.2.4	4.175.87.197
Oct 1, 2024 18:51:15.899394035 CEST	443	49772	4.175.87.197	192.168.2.4
Oct 1, 2024 18:51:16.745454073 CEST	443	49772	4.175.87.197	192.168.2.4
Oct 1, 2024 18:51:16.745524883 CEST	49772	443	192.168.2.4	4.175.87.197
Oct 1, 2024 18:51:16.749229908 CEST	49772	443	192.168.2.4	4.175.87.197
Oct 1, 2024 18:51:16.749239922 CEST	443	49772	4.175.87.197	192.168.2.4
Oct 1, 2024 18:51:16.749454975 CEST	443	49772	4.175.87.197	192.168.2.4
Oct 1, 2024 18:51:16.795850039 CEST	49772	443	192.168.2.4	4.175.87.197
Oct 1, 2024 18:51:17.479187012 CEST	49772	443	192.168.2.4	4.175.87.197
Oct 1, 2024 18:51:17.523403883 CEST	443	49772	4.175.87.197	192.168.2.4
Oct 1, 2024 18:51:17.751585007 CEST	443	49772	4.175.87.197	192.168.2.4
Oct 1, 2024 18:51:17.751615047 CEST	443	49772	4.175.87.197	192.168.2.4
Oct 1, 2024 18:51:17.751625061 CEST	443	49772	4.175.87.197	192.168.2.4
Oct 1, 2024 18:51:17.751646042 CEST	443	49772	4.175.87.197	192.168.2.4
Oct 1, 2024 18:51:17.751698017 CEST	443	49772	4.175.87.197	192.168.2.4
Oct 1, 2024 18:51:17.751714945 CEST	49772	443	192.168.2.4	4.175.87.197
Oct 1, 2024 18:51:17.751714945 CEST	49772	443	192.168.2.4	4.175.87.197
Oct 1, 2024 18:51:17.751739025 CEST	443	49772	4.175.87.197	192.168.2.4
Oct 1, 2024 18:51:17.751751900 CEST	443	49772	4.175.87.197	192.168.2.4
Oct 1, 2024 18:51:17.751794100 CEST	49772	443	192.168.2.4	4.175.87.197
Oct 1, 2024 18:51:17.751801014 CEST	443	49772	4.175.87.197	192.168.2.4
Oct 1, 2024 18:51:17.751831055 CEST	49772	443	192.168.2.4	4.175.87.197
Oct 1, 2024 18:51:17.751990080 CEST	49772	443	192.168.2.4	4.175.87.197
Oct 1, 2024 18:51:17.753026962 CEST	443	49772	4.175.87.197	192.168.2.4
Oct 1, 2024 18:51:17.753061056 CEST	443	49772	4.175.87.197	192.168.2.4
Oct 1, 2024 18:51:17.754266977 CEST	49772	443	192.168.2.4	4.175.87.197
Oct 1, 2024 18:51:17.878158092 CEST	49777	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:17.878180027 CEST	443	49777	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:17.878257990 CEST	49777	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:17.878567934 CEST	49777	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:17.878578901 CEST	443	49777	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:18.392251968 CEST	49772	443	192.168.2.4	4.175.87.197
Oct 1, 2024 18:51:18.392270088 CEST	443	49772	4.175.87.197	192.168.2.4
Oct 1, 2024 18:51:18.392281055 CEST	49772	443	192.168.2.4	4.175.87.197
Oct 1, 2024 18:51:18.392287016 CEST	443	49772	4.175.87.197	192.168.2.4
Oct 1, 2024 18:51:18.552186012 CEST	443	49777	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:18.552423954 CEST	49777	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:18.552442074 CEST	443	49777	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:18.552815914 CEST	443	49777	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:18.553210020 CEST	49777	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:18.553289890 CEST	443	49777	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:18.553399086 CEST	49777	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:18.553415060 CEST	49777	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:18.553426981 CEST	443	49777	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:18.893569946 CEST	443	49777	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:18.894679070 CEST	443	49777	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:18.894747019 CEST	49777	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:18.895515919 CEST	49777	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:18.895529032 CEST	443	49777	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:21.403862000 CEST	80	49723	84.201.210.20	192.168.2.4
Oct 1, 2024 18:51:21.403999090 CEST	49723	80	192.168.2.4	84.201.210.20
Oct 1, 2024 18:51:21.404031038 CEST	49723	80	192.168.2.4	84.201.210.20
Oct 1, 2024 18:51:21.405420065 CEST	80	49723	84.201.210.20	192.168.2.4
Oct 1, 2024 18:51:21.405473948 CEST	49723	80	192.168.2.4	84.201.210.20
Oct 1, 2024 18:51:21.405530930 CEST	80	49723	84.201.210.20	192.168.2.4
Oct 1, 2024 18:51:21.405575037 CEST	49723	80	192.168.2.4	84.201.210.20
Oct 1, 2024 18:51:21.410258055 CEST	80	49723	84.201.210.20	192.168.2.4
Oct 1, 2024 18:51:41.657519102 CEST	49781	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:41.657551050 CEST	443	49781	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:41.657607079 CEST	49781	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:41.657902002 CEST	49781	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:41.657915115 CEST	443	49781	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:41.703526974 CEST	49782	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:41.703540087 CEST	443	49782	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:41.703588963 CEST	49782	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:41.703898907 CEST	49782	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:41.703907967 CEST	443	49782	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:41.797274113 CEST	49783	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:41.797307014 CEST	443	49783	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:41.797380924 CEST	49783	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:41.797652006 CEST	49783	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:41.797666073 CEST	443	49783	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:42.340163946 CEST	443	49781	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:42.340390921 CEST	49781	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:42.340405941 CEST	443	49781	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:42.340712070 CEST	443	49781	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:42.341265917 CEST	49781	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:42.341319084 CEST	443	49781	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:42.341434956 CEST	49781	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:42.341455936 CEST	49781	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:42.341466904 CEST	443	49781	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:42.428396940 CEST	443	49782	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:42.428654909 CEST	49782	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:42.428664923 CEST	443	49782	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:42.429012060 CEST	443	49782	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:42.429328918 CEST	49782	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:42.429387093 CEST	443	49782	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:42.429528952 CEST	49782	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:42.429548979 CEST	49782	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:42.429557085 CEST	443	49782	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:42.494133949 CEST	443	49783	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:42.494421959 CEST	49783	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:42.494432926 CEST	443	49783	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:42.494738102 CEST	443	49783	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:42.494795084 CEST	49783	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:42.495342970 CEST	443	49783	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:42.495408058 CEST	49783	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:42.495512962 CEST	49783	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:42.495563984 CEST	443	49783	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:42.495651007 CEST	49783	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:42.495657921 CEST	443	49783	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:42.495671988 CEST	49783	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:42.543399096 CEST	443	49783	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:42.549313068 CEST	49783	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:42.641371012 CEST	443	49781	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:42.642462015 CEST	443	49781	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:42.642545938 CEST	49781	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:42.642999887 CEST	49781	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:42.643018961 CEST	443	49781	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:42.711189985 CEST	443	49783	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:42.711767912 CEST	443	49783	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:42.711850882 CEST	49783	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:42.712650061 CEST	49783	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:42.712656975 CEST	443	49783	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:42.734560013 CEST	443	49782	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:42.755464077 CEST	443	49782	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:42.755568027 CEST	49782	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:42.755939960 CEST	49782	443	192.168.2.4	142.250.185.110
Oct 1, 2024 18:51:42.755945921 CEST	443	49782	142.250.185.110	192.168.2.4
Oct 1, 2024 18:51:54.845752954 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 18:51:54.845783949 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 18:51:54.845865965 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 18:51:54.846187115 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 18:51:54.846205950 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 18:51:55.907588005 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 18:51:55.907668114 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 18:51:55.912286997 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 18:51:55.912297964 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 18:51:55.912519932 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 18:51:55.923934937 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 18:51:55.967431068 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 18:51:56.249121904 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 18:51:56.249145031 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 18:51:56.249185085 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 18:51:56.249248028 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 18:51:56.249258995 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 18:51:56.249310970 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 18:51:56.251049995 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 18:51:56.251084089 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 18:51:56.251117945 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 18:51:56.251121044 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 18:51:56.251174927 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 18:51:56.255234957 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 18:51:56.255244017 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 18:51:56.255264044 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 18:51:56.255269051 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 18:52:04.137825012 CEST	49786	443	192.168.2.4	142.250.184.196
Oct 1, 2024 18:52:04.137878895 CEST	443	49786	142.250.184.196	192.168.2.4
Oct 1, 2024 18:52:04.137964010 CEST	49786	443	192.168.2.4	142.250.184.196
Oct 1, 2024 18:52:04.138163090 CEST	49786	443	192.168.2.4	142.250.184.196
Oct 1, 2024 18:52:04.138180017 CEST	443	49786	142.250.184.196	192.168.2.4
Oct 1, 2024 18:52:04.794573069 CEST	443	49786	142.250.184.196	192.168.2.4
Oct 1, 2024 18:52:04.794857979 CEST	49786	443	192.168.2.4	142.250.184.196
Oct 1, 2024 18:52:04.794915915 CEST	443	49786	142.250.184.196	192.168.2.4
Oct 1, 2024 18:52:04.795212984 CEST	443	49786	142.250.184.196	192.168.2.4
Oct 1, 2024 18:52:04.795492887 CEST	49786	443	192.168.2.4	142.250.184.196
Oct 1, 2024 18:52:04.795564890 CEST	443	49786	142.250.184.196	192.168.2.4
Oct 1, 2024 18:52:04.841893911 CEST	49786	443	192.168.2.4	142.250.184.196
Oct 1, 2024 18:52:09.906107903 CEST	49724	80	192.168.2.4	88.221.110.91
Oct 1, 2024 18:52:09.911500931 CEST	80	49724	88.221.110.91	192.168.2.4
Oct 1, 2024 18:52:09.911588907 CEST	49724	80	192.168.2.4	88.221.110.91
Oct 1, 2024 18:52:12.433296919 CEST	49788	443	192.168.2.4	172.217.18.14
Oct 1, 2024 18:52:12.433319092 CEST	443	49788	172.217.18.14	192.168.2.4
Oct 1, 2024 18:52:12.433377981 CEST	49788	443	192.168.2.4	172.217.18.14
Oct 1, 2024 18:52:12.433600903 CEST	49788	443	192.168.2.4	172.217.18.14
Oct 1, 2024 18:52:12.433614969 CEST	443	49788	172.217.18.14	192.168.2.4
Oct 1, 2024 18:52:12.486236095 CEST	49789	443	192.168.2.4	172.217.18.14
Oct 1, 2024 18:52:12.486269951 CEST	443	49789	172.217.18.14	192.168.2.4
Oct 1, 2024 18:52:12.486408949 CEST	49789	443	192.168.2.4	172.217.18.14
Oct 1, 2024 18:52:12.486555099 CEST	49789	443	192.168.2.4	172.217.18.14
Oct 1, 2024 18:52:12.486567020 CEST	443	49789	172.217.18.14	192.168.2.4
Oct 1, 2024 18:52:13.077394009 CEST	443	49788	172.217.18.14	192.168.2.4
Oct 1, 2024 18:52:13.077997923 CEST	49788	443	192.168.2.4	172.217.18.14
Oct 1, 2024 18:52:13.078008890 CEST	443	49788	172.217.18.14	192.168.2.4
Oct 1, 2024 18:52:13.078326941 CEST	443	49788	172.217.18.14	192.168.2.4
Oct 1, 2024 18:52:13.078576088 CEST	49788	443	192.168.2.4	172.217.18.14
Oct 1, 2024 18:52:13.078634024 CEST	443	49788	172.217.18.14	192.168.2.4
Oct 1, 2024 18:52:13.079375029 CEST	49788	443	192.168.2.4	172.217.18.14
Oct 1, 2024 18:52:13.079395056 CEST	49788	443	192.168.2.4	172.217.18.14
Oct 1, 2024 18:52:13.079411983 CEST	443	49788	172.217.18.14	192.168.2.4
Oct 1, 2024 18:52:13.141383886 CEST	443	49789	172.217.18.14	192.168.2.4
Oct 1, 2024 18:52:13.141587973 CEST	49789	443	192.168.2.4	172.217.18.14
Oct 1, 2024 18:52:13.141611099 CEST	443	49789	172.217.18.14	192.168.2.4
Oct 1, 2024 18:52:13.141922951 CEST	443	49789	172.217.18.14	192.168.2.4
Oct 1, 2024 18:52:13.142185926 CEST	49789	443	192.168.2.4	172.217.18.14
Oct 1, 2024 18:52:13.142254114 CEST	443	49789	172.217.18.14	192.168.2.4
Oct 1, 2024 18:52:13.142330885 CEST	49789	443	192.168.2.4	172.217.18.14
Oct 1, 2024 18:52:13.142330885 CEST	49789	443	192.168.2.4	172.217.18.14
Oct 1, 2024 18:52:13.142359972 CEST	443	49789	172.217.18.14	192.168.2.4
Oct 1, 2024 18:52:13.389229059 CEST	443	49788	172.217.18.14	192.168.2.4
Oct 1, 2024 18:52:13.389353037 CEST	443	49788	172.217.18.14	192.168.2.4
Oct 1, 2024 18:52:13.389425993 CEST	49788	443	192.168.2.4	172.217.18.14
Oct 1, 2024 18:52:13.391087055 CEST	49788	443	192.168.2.4	172.217.18.14
Oct 1, 2024 18:52:13.391093969 CEST	443	49788	172.217.18.14	192.168.2.4
Oct 1, 2024 18:52:13.446094036 CEST	443	49789	172.217.18.14	192.168.2.4
Oct 1, 2024 18:52:13.446192980 CEST	443	49789	172.217.18.14	192.168.2.4
Oct 1, 2024 18:52:13.446244955 CEST	49789	443	192.168.2.4	172.217.18.14
Oct 1, 2024 18:52:13.446743965 CEST	49789	443	192.168.2.4	172.217.18.14
Oct 1, 2024 18:52:13.446763992 CEST	443	49789	172.217.18.14	192.168.2.4
Oct 1, 2024 18:52:14.687886953 CEST	443	49786	142.250.184.196	192.168.2.4
Oct 1, 2024 18:52:14.687939882 CEST	443	49786	142.250.184.196	192.168.2.4
Oct 1, 2024 18:52:14.687993050 CEST	49786	443	192.168.2.4	142.250.184.196
Oct 1, 2024 18:52:28.601685047 CEST	49786	443	192.168.2.4	142.250.184.196
Oct 1, 2024 18:52:28.601723909 CEST	443	49786	142.250.184.196	192.168.2.4
Oct 1, 2024 18:52:43.082782030 CEST	49791	443	192.168.2.4	172.217.18.14
Oct 1, 2024 18:52:43.082814932 CEST	443	49791	172.217.18.14	192.168.2.4
Oct 1, 2024 18:52:43.082886934 CEST	49791	443	192.168.2.4	172.217.18.14
Oct 1, 2024 18:52:43.084598064 CEST	49791	443	192.168.2.4	172.217.18.14
Oct 1, 2024 18:52:43.084611893 CEST	443	49791	172.217.18.14	192.168.2.4
Oct 1, 2024 18:52:43.453984976 CEST	49792	443	192.168.2.4	172.217.18.14
Oct 1, 2024 18:52:43.454088926 CEST	443	49792	172.217.18.14	192.168.2.4
Oct 1, 2024 18:52:43.454189062 CEST	49792	443	192.168.2.4	172.217.18.14
Oct 1, 2024 18:52:43.454395056 CEST	49792	443	192.168.2.4	172.217.18.14
Oct 1, 2024 18:52:43.454432964 CEST	443	49792	172.217.18.14	192.168.2.4
Oct 1, 2024 18:52:43.731369019 CEST	443	49791	172.217.18.14	192.168.2.4
Oct 1, 2024 18:52:43.731746912 CEST	49791	443	192.168.2.4	172.217.18.14
Oct 1, 2024 18:52:43.731759071 CEST	443	49791	172.217.18.14	192.168.2.4
Oct 1, 2024 18:52:43.732074022 CEST	443	49791	172.217.18.14	192.168.2.4
Oct 1, 2024 18:52:43.733095884 CEST	49791	443	192.168.2.4	172.217.18.14
Oct 1, 2024 18:52:43.733148098 CEST	443	49791	172.217.18.14	192.168.2.4
Oct 1, 2024 18:52:43.733349085 CEST	49791	443	192.168.2.4	172.217.18.14
Oct 1, 2024 18:52:43.733417988 CEST	49791	443	192.168.2.4	172.217.18.14
Oct 1, 2024 18:52:43.733427048 CEST	443	49791	172.217.18.14	192.168.2.4
Oct 1, 2024 18:52:44.050492048 CEST	443	49791	172.217.18.14	192.168.2.4
Oct 1, 2024 18:52:44.052309036 CEST	443	49791	172.217.18.14	192.168.2.4
Oct 1, 2024 18:52:44.052376032 CEST	49791	443	192.168.2.4	172.217.18.14
Oct 1, 2024 18:52:44.052469015 CEST	49791	443	192.168.2.4	172.217.18.14
Oct 1, 2024 18:52:44.052479029 CEST	443	49791	172.217.18.14	192.168.2.4
Oct 1, 2024 18:52:44.106093884 CEST	443	49792	172.217.18.14	192.168.2.4
Oct 1, 2024 18:52:44.106327057 CEST	49792	443	192.168.2.4	172.217.18.14
Oct 1, 2024 18:52:44.106364012 CEST	443	49792	172.217.18.14	192.168.2.4
Oct 1, 2024 18:52:44.106745958 CEST	443	49792	172.217.18.14	192.168.2.4
Oct 1, 2024 18:52:44.107053995 CEST	49792	443	192.168.2.4	172.217.18.14
Oct 1, 2024 18:52:44.107129097 CEST	443	49792	172.217.18.14	192.168.2.4
Oct 1, 2024 18:52:44.107192993 CEST	49792	443	192.168.2.4	172.217.18.14
Oct 1, 2024 18:52:44.107229948 CEST	49792	443	192.168.2.4	172.217.18.14
Oct 1, 2024 18:52:44.107242107 CEST	443	49792	172.217.18.14	192.168.2.4
Oct 1, 2024 18:52:44.404438972 CEST	443	49792	172.217.18.14	192.168.2.4
Oct 1, 2024 18:52:44.404861927 CEST	443	49792	172.217.18.14	192.168.2.4
Oct 1, 2024 18:52:44.405025959 CEST	49792	443	192.168.2.4	172.217.18.14
Oct 1, 2024 18:52:44.405320883 CEST	49792	443	192.168.2.4	172.217.18.14
Oct 1, 2024 18:52:44.405349016 CEST	443	49792	172.217.18.14	192.168.2.4
Oct 1, 2024 18:53:04.189055920 CEST	49793	443	192.168.2.4	142.250.184.196
Oct 1, 2024 18:53:04.189095974 CEST	443	49793	142.250.184.196	192.168.2.4
Oct 1, 2024 18:53:04.189219952 CEST	49793	443	192.168.2.4	142.250.184.196
Oct 1, 2024 18:53:04.189749956 CEST	49793	443	192.168.2.4	142.250.184.196
Oct 1, 2024 18:53:04.189765930 CEST	443	49793	142.250.184.196	192.168.2.4
Oct 1, 2024 18:53:04.818454027 CEST	443	49793	142.250.184.196	192.168.2.4
Oct 1, 2024 18:53:04.818797112 CEST	49793	443	192.168.2.4	142.250.184.196
Oct 1, 2024 18:53:04.818818092 CEST	443	49793	142.250.184.196	192.168.2.4
Oct 1, 2024 18:53:04.819274902 CEST	443	49793	142.250.184.196	192.168.2.4
Oct 1, 2024 18:53:04.819577932 CEST	49793	443	192.168.2.4	142.250.184.196
Oct 1, 2024 18:53:04.819657087 CEST	443	49793	142.250.184.196	192.168.2.4
Oct 1, 2024 18:53:04.874233007 CEST	49793	443	192.168.2.4	142.250.184.196

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 18:50:59.603235960 CEST	51918	53	192.168.2.4	1.1.1.1
Oct 1, 2024 18:50:59.603801966 CEST	57129	53	192.168.2.4	1.1.1.1
Oct 1, 2024 18:50:59.610090971 CEST	53	51918	1.1.1.1	192.168.2.4
Oct 1, 2024 18:50:59.610377073 CEST	53	63555	1.1.1.1	192.168.2.4
Oct 1, 2024 18:50:59.610573053 CEST	53	57129	1.1.1.1	192.168.2.4
Oct 1, 2024 18:50:59.614265919 CEST	53	64103	1.1.1.1	192.168.2.4
Oct 1, 2024 18:51:00.748763084 CEST	53	51777	1.1.1.1	192.168.2.4
Oct 1, 2024 18:51:00.781246901 CEST	49394	53	192.168.2.4	1.1.1.1
Oct 1, 2024 18:51:00.781512976 CEST	64870	53	192.168.2.4	1.1.1.1
Oct 1, 2024 18:51:00.789812088 CEST	53	49394	1.1.1.1	192.168.2.4
Oct 1, 2024 18:51:00.789844036 CEST	53	64870	1.1.1.1	192.168.2.4
Oct 1, 2024 18:51:04.077931881 CEST	65205	53	192.168.2.4	1.1.1.1
Oct 1, 2024 18:51:04.078058004 CEST	53918	53	192.168.2.4	1.1.1.1
Oct 1, 2024 18:51:04.086230040 CEST	53	65205	1.1.1.1	192.168.2.4
Oct 1, 2024 18:51:04.086267948 CEST	53	53918	1.1.1.1	192.168.2.4
Oct 1, 2024 18:51:06.182300091 CEST	53	52824	1.1.1.1	192.168.2.4
Oct 1, 2024 18:51:08.859554052 CEST	53463	53	192.168.2.4	1.1.1.1
Oct 1, 2024 18:51:08.860006094 CEST	55367	53	192.168.2.4	1.1.1.1
Oct 1, 2024 18:51:08.866832972 CEST	53	53463	1.1.1.1	192.168.2.4
Oct 1, 2024 18:51:08.867173910 CEST	53	55367	1.1.1.1	192.168.2.4
Oct 1, 2024 18:51:09.937155962 CEST	49580	53	192.168.2.4	1.1.1.1
Oct 1, 2024 18:51:09.937220097 CEST	57803	53	192.168.2.4	1.1.1.1
Oct 1, 2024 18:51:09.944446087 CEST	53	49580	1.1.1.1	192.168.2.4
Oct 1, 2024 18:51:09.945368052 CEST	53	57803	1.1.1.1	192.168.2.4
Oct 1, 2024 18:51:11.930318117 CEST	53	59548	1.1.1.1	192.168.2.4
Oct 1, 2024 18:51:17.739949942 CEST	53	57582	1.1.1.1	192.168.2.4
Oct 1, 2024 18:51:21.494529009 CEST	138	138	192.168.2.4	192.168.2.255
Oct 1, 2024 18:51:36.569485903 CEST	53	51846	1.1.1.1	192.168.2.4
Oct 1, 2024 18:51:59.085469007 CEST	53	50180	1.1.1.1	192.168.2.4
Oct 1, 2024 18:51:59.468761921 CEST	53	53372	1.1.1.1	192.168.2.4
Oct 1, 2024 18:52:04.129045010 CEST	51335	53	192.168.2.4	1.1.1.1
Oct 1, 2024 18:52:04.129180908 CEST	64762	53	192.168.2.4	1.1.1.1
Oct 1, 2024 18:52:04.135938883 CEST	53	51335	1.1.1.1	192.168.2.4
Oct 1, 2024 18:52:04.137258053 CEST	53	64762	1.1.1.1	192.168.2.4
Oct 1, 2024 18:52:10.900902987 CEST	53	50422	1.1.1.1	192.168.2.4
Oct 1, 2024 18:52:12.424360037 CEST	57509	53	192.168.2.4	1.1.1.1
Oct 1, 2024 18:52:12.424484968 CEST	58530	53	192.168.2.4	1.1.1.1
Oct 1, 2024 18:52:12.432135105 CEST	53	57509	1.1.1.1	192.168.2.4
Oct 1, 2024 18:52:12.432969093 CEST	53	58530	1.1.1.1	192.168.2.4
Oct 1, 2024 18:52:28.610153913 CEST	53	55026	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 1, 2024 18:50:59.603235960 CEST	192.168.2.4	1.1.1.1	0xc031	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 18:50:59.603801966 CEST	192.168.2.4	1.1.1.1	0xe588	Standard query (0)	youtube.com	65	IN (0x0001)	false
Oct 1, 2024 18:51:00.781246901 CEST	192.168.2.4	1.1.1.1	0x6c92	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 18:51:00.781512976 CEST	192.168.2.4	1.1.1.1	0x8fb	Standard query (0)	www.youtube.com	65	IN (0x0001)	false
Oct 1, 2024 18:51:04.077931881 CEST	192.168.2.4	1.1.1.1	0xcca9	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 18:51:04.078058004 CEST	192.168.2.4	1.1.1.1	0xe466	Standard query (0)	www.google.com	65	IN (0x0001)	false
Oct 1, 2024 18:51:08.859554052 CEST	192.168.2.4	1.1.1.1	0x6a5f	Standard query (0)	accounts.youtube.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 18:51:08.860006094 CEST	192.168.2.4	1.1.1.1	0x79f3	Standard query (0)	accounts.youtube.com	65	IN (0x0001)	false
Oct 1, 2024 18:51:09.937155962 CEST	192.168.2.4	1.1.1.1	0x5399	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 18:51:09.937220097 CEST	192.168.2.4	1.1.1.1	0xc855	Standard query (0)	play.google.com	65	IN (0x0001)	false
Oct 1, 2024 18:52:04.129045010 CEST	192.168.2.4	1.1.1.1	0xd03c	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 18:52:04.129180908 CEST	192.168.2.4	1.1.1.1	0xc49b	Standard query (0)	www.google.com	65	IN (0x0001)	false
Oct 1, 2024 18:52:12.424360037 CEST	192.168.2.4	1.1.1.1	0x8fa4	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 18:52:12.424484968 CEST	192.168.2.4	1.1.1.1	0xcdca	Standard query (0)	play.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 1, 2024 18:50:59.610090971 CEST	1.1.1.1	192.168.2.4	0xc031	No error (0)	youtube.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 1, 2024 18:50:59.610573053 CEST	1.1.1.1	192.168.2.4	0xe588	No error (0)	youtube.com			65	IN (0x0001)	false
Oct 1, 2024 18:51:00.789812088 CEST	1.1.1.1	192.168.2.4	0x6c92	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 18:51:00.789812088 CEST	1.1.1.1	192.168.2.4	0x6c92	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 1, 2024 18:51:00.789812088 CEST	1.1.1.1	192.168.2.4	0x6c92	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 1, 2024 18:51:00.789812088 CEST	1.1.1.1	192.168.2.4	0x6c92	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 1, 2024 18:51:00.789812088 CEST	1.1.1.1	192.168.2.4	0x6c92	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 1, 2024 18:51:00.789812088 CEST	1.1.1.1	192.168.2.4	0x6c92	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 1, 2024 18:51:00.789812088 CEST	1.1.1.1	192.168.2.4	0x6c92	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 1, 2024 18:51:00.789812088 CEST	1.1.1.1	192.168.2.4	0x6c92	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 1, 2024 18:51:00.789812088 CEST	1.1.1.1	192.168.2.4	0x6c92	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 1, 2024 18:51:00.789812088 CEST	1.1.1.1	192.168.2.4	0x6c92	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 1, 2024 18:51:00.789812088 CEST	1.1.1.1	192.168.2.4	0x6c92	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 1, 2024 18:51:00.789812088 CEST	1.1.1.1	192.168.2.4	0x6c92	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 1, 2024 18:51:00.789812088 CEST	1.1.1.1	192.168.2.4	0x6c92	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 1, 2024 18:51:00.789812088 CEST	1.1.1.1	192.168.2.4	0x6c92	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 1, 2024 18:51:00.789812088 CEST	1.1.1.1	192.168.2.4	0x6c92	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 1, 2024 18:51:00.789812088 CEST	1.1.1.1	192.168.2.4	0x6c92	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 1, 2024 18:51:00.789812088 CEST	1.1.1.1	192.168.2.4	0x6c92	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 1, 2024 18:51:00.789844036 CEST	1.1.1.1	192.168.2.4	0x8fb	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 18:51:00.789844036 CEST	1.1.1.1	192.168.2.4	0x8fb	No error (0)	youtube-ui.l.google.com			65	IN (0x0001)	false
Oct 1, 2024 18:51:04.086230040 CEST	1.1.1.1	192.168.2.4	0xcca9	No error (0)	www.google.com		142.250.185.132	A (IP address)	IN (0x0001)	false
Oct 1, 2024 18:51:04.086267948 CEST	1.1.1.1	192.168.2.4	0xe466	No error (0)	www.google.com			65	IN (0x0001)	false
Oct 1, 2024 18:51:08.866832972 CEST	1.1.1.1	192.168.2.4	0x6a5f	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 18:51:08.866832972 CEST	1.1.1.1	192.168.2.4	0x6a5f	No error (0)	www3.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 1, 2024 18:51:08.867173910 CEST	1.1.1.1	192.168.2.4	0x79f3	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 18:51:09.944446087 CEST	1.1.1.1	192.168.2.4	0x5399	No error (0)	play.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 1, 2024 18:52:04.135938883 CEST	1.1.1.1	192.168.2.4	0xd03c	No error (0)	www.google.com		142.250.184.196	A (IP address)	IN (0x0001)	false
Oct 1, 2024 18:52:04.137258053 CEST	1.1.1.1	192.168.2.4	0xc49b	No error (0)	www.google.com			65	IN (0x0001)	false
Oct 1, 2024 18:52:12.432135105 CEST	1.1.1.1	192.168.2.4	0x8fa4	No error (0)	play.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

youtube.com

www.youtube.com

fs.microsoft.com

https:

accounts.youtube.com

play.google.com

www.google.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	142.250.185.142	443	7564	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 16:51:00 UTC	851	OUT	GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1 Host: youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 16:51:00 UTC	1704	IN	HTTP/1.1 301 Moved Permanently Content-Type: application/binary X-Content-Type-Options: nosniff Expires: Tue, 01 Oct 2024 16:51:00 GMT Date: Tue, 01 Oct 2024 16:51:00 GMT Cache-Control: private, max-age=31536000 Location: https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Content-Security-Policy: require-trusted-types-for 'script' Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Server: ESF Content-Length: 0 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49736	142.250.186.142	443	7564	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 16:51:01 UTC	869	OUT	GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1 Host: www.youtube.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 16:51:01 UTC	2634	IN	HTTP/1.1 303 See Other Content-Type: application/binary X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 01 Oct 2024 16:51:01 GMT Location: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en Strict-Transport-Security: max-age=31536000 X-Frame-Options: SAMEORIGIN Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script' Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* P3P: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info." Server: ESF Content-Length: 0 X-XSS-Protection: 0 Set-Cookie: GPS=1; Domain=.youtube.com; Expires=Tue, 01-Oct-2024 17:21:01 GMT; Path=/; Secure; HttpOnly Set-Cookie: YSC=7lb1Lz_7WoE; Domain=.youtube.com; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_INFO1_LIVE=qpE_OdD2etg; Domain=.youtube.com; Expires=Sun, 30-Mar-2025 16:51:01 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_PRIVACY_METADATA=CgJVUxIEGgAgTQ%3D%3D; Domain=.youtube.com; Expires=Sun, 30-Mar-2025 16:51:01 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49742	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 16:51:04 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-01 16:51:05 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-neu-z1 Cache-Control: public, max-age=172485 Date: Tue, 01 Oct 2024 16:51:05 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49745	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 16:51:06 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-01 16:51:06 UTC	515	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=172428 Date: Tue, 01 Oct 2024 16:51:06 GMT Content-Length: 55 Connection: close X-CID: 2
2024-10-01 16:51:06 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49756	142.250.185.142	443	7564	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 16:51:09 UTC	1237	OUT	GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=-1327898630&timestamp=1727801468384 HTTP/1.1 Host: accounts.youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-arch: "x86" sec-ch-ua-platform: "Windows" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-model: "" sec-ch-ua-bitness: "64" sec-ch-ua-wow64: ?0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: iframe Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 16:51:09 UTC	1969	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 X-Frame-Options: ALLOW-FROM https://accounts.google.com Content-Security-Policy: frame-ancestors https://accounts.google.com Content-Security-Policy: script-src 'report-sample' 'nonce-WWh7NNjK92XMeWytGyBi9g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 01 Oct 2024 16:51:09 GMT Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Resource-Policy: cross-origin reporting-endpoints: default="/_/AccountsDomainCookiesCheckConnectionHttp/web-reports?context=eJzjstDikmJw1pBikPj6kkkDiJ3SZ7AGAXHSv_OsRUB8ufsS63UgVu25xGoKxEUSV1ibgFiIh-PvhQ_b2QQuHN3ayaykl5RfGJ-ZkppXkllSmZKfm5iZl5yfn52ZWlycWlSWWhRvZGBkYmBpZKRnYBFfYAAA-L0t9A" Server: ESF X-XSS-Protection: 0 X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 16:51:09 UTC	1969	IN	Data Raw: 37 36 31 39 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 57 57 68 37 4e 4e 6a 4b 39 32 58 4d 65 57 79 74 47 79 42 69 39 67 22 3e 22 75 73 65 20 73 74 72 69 63 74 22 3b 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 3d 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 7c 7c 7b 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 5f 29 7b 76 61 72 20 77 69 6e 64 6f 77 3d 74 68 69 73 3b 0a 74 72 79 7b 0a 5f 2e 5f 46 5f 74 6f 67 67 6c 65 73 5f 69 6e 69 74 69 61 6c 69 7a 65 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 28 74 79 70 65 6f Data Ascii: 7619<html><head><script nonce="WWh7NNjK92XMeWytGyBi9g">"use strict";this.default_AccountsDomaincookiesCheckconnectionJs=this.default_AccountsDomaincookiesCheckconnectionJs\|\|{};(function(_){var window=this;try{_._F_toggles_initialize=function(a){(typeo
2024-10-01 16:51:09 UTC	1969	IN	Data Raw: 54 72 69 64 65 6e 74 5c 2f 28 5c 64 2e 5c 64 29 2f 2e 65 78 65 63 28 62 29 2c 0a 63 5b 31 5d 3d 3d 22 37 2e 30 22 29 69 66 28 62 26 26 62 5b 31 5d 29 73 77 69 74 63 68 28 62 5b 31 5d 29 7b 63 61 73 65 20 22 34 2e 30 22 3a 61 3d 22 38 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 35 2e 30 22 3a 61 3d 22 39 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 36 2e 30 22 3a 61 3d 22 31 30 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 37 2e 30 22 3a 61 3d 22 31 31 2e 30 22 7d 65 6c 73 65 20 61 3d 22 37 2e 30 22 3b 65 6c 73 65 20 61 3d 63 5b 31 5d 3b 62 3d 61 7d 65 6c 73 65 20 62 3d 22 22 3b 72 65 74 75 72 6e 20 62 7d 76 61 72 20 64 3d 52 65 67 45 78 70 28 22 28 5b 41 2d 5a 5d 5b 5c 5c 77 20 5d 2b 29 2f 28 5b 5e 5c 5c 73 5d 2b 29 5c 5c 73 2a 28 3f 3a 5c 5c 28 Data Ascii: Trident\/(\d.\d)/.exec(b),c[1]=="7.0")if(b&&b[1])switch(b[1]){case "4.0":a="8.0";break;case "5.0":a="9.0";break;case "6.0":a="10.0";break;case "7.0":a="11.0"}else a="7.0";else a=c[1];b=a}else b="";return b}var d=RegExp("([A-Z][\\w ]+)/([^\\s]+)\\s*(?:\\(
2024-10-01 16:51:09 UTC	1969	IN	Data Raw: 74 63 68 28 74 79 70 65 6f 66 20 61 29 7b 63 61 73 65 20 22 6e 75 6d 62 65 72 22 3a 72 65 74 75 72 6e 20 69 73 46 69 6e 69 74 65 28 61 29 3f 61 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 69 67 69 6e 74 22 3a 72 65 74 75 72 6e 28 41 61 3f 0a 61 3e 3d 42 61 26 26 61 3c 3d 43 61 3a 61 5b 30 5d 3d 3d 3d 22 2d 22 3f 75 61 28 61 2c 44 61 29 3a 75 61 28 61 2c 45 61 29 29 3f 4e 75 6d 62 65 72 28 61 29 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 72 65 74 75 72 6e 20 61 3f 31 3a 30 3b 63 61 73 65 20 22 6f 62 6a 65 63 74 22 3a 69 66 28 61 29 69 66 28 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 61 29 29 7b 69 66 28 43 28 61 29 29 72 65 74 75 72 6e 7d 65 6c 73 65 20 69 66 28 46 61 26 26 61 21 3d 6e 75 6c 6c 26 26 61 20 69 6e Data Ascii: tch(typeof a){case "number":return isFinite(a)?a:String(a);case "bigint":return(Aa?a>=Ba&&a<=Ca:a[0]==="-"?ua(a,Da):ua(a,Ea))?Number(a):String(a);case "boolean":return a?1:0;case "object":if(a)if(Array.isArray(a)){if(C(a))return}else if(Fa&&a!=null&&a in
2024-10-01 16:51:09 UTC	1969	IN	Data Raw: 7b 76 61 72 20 62 3b 69 66 28 61 26 26 28 62 3d 51 61 29 21 3d 6e 75 6c 6c 26 26 62 2e 68 61 73 28 61 29 26 26 28 62 3d 61 2e 43 29 29 66 6f 72 28 76 61 72 20 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 62 5b 63 5d 3b 69 66 28 63 3d 3d 3d 62 2e 6c 65 6e 67 74 68 2d 31 26 26 41 28 64 29 29 66 6f 72 28 76 61 72 20 65 20 69 6e 20 64 29 7b 76 61 72 20 66 3d 64 5b 65 5d 3b 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 66 29 26 26 0a 52 61 28 66 2c 61 29 7d 65 6c 73 65 20 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 64 29 26 26 52 61 28 64 2c 61 29 7d 61 3d 45 3f 61 2e 43 3a 4d 61 28 61 2e 43 2c 50 61 2c 76 6f 69 64 20 30 2c 76 6f 69 64 20 30 2c 21 31 29 3b 65 3d 21 45 3b 69 66 28 62 3d 61 2e 6c 65 6e 67 74 68 29 7b 64 3d 61 5b 62 2d Data Ascii: {var b;if(a&&(b=Qa)!=null&&b.has(a)&&(b=a.C))for(var c=0;c<b.length;c++){var d=b[c];if(c===b.length-1&&A(d))for(var e in d){var f=d[e];Array.isArray(f)&&Ra(f,a)}else Array.isArray(d)&&Ra(d,a)}a=E?a.C:Ma(a.C,Pa,void 0,void 0,!1);e=!E;if(b=a.length){d=a[b-
2024-10-01 16:51:09 UTC	1969	IN	Data Raw: 6f 6c 2e 69 74 65 72 61 74 6f 72 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 61 29 72 65 74 75 72 6e 20 61 3b 61 3d 53 79 6d 62 6f 6c 28 22 63 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 22 41 72 72 61 79 20 49 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 43 6c 61 6d 70 65 64 41 72 72 61 79 20 49 6e 74 31 36 41 72 72 61 79 20 55 69 6e 74 31 36 41 72 72 61 79 20 49 6e 74 33 32 41 72 72 61 79 20 55 69 6e 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 36 34 41 72 72 61 79 22 2e 73 70 6c 69 74 28 22 20 22 29 2c 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 57 61 5b 62 5b 63 5d 5d 3b 74 79 70 65 6f 66 20 64 3d 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 26 26 74 79 70 65 Data Ascii: ol.iterator",function(a){if(a)return a;a=Symbol("c");for(var b="Array Int8Array Uint8Array Uint8ClampedArray Int16Array Uint16Array Int32Array Uint32Array Float32Array Float64Array".split(" "),c=0;c<b.length;c++){var d=Wa[b[c]];typeof d==="function"&&type
2024-10-01 16:51:09 UTC	1969	IN	Data Raw: 29 3b 65 28 22 66 72 65 65 7a 65 22 29 3b 65 28 22 70 72 65 76 65 6e 74 45 78 74 65 6e 73 69 6f 6e 73 22 29 3b 65 28 22 73 65 61 6c 22 29 3b 76 61 72 20 68 3d 30 2c 67 3d 66 75 6e 63 74 69 6f 6e 28 6b 29 7b 74 68 69 73 2e 67 3d 28 68 2b 3d 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2b 31 29 2e 74 6f 53 74 72 69 6e 67 28 29 3b 69 66 28 6b 29 7b 6b 3d 48 28 6b 29 3b 66 6f 72 28 76 61 72 20 6c 3b 21 28 6c 3d 6b 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6c 3d 6c 2e 76 61 6c 75 65 2c 74 68 69 73 2e 73 65 74 28 6c 5b 30 5d 2c 6c 5b 31 5d 29 7d 7d 3b 67 2e 70 72 6f 74 6f 74 79 70 65 2e 73 65 74 3d 66 75 6e 63 74 69 6f 6e 28 6b 2c 6c 29 7b 69 66 28 21 63 28 6b 29 29 74 68 72 6f 77 20 45 72 72 6f 72 28 22 69 22 29 3b 64 28 6b 29 3b 69 66 28 21 49 28 6b 2c 66 29 29 Data Ascii: );e("freeze");e("preventExtensions");e("seal");var h=0,g=function(k){this.g=(h+=Math.random()+1).toString();if(k){k=H(k);for(var l;!(l=k.next()).done;)l=l.value,this.set(l[0],l[1])}};g.prototype.set=function(k,l){if(!c(k))throw Error("i");d(k);if(!I(k,f))
2024-10-01 16:51:09 UTC	1969	IN	Data Raw: 75 72 6e 20 67 2e 76 61 6c 75 65 7d 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 2e 66 6f 72 45 61 63 68 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 66 6f 72 28 76 61 72 20 6c 3d 74 68 69 73 2e 65 6e 74 72 69 65 73 28 29 2c 6d 3b 21 28 6d 3d 6c 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6d 3d 0a 6d 2e 76 61 6c 75 65 2c 67 2e 63 61 6c 6c 28 6b 2c 6d 5b 31 5d 2c 6d 5b 30 5d 2c 74 68 69 73 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 5b 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 5d 3d 63 2e 70 72 6f 74 6f 74 79 70 65 2e 65 6e 74 72 69 65 73 3b 76 61 72 20 64 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 76 61 72 20 6c 3d 6b 26 26 74 79 70 65 6f 66 20 6b 3b 6c 3d 3d 22 6f 62 6a 65 63 74 22 7c 7c 6c 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 3f 62 2e 68 61 73 28 6b 29 Data Ascii: urn g.value})};c.prototype.forEach=function(g,k){for(var l=this.entries(),m;!(m=l.next()).done;)m=m.value,g.call(k,m[1],m[0],this)};c.prototype[Symbol.iterator]=c.prototype.entries;var d=function(g,k){var l=k&&typeof k;l=="object"\|\|l=="function"?b.has(k)
2024-10-01 16:51:09 UTC	1969	IN	Data Raw: 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 3f 61 3a 66 75 6e 63 74 69 6f 6e 28 62 29 7b 72 65 74 75 72 6e 20 74 79 70 65 6f 66 20 62 3d 3d 3d 22 6e 75 6d 62 65 72 22 26 26 69 73 4e 61 4e 28 62 29 7d 7d 29 3b 76 61 72 20 66 62 3d 66 62 7c 7c 7b 7d 2c 71 3d 74 68 69 73 7c 7c 73 65 6c 66 2c 67 62 3d 71 2e 5f 46 5f 74 6f 67 67 6c 65 73 7c 7c 5b 5d 2c 68 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 3d 61 2e 73 70 6c 69 74 28 22 2e 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 71 2c 63 3d 30 3b 63 3c 61 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 69 66 28 62 3d 62 5b 61 5b 63 5d 5d 2c 62 3d 3d 6e 75 6c 6c 29 72 65 74 75 72 6e 20 6e 75 6c 6c 3b 72 65 74 75 72 6e 20 62 7d 2c 69 62 3d 22 63 6c 6f 73 75 72 65 5f 75 69 64 5f 22 2b 28 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2a 31 45 Data Ascii: on(a){return a?a:function(b){return typeof b==="number"&&isNaN(b)}});var fb=fb\|\|{},q=this\|\|self,gb=q._F_toggles\|\|[],hb=function(a){a=a.split(".");for(var b=q,c=0;c<a.length;c++)if(b=b[a[c]],b==null)return null;return b},ib="closure_uid_"+(Math.random()*1E
2024-10-01 16:51:10 UTC	1969	IN	Data Raw: 74 65 78 74 5f 5f 39 38 34 33 38 32 3d 7b 7d 29 3b 61 2e 5f 5f 63 6c 6f 73 75 72 65 5f 5f 65 72 72 6f 72 5f 5f 63 6f 6e 74 65 78 74 5f 5f 39 38 34 33 38 32 2e 73 65 76 65 72 69 74 79 3d 62 7d 3b 76 61 72 20 71 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 63 3d 63 7c 7c 71 3b 76 61 72 20 64 3d 63 2e 6f 6e 65 72 72 6f 72 2c 65 3d 21 21 62 3b 63 2e 6f 6e 65 72 72 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 66 2c 68 2c 67 2c 6b 2c 6c 29 7b 64 26 26 64 28 66 2c 68 2c 67 2c 6b 2c 6c 29 3b 61 28 7b 6d 65 73 73 61 67 65 3a 66 2c 66 69 6c 65 4e 61 6d 65 3a 68 2c 6c 69 6e 65 3a 67 2c 6c 69 6e 65 4e 75 6d 62 65 72 3a 67 2c 63 61 3a 6b 2c 65 72 72 6f 72 3a 6c 7d 29 3b 72 65 74 75 72 6e 20 65 7d 7d 2c 74 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3d 68 Data Ascii: text__984382={});a.__closure__error__context__984382.severity=b};var qb=function(a,b,c){c=c\|\|q;var d=c.onerror,e=!!b;c.onerror=function(f,h,g,k,l){d&&d(f,h,g,k,l);a({message:f,fileName:h,line:g,lineNumber:g,ca:k,error:l});return e}},tb=function(a){var b=h
2024-10-01 16:51:10 UTC	1969	IN	Data Raw: 22 6e 75 6d 62 65 72 22 3a 66 3d 53 74 72 69 6e 67 28 66 29 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 66 3d 66 3f 22 74 72 75 65 22 3a 22 66 61 6c 73 65 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 66 75 6e 63 74 69 6f 6e 22 3a 66 3d 28 66 3d 73 62 28 66 29 29 3f 66 3a 22 5b 66 6e 5d 22 3b 62 72 65 61 6b 3b 64 65 66 61 75 6c 74 3a 66 3d 0a 74 79 70 65 6f 66 20 66 7d 66 2e 6c 65 6e 67 74 68 3e 34 30 26 26 28 66 3d 66 2e 73 6c 69 63 65 28 30 2c 34 30 29 2b 22 2e 2e 2e 22 29 3b 63 2e 70 75 73 68 28 66 29 7d 62 2e 70 75 73 68 28 61 29 3b 63 2e 70 75 73 68 28 22 29 5c 6e 22 29 3b 74 72 79 7b 63 2e 70 75 73 68 28 77 62 28 61 2e 63 61 6c 6c 65 72 2c 62 29 29 7d 63 61 74 63 68 28 68 29 7b 63 2e 70 75 73 68 28 22 5b 65 78 63 65 70 74 69 6f 6e Data Ascii: "number":f=String(f);break;case "boolean":f=f?"true":"false";break;case "function":f=(f=sb(f))?f:"[fn]";break;default:f=typeof f}f.length>40&&(f=f.slice(0,40)+"...");c.push(f)}b.push(a);c.push(")\n");try{c.push(wb(a.caller,b))}catch(h){c.push("[exception

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49760	142.250.185.110	443	7564	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 16:51:10 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 16:51:10 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 16:51:10 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49761	142.250.185.110	443	7564	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 16:51:10 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 16:51:11 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 16:51:11 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49764	142.250.185.110	443	7564	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 16:51:11 UTC	1124	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 519 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 16:51:11 UTC	519	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 30 31 34 36 39 34 35 34 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727801469454",null,null,null
2024-10-01 16:51:11 UTC	932	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=H5WYqo6Ko6WhB2fDsDVFiRpOk8a4kifI8bGU60fnAcrnXXU3k37ffOcGV6RNhsOrWmC-jOXbrfKmLuS2O6IbgOCwbueT9Rpj_Dso8eyADuqnX-kbiREUt5XhuXfAhJO-T2z19Wma3cGYxtLzlx22WRPBSdnSNaq4oQ2-CfS-Qtu51BINjA; expires=Wed, 02-Apr-2025 16:51:11 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 16:51:11 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Tue, 01 Oct 2024 16:51:11 GMT Connection: close Transfer-Encoding: chunked
2024-10-01 16:51:11 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 16:51:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49765	142.250.185.110	443	7564	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 16:51:11 UTC	1124	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 519 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 16:51:11 UTC	519	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 30 31 34 36 39 36 38 32 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727801469682",null,null,null
2024-10-01 16:51:12 UTC	932	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=0jIR8A63mCRIzTBwmdGqIqWjWghRcH8gCIZLMboZZ11qnbl-WtS7MwujYzAzMhY1rElGXEhzAXUjlgxv3xejc8Rj61e-r23QsRNi-qfhq6hUAeHTv6WRTrrPuw-zJtP5S2B4KUXWcwZuoFnJW5cO3feC6VO7gzB-EcBh-CajFnwLqbnWYw; expires=Wed, 02-Apr-2025 16:51:11 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 16:51:11 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Tue, 01 Oct 2024 16:51:11 GMT Connection: close Transfer-Encoding: chunked
2024-10-01 16:51:12 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 16:51:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49741	142.250.185.132	443	7564	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 16:51:12 UTC	1213	OUT	GET /favicon.ico HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=0jIR8A63mCRIzTBwmdGqIqWjWghRcH8gCIZLMboZZ11qnbl-WtS7MwujYzAzMhY1rElGXEhzAXUjlgxv3xejc8Rj61e-r23QsRNi-qfhq6hUAeHTv6WRTrrPuw-zJtP5S2B4KUXWcwZuoFnJW5cO3feC6VO7gzB-EcBh-CajFnwLqbnWYw
2024-10-01 16:51:13 UTC	705	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable" Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]} Content-Length: 5430 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Tue, 01 Oct 2024 15:08:05 GMT Expires: Wed, 09 Oct 2024 15:08:05 GMT Cache-Control: public, max-age=691200 Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT Content-Type: image/x-icon Vary: Accept-Encoding Age: 6187 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-01 16:51:13 UTC	685	IN	Data Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 30 fd fd fd 96 fd fd fd d8 fd fd fd f9 fd fd fd f9 fd fd fd d7 fd fd fd 94 fe fe fe 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 95 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd c1 ff ff ff ff fa fd f9 ff b4 d9 a7 ff 76 ba 5d ff 58 ab 3a ff 58 aa 3a ff 72 b8 59 ff ac d5 9d ff f8 fb f6 ff ff Data Ascii: h& ( 0.v]X:X:rY
2024-10-01 16:51:13 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d8 fd fd fd 99 ff ff ff ff 92 cf fb ff 37 52 ec ff 38 46 ea ff d0 d4 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 96 fe fe fe 32 ff ff ff ff f9 f9 fe ff 56 62 ed ff 35 43 ea ff 3b 49 eb ff 95 9c f4 ff cf d2 fa ff d1 d4 fa ff 96 9d f4 ff 52 5e ed ff e1 e3 fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 30 00 00 00 00 fd fd fd 9d ff ff ff ff e8 ea fd ff 58 63 ee ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 6c 76 f0 ff ff ff ff ff ff ff ff ff fd fd fd 98 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd c3 ff ff ff ff f9 f9 fe ff a5 ac f6 ff 5d 69 ee ff 3c 4a Data Ascii: 7R8F2Vb5C;IR^0Xc5C5C5C5C5C5Clv]i<J
2024-10-01 16:51:13 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff fd fd fd d0 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd fd fd 8b ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b1 d8 a3 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 60 a5 35 ff ca 8e 3e ff f9 c1 9f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 87 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 25 fd fd fd fb ff ff ff ff ff ff ff ff ff ff ff ff c2 e0 b7 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 6e b6 54 ff 9f ce 8d ff b7 da aa ff b8 db ab ff a5 d2 95 ff 7b bc 64 ff 54 a8 35 ff 53 a8 34 ff 77 a0 37 ff e3 89 41 ff f4 85 42 ff f4 85 42 ff Data Ascii: S4S4S4S4S4S4S4S4S4S4S4S4S4S4`5>%S4S4S4S4S4S4nT{dT5S4w7ABB
2024-10-01 16:51:13 UTC	1390	IN	Data Raw: ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff fb d5 bf ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd ea fd fd fd cb ff ff ff ff ff ff ff ff ff ff ff ff 46 cd fc ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 21 ae f9 ff fb fb ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd c8 fd fd fd 9c ff ff ff ff ff ff ff ff ff ff ff ff 86 df fd ff 05 bc fb ff 05 bc fb ff 15 93 f5 ff 34 49 eb ff b3 b8 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: BBBBBBF!4I
2024-10-01 16:51:13 UTC	575	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d2 fe fe fe 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd 8d fd fd fd fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd fb fd fd fd 8b fe fe fe 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 27 fd fd fd 9f fd fd fd f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: $'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49772	4.175.87.197	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 16:51:17 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=EuaRpt6nfYoHfLm&MD=6Nzt8SER HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-01 16:51:17 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: e4484e07-c36d-4780-91bf-a084119aebbf MS-RequestId: a8187056-cc88-4f1b-9d0a-821f4c9709de MS-CV: BvUUi92KNkmuuGzW.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Tue, 01 Oct 2024 16:51:16 GMT Connection: close Content-Length: 24490
2024-10-01 16:51:17 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-10-01 16:51:17 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49777	142.250.185.110	443	7564	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 16:51:18 UTC	1298	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1221 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=0jIR8A63mCRIzTBwmdGqIqWjWghRcH8gCIZLMboZZ11qnbl-WtS7MwujYzAzMhY1rElGXEhzAXUjlgxv3xejc8Rj61e-r23QsRNi-qfhq6hUAeHTv6WRTrrPuw-zJtP5S2B4KUXWcwZuoFnJW5cO3feC6VO7gzB-EcBh-CajFnwLqbnWYw
2024-10-01 16:51:18 UTC	1221	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 34 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 35 35 38 2c 5b 5b 22 31 37 32 37 38 30 31 34 36 37 30 30 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,null,null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[4,0,0,0,0]]],558,[["1727801467000",null,null,null,
2024-10-01 16:51:18 UTC	940	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=KVDJ0MHpkjX--EFyBhrC6-eSQ9YvModw-JBQGHdgtWrgkH6waj2tfTAiFF-hON3ZDQHVulEh-6MZX4Dx5kgmue-IS5I7dN3wmzNL8CiP9HL6uv3nn8NgHFvfCRZ-Zgz9pZdGqb1Dxd8_q_Vnd3R6LWR9Qt9xw5hQihvxoVJSi18Up2Q0FaZNF-mERw; expires=Wed, 02-Apr-2025 16:51:18 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 16:51:18 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Tue, 01 Oct 2024 16:51:18 GMT Connection: close Transfer-Encoding: chunked
2024-10-01 16:51:18 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 16:51:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49781	142.250.185.110	443	7564	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 16:51:42 UTC	1329	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1168 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=KVDJ0MHpkjX--EFyBhrC6-eSQ9YvModw-JBQGHdgtWrgkH6waj2tfTAiFF-hON3ZDQHVulEh-6MZX4Dx5kgmue-IS5I7dN3wmzNL8CiP9HL6uv3nn8NgHFvfCRZ-Zgz9pZdGqb1Dxd8_q_Vnd3R6LWR9Qt9xw5hQihvxoVJSi18Up2Q0FaZNF-mERw
2024-10-01 16:51:42 UTC	1168	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 30 31 35 30 31 31 38 36 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727801501186",null,null,null
2024-10-01 16:51:42 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 16:51:42 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 16:51:42 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 16:51:42 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49782	142.250.185.110	443	7564	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 16:51:42 UTC	1329	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1125 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=KVDJ0MHpkjX--EFyBhrC6-eSQ9YvModw-JBQGHdgtWrgkH6waj2tfTAiFF-hON3ZDQHVulEh-6MZX4Dx5kgmue-IS5I7dN3wmzNL8CiP9HL6uv3nn8NgHFvfCRZ-Zgz9pZdGqb1Dxd8_q_Vnd3R6LWR9Qt9xw5hQihvxoVJSi18Up2Q0FaZNF-mERw
2024-10-01 16:51:42 UTC	1125	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 30 31 35 30 31 32 33 33 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727801501233",null,null,null
2024-10-01 16:51:42 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 16:51:42 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 16:51:42 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 16:51:42 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49783	142.250.185.110	443	7564	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 16:51:42 UTC	1289	OUT	POST /log?hasfast=true&authuser=0&format=json HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1038 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.132" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=KVDJ0MHpkjX--EFyBhrC6-eSQ9YvModw-JBQGHdgtWrgkH6waj2tfTAiFF-hON3ZDQHVulEh-6MZX4Dx5kgmue-IS5I7dN3wmzNL8CiP9HL6uv3nn8NgHFvfCRZ-Zgz9pZdGqb1Dxd8_q_Vnd3R6LWR9Qt9xw5hQihvxoVJSi18Up2Q0FaZNF-mERw
2024-10-01 16:51:42 UTC	1038	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 62 6f 71 5f 69 64 65 6e 74 69 74 79 66 72 6f 6e 74 65 6e 64 61 75 74 68 75 69 73 65 72 76 65 72 5f 32 30 32 34 30 39 32 34 2e 30 32 5f 70 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 33 2c 30 2c 30 Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"boq_identityfrontendauthuiserver_20240924.02_p0",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[3,0,0
2024-10-01 16:51:42 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 16:51:42 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 16:51:42 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 16:51:42 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49784	4.175.87.197	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 16:51:55 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=EuaRpt6nfYoHfLm&MD=6Nzt8SER HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-01 16:51:56 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: 81717a7e-a2a4-485a-8139-08051875270b MS-RequestId: 52283533-59ff-40ab-b508-2b4f33c71e1a MS-CV: 1NDKelRu7kSisHwE.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Tue, 01 Oct 2024 16:51:55 GMT Connection: close Content-Length: 30005
2024-10-01 16:51:56 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-10-01 16:51:56 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49788	172.217.18.14	443	7564	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 16:52:13 UTC	1329	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1324 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=KVDJ0MHpkjX--EFyBhrC6-eSQ9YvModw-JBQGHdgtWrgkH6waj2tfTAiFF-hON3ZDQHVulEh-6MZX4Dx5kgmue-IS5I7dN3wmzNL8CiP9HL6uv3nn8NgHFvfCRZ-Zgz9pZdGqb1Dxd8_q_Vnd3R6LWR9Qt9xw5hQihvxoVJSi18Up2Q0FaZNF-mERw
2024-10-01 16:52:13 UTC	1324	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 30 31 35 33 31 39 36 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727801531960",null,null,null
2024-10-01 16:52:13 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 16:52:13 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 16:52:13 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 16:52:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49789	172.217.18.14	443	7564	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 16:52:13 UTC	1329	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1413 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=KVDJ0MHpkjX--EFyBhrC6-eSQ9YvModw-JBQGHdgtWrgkH6waj2tfTAiFF-hON3ZDQHVulEh-6MZX4Dx5kgmue-IS5I7dN3wmzNL8CiP9HL6uv3nn8NgHFvfCRZ-Zgz9pZdGqb1Dxd8_q_Vnd3R6LWR9Qt9xw5hQihvxoVJSi18Up2Q0FaZNF-mERw
2024-10-01 16:52:13 UTC	1413	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 30 31 35 33 32 30 32 32 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727801532022",null,null,null
2024-10-01 16:52:13 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 16:52:13 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 16:52:13 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 16:52:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49791	172.217.18.14	443	7564	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 16:52:43 UTC	1329	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1327 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=KVDJ0MHpkjX--EFyBhrC6-eSQ9YvModw-JBQGHdgtWrgkH6waj2tfTAiFF-hON3ZDQHVulEh-6MZX4Dx5kgmue-IS5I7dN3wmzNL8CiP9HL6uv3nn8NgHFvfCRZ-Zgz9pZdGqb1Dxd8_q_Vnd3R6LWR9Qt9xw5hQihvxoVJSi18Up2Q0FaZNF-mERw
2024-10-01 16:52:43 UTC	1327	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 30 31 35 36 32 35 39 37 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727801562597",null,null,null
2024-10-01 16:52:44 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 16:52:43 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 16:52:44 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 16:52:44 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49792	172.217.18.14	443	7564	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 16:52:44 UTC	1329	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1313 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=KVDJ0MHpkjX--EFyBhrC6-eSQ9YvModw-JBQGHdgtWrgkH6waj2tfTAiFF-hON3ZDQHVulEh-6MZX4Dx5kgmue-IS5I7dN3wmzNL8CiP9HL6uv3nn8NgHFvfCRZ-Zgz9pZdGqb1Dxd8_q_Vnd3R6LWR9Qt9xw5hQihvxoVJSi18Up2Q0FaZNF-mERw
2024-10-01 16:52:44 UTC	1313	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 30 31 35 36 32 39 39 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727801562990",null,null,null
2024-10-01 16:52:44 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 16:52:44 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 16:52:44 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 16:52:44 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	12:50:57
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x5d0000
File size:	917'504 bytes
MD5 hash:	536A43D3DE5F4ACF818BB41029651839
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:50:58
Start date:	01/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	12:50:58
Start date:	01/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=2052,i,10817149236646276970,9107877768745341469,262144 --disable-features=CrashRecovery /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	12:51:09
Start date:	01/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5400 --field-trial-handle=2052,i,10817149236646276970,9107877768745341469,262144 --disable-features=CrashRecovery /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	12:51:09
Start date:	01/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 --field-trial-handle=2052,i,10817149236646276970,9107877768745341469,262144 --disable-features=CrashRecovery /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.2%
Total number of Nodes:	1435
Total number of Limit Nodes:	37

Executed Functions

Function 005D42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 005D430D

Part of subcall function 005D6B57: _wcslen.LIBCMT ref: 005D6B6A

GetCurrentProcess.KERNEL32(?,0066CB64,00000000,?,?), ref: 005D4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 005D4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 005D4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 005D4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 005D4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 005D447B
GetSystemInfo.KERNEL32(?,?,?), ref: 005D44A0

Strings

kernel32.dll, xrefs: 005D444F
GetNativeSystemInfo, xrefs: 005D4460
|O, xrefs: 006136F8

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: c7dfaecc9cbb2905997f6da12a6d14750935640c66cee1fe0572f76e40fb8831
Instruction ID: 59e376a22e45d12bb2042e10b5a884806188669c55b1463747b93ac5f6100ced
Opcode Fuzzy Hash: c7dfaecc9cbb2905997f6da12a6d14750935640c66cee1fe0572f76e40fb8831
Instruction Fuzzy Hash: 3BA1916190A6E0DFCF21EF6D78401E57FE77B27340F08689AD0819BB62D6706988CF65

Function 005D42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,005D50AA,?,?,00000000,00000000), ref: 005D42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,005D50AA,?,?,00000000,00000000), ref: 005D42C9
LoadResource.KERNEL32(?,00000000,?,?,005D50AA,?,?,00000000,00000000,?,?,?,?,?,?,005D4F20), ref: 006135BE
SizeofResource.KERNEL32(?,00000000,?,?,005D50AA,?,?,00000000,00000000,?,?,?,?,?,?,005D4F20), ref: 006135D3
LockResource.KERNEL32(005D50AA,?,?,005D50AA,?,?,00000000,00000000,?,?,?,?,?,?,005D4F20,?), ref: 006135E6

Strings

SCRIPT, xrefs: 005D42BF

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 998065ab5100cd6b988080ae65b8f6734b4b03592624ed03ca2f06c92038cd5d
Instruction ID: cf69c9c1d30a5f3a7f3755b631b35847fe8ea26174c0ffc0e82e80015da85a54
Opcode Fuzzy Hash: 998065ab5100cd6b988080ae65b8f6734b4b03592624ed03ca2f06c92038cd5d
Instruction Fuzzy Hash: 10117C74200B01BFE7218B69DC48F677BBEEBC5B61F14816AF846D6350DBB1DD009A60

Function 00612BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 005D2B6B

Part of subcall function 005D3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,006A1418,?,005D2E7F,?,?,?,00000000), ref: 005D3A78

Part of subcall function 005D9CB3: _wcslen.LIBCMT ref: 005D9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00692224), ref: 00612C10
ShellExecuteW.SHELL32(00000000,?,?,00692224), ref: 00612C17

Strings

runas, xrefs: 00612C0B

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: f399578145d39ab1b1ae271bc4cf3a09d62d0bc952e91c93166a15f37b8eebe6
Instruction ID: cb875cb172d9e19fe290f6770fb4bfba21fe9c8a4362b903275e3cae874b4569
Opcode Fuzzy Hash: f399578145d39ab1b1ae271bc4cf3a09d62d0bc952e91c93166a15f37b8eebe6
Instruction Fuzzy Hash: 5A11BB312083435AD724FF6CD8599BE7FA6BBE6750F04141FF082562A2CF61494AD713

Function 0063D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0063D501
Process32FirstW.KERNEL32(00000000,?), ref: 0063D50F
Process32NextW.KERNEL32(00000000,?), ref: 0063D52F
CloseHandle.KERNELBASE(00000000), ref: 0063D5DC

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 8d96e4225675dae5a297ee99c9104d753579b252fa4542dbc22e1f090718192d
Instruction ID: d436865c8641f3ad509055f1ff5e57fdce1fabce12116ffd7048bbd4ebb77642
Opcode Fuzzy Hash: 8d96e4225675dae5a297ee99c9104d753579b252fa4542dbc22e1f090718192d
Instruction Fuzzy Hash: 67319E711082019FD311EF54D885AAFBFE9FFD9354F14092EF581822A1EB719949CB92

Function 0063DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00615222), ref: 0063DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0063DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0063DBEE
FindClose.KERNEL32(00000000), ref: 0063DBFA

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: d4fec68f29f840d69fe43d771d3d2f4d3f0bf3cbd1e05bf4cb0bdca0bcc483b2
Instruction ID: 7b3aa2fbe15a827ac916c31ff358473973d5170cb4871a479b8ab476f50efd50
Opcode Fuzzy Hash: d4fec68f29f840d69fe43d771d3d2f4d3f0bf3cbd1e05bf4cb0bdca0bcc483b2
Instruction Fuzzy Hash: 34F0A0B082091057C3206B78AC0D8BA776E9F02374F106702F8B6C22E0EBF09A5586D5

Function 005F4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(006028E9,?,005F4CBE,006028E9,006988B8,0000000C,005F4E15,006028E9,00000002,00000000,?,006028E9), ref: 005F4D09
TerminateProcess.KERNEL32(00000000,?,005F4CBE,006028E9,006988B8,0000000C,005F4E15,006028E9,00000002,00000000,?,006028E9), ref: 005F4D10
ExitProcess.KERNEL32 ref: 005F4D22

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 363d56d5da46dc876e6b7ab678932a5099975d2efc052091b0e51823ba5ddeea
Instruction ID: 37626a4e1ff3dffb2df72a662841e7a4adbbcb23f4e4c6cee9216540a1ea3689
Opcode Fuzzy Hash: 363d56d5da46dc876e6b7ab678932a5099975d2efc052091b0e51823ba5ddeea
Instruction Fuzzy Hash: 60E0B631000948ABDF11AF55DD09A6A3F6AFB85791B104018FD55DA222DB79DD42CE80

Function 005DBF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#j, xrefs: 006207CE

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#j
API String ID: 3964851224-3095285349
Opcode ID: 4f6b44c5310c007b5de895d7e877808c074c468885fae45bbdcff089692c2057
Instruction ID: 15c520fef14d4c32bad02094485376768aaec2d03d5559e8c2e4fc79d45adf46
Opcode Fuzzy Hash: 4f6b44c5310c007b5de895d7e877808c074c468885fae45bbdcff089692c2057
Instruction Fuzzy Hash: D3A258706083529FD724DF18C484B6ABBE1BF89304F14896EE89A9B352D771EC45CF92

Function 0065AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0065B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0065B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0065B1D4
_wcslen.LIBCMT ref: 0065B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0065B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0065B236
_wcslen.LIBCMT ref: 0065B332

Part of subcall function 006405A7: GetStdHandle.KERNEL32(000000F6), ref: 006405C6

_wcslen.LIBCMT ref: 0065B34B
_wcslen.LIBCMT ref: 0065B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0065B3B6
GetLastError.KERNEL32(00000000), ref: 0065B407
CloseHandle.KERNEL32(?), ref: 0065B439
CloseHandle.KERNEL32(00000000), ref: 0065B44A
CloseHandle.KERNEL32(00000000), ref: 0065B45C
CloseHandle.KERNEL32(00000000), ref: 0065B46E
CloseHandle.KERNEL32(?), ref: 0065B4E3

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 029e61c71d32f00a64ea55926235a40b7195598010679b7df8185883a526c6f6
Instruction ID: 7110f9d821f4f2d8f8184391f31db32e9609d9a45d718ac4d567ff757b90e525
Opcode Fuzzy Hash: 029e61c71d32f00a64ea55926235a40b7195598010679b7df8185883a526c6f6
Instruction Fuzzy Hash: 0FF17A316043419FC724EF24C895B6ABBE6BF85310F14855EF8859B3A2DB31EC49CB52

Function 005DD730 Relevance: 21.6, APIs: 14, Instructions: 627windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 005DD807
timeGetTime.WINMM ref: 005DDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005DDB28
TranslateMessage.USER32(?), ref: 005DDB7B
DispatchMessageW.USER32(?), ref: 005DDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005DDB9F
Sleep.KERNEL32(0000000A), ref: 005DDBB1

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 97570c9e4fae760312515fa4cb2573b00126fa276e864c8bc07e6a2dafcde863
Instruction ID: cb00c8c3d07955d792f0f0418e8f699ba810535bba048e4c0c64d7e2ed234a13
Opcode Fuzzy Hash: 97570c9e4fae760312515fa4cb2573b00126fa276e864c8bc07e6a2dafcde863
Instruction Fuzzy Hash: 9C42C330608642EFD734DF28D854BAABBB2BF46314F14855BE4958B391D771E844CFA2

Function 005D2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 005D2D07
RegisterClassExW.USER32(00000030), ref: 005D2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 005D2D42
InitCommonControlsEx.COMCTL32(?), ref: 005D2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 005D2D6F
LoadIconW.USER32(000000A9), ref: 005D2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 005D2D94

Strings

AutoIt v3 GUI, xrefs: 005D2D23
0, xrefs: 005D2CE9
TaskbarCreated, xrefs: 005D2D37
+, xrefs: 005D2CF0

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 121b6a6a6e8762139e365b1bc254bcaefe27fb6114374e8c543223a2f51bdb62
Instruction ID: 6e47a437f9c65f56e95d4876de84832cf65a562f6e3e7fc1d11d957aa11f6066
Opcode Fuzzy Hash: 121b6a6a6e8762139e365b1bc254bcaefe27fb6114374e8c543223a2f51bdb62
Instruction Fuzzy Hash: B521E3B5901318AFDB00EFA4E849BEEBFB6FB0A721F00511AF551AA2A0D7B11544CF91

Function 0061065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0061039A: CreateFileW.KERNELBASE(00000000,00000000,?,00610704,?,?,00000000,?,00610704,00000000,0000000C), ref: 006103B7

GetLastError.KERNEL32 ref: 0061076F
__dosmaperr.LIBCMT ref: 00610776
GetFileType.KERNELBASE(00000000), ref: 00610782
GetLastError.KERNEL32 ref: 0061078C
__dosmaperr.LIBCMT ref: 00610795
CloseHandle.KERNEL32(00000000), ref: 006107B5
CloseHandle.KERNEL32(?), ref: 006108FF
GetLastError.KERNEL32 ref: 00610931
__dosmaperr.LIBCMT ref: 00610938

Strings

H, xrefs: 006108BD

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: d9da52d9082221312aa4cbc5f481e600d4c2da53e870eeacb8586744edd160ee
Instruction ID: 1798ea5f7325338798029abd64ce6ef5554c59f3f50ba091bca0b282bdd8ca53
Opcode Fuzzy Hash: d9da52d9082221312aa4cbc5f481e600d4c2da53e870eeacb8586744edd160ee
Instruction Fuzzy Hash: BDA13632A041098FEF19AF68DC51BEE3BA2AF46320F18015DF815AB3D1D7759C92CB91

Function 005D344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 005D3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,006A1418,?,005D2E7F,?,?,?,00000000), ref: 005D3A78

Part of subcall function 005D3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 005D3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 005D356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0061318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 006131CE
RegCloseKey.ADVAPI32(?), ref: 00613210
_wcslen.LIBCMT ref: 00613277
_wcslen.LIBCMT ref: 00613286

Strings

Include, xrefs: 00613184, 006131C5
\, xrefs: 0061328C
\Include\, xrefs: 005D3527
Software\AutoIt v3\AutoIt, xrefs: 005D3560

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: b249a9b325a56a3127998eef590fd2cb207530e09d9195f16a1550e06053e075
Instruction ID: 8242ff6da22076c9baa103c76eae84895858cff74ecb8bb2bf988659163b016e
Opcode Fuzzy Hash: b249a9b325a56a3127998eef590fd2cb207530e09d9195f16a1550e06053e075
Instruction Fuzzy Hash: D471AE714443029EC714EF69DCA58ABBBE9FF86750F40182FF58583260EB74AA48CF52

Function 005D2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 005D2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 005D2B9D
LoadIconW.USER32(00000063), ref: 005D2BB3
LoadIconW.USER32(000000A4), ref: 005D2BC5
LoadIconW.USER32(000000A2), ref: 005D2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 005D2BEF
RegisterClassExW.USER32(?), ref: 005D2C40

Part of subcall function 005D2CD4: GetSysColorBrush.USER32(0000000F), ref: 005D2D07
Part of subcall function 005D2CD4: RegisterClassExW.USER32(00000030), ref: 005D2D31
Part of subcall function 005D2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 005D2D42
Part of subcall function 005D2CD4: InitCommonControlsEx.COMCTL32(?), ref: 005D2D5F
Part of subcall function 005D2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 005D2D6F
Part of subcall function 005D2CD4: LoadIconW.USER32(000000A9), ref: 005D2D85
Part of subcall function 005D2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 005D2D94

Strings

AutoIt v3, xrefs: 005D2C2F
0, xrefs: 005D2C0F
#, xrefs: 005D2C16

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 97b48bc258768ce6bf64ebb1c7ab3b65e3596867caa2393bdefd589cde972e3f
Instruction ID: 18c2268aee73dce6d041230a9f13eb41993d55b765fef6ae60d03cf6059125ac
Opcode Fuzzy Hash: 97b48bc258768ce6bf64ebb1c7ab3b65e3596867caa2393bdefd589cde972e3f
Instruction Fuzzy Hash: 47211A74E00314AFDF10AFA5EC55AA97FF6FB4AB60F00101AE504AA6A0D7B12A40CF90

Function 005D3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,005D316A,?,?), ref: 005D31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,005D316A,?,?), ref: 005D3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 005D3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,005D316A,?,?), ref: 005D3232
CreatePopupMenu.USER32 ref: 005D3246
PostQuitMessage.USER32(00000000), ref: 005D3267

Strings

TaskbarCreated, xrefs: 005D322D

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 583c89664fdea885ccc3b7216330c2c8510ca255019d6ef8b92cfc99520eab9d
Instruction ID: 8e81bdae0e3874294409674844df09396b25aaa47e9548416c1085355eca7878
Opcode Fuzzy Hash: 583c89664fdea885ccc3b7216330c2c8510ca255019d6ef8b92cfc99520eab9d
Instruction Fuzzy Hash: 3141E639640506AADB342FACDC2D7BA3E1BFB47350F081527F541893A1C6A19E40DBA2

Function 005D1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 005D1459
CoUninitialize.COMBASE ref: 005D14F8
UnregisterHotKey.USER32(?), ref: 005D16DD
DestroyWindow.USER32(?), ref: 006124B9
FreeLibrary.KERNEL32(?), ref: 0061251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0061254B

Strings

close all, xrefs: 005D1454

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 38524ae1380c44a209138ab9965a9900cf82650688dd921d3ee9863e039d2b99
Instruction ID: 5895fe6c6cfae3f25d7ebed209473f0b1c5ddb1aeb7784882b9cba4c1cbc290c
Opcode Fuzzy Hash: 38524ae1380c44a209138ab9965a9900cf82650688dd921d3ee9863e039d2b99
Instruction Fuzzy Hash: 71D18E307016139FCB29EF19C4A9AA9FBA6BF45710F14419EE44AAB351CB30ED62CF54

Function 005D2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 005D2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 005D2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,005D1CAD,?), ref: 005D2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,005D1CAD,?), ref: 005D2CCF

Strings

AutoIt v3, xrefs: 005D2C89, 005D2C8E, 005D2C8F
edit, xrefs: 005D2CAC

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: cdb45b013b4631ff6e87ed1e6bf0be5e4780afb3ad880d3113f87b4672cd0cd1
Instruction ID: d41378e94a4aa311c1f6d7ad94e5a6d0a8956e32977f049ccdc68ccf9f44d8d5
Opcode Fuzzy Hash: cdb45b013b4631ff6e87ed1e6bf0be5e4780afb3ad880d3113f87b4672cd0cd1
Instruction Fuzzy Hash: FAF0DA765402A07BEB312B17AC08E772EBFD7C7F60F01205AF900EA5A0C6A52850DEB0

Function 005D3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,005D3B0F,SwapMouseButtons,00000004,?), ref: 005D3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,005D3B0F,SwapMouseButtons,00000004,?), ref: 005D3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,005D3B0F,SwapMouseButtons,00000004,?), ref: 005D3B83

Strings

Control Panel\Mouse, xrefs: 005D3B3E

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 7ffc909cf339578d7fba8c564678d06e5fc652883d6ad6d866434e598f4dd5c3
Instruction ID: d1556b42bb5398e3045e85049612467eac6fbfbd4be9dab7ce884f9f24f3ef89
Opcode Fuzzy Hash: 7ffc909cf339578d7fba8c564678d06e5fc652883d6ad6d866434e598f4dd5c3
Instruction Fuzzy Hash: 4D112AB5510208FFEB208FA9DC44AAEBBB8FF04754B10486BE845D7210E2719E409761

Function 005D3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 006133A2

Part of subcall function 005D6B57: _wcslen.LIBCMT ref: 005D6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 005D3A04

Strings

Line: , xrefs: 006133EB

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 2f3805c765a09db86f335d44353b5becbc59f92a2d047bcac6e6f8bcb7a1f82d
Instruction ID: 405c494728e2e71e948c36302ee6df4c00669a1c576d2f101c4e7f57cde8fc4a
Opcode Fuzzy Hash: 2f3805c765a09db86f335d44353b5becbc59f92a2d047bcac6e6f8bcb7a1f82d
Instruction Fuzzy Hash: 5C31E471508315AAC730EF18DC49BEB7BD9BB81710F00192BF59987291EB70AA49CBD3

Function 005D2DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00612C8C

Part of subcall function 005D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,005D3A97,?,?,005D2E7F,?,?,?,00000000), ref: 005D3AC2

Part of subcall function 005D2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 005D2DC4

Strings

X, xrefs: 00612C5A
`ei, xrefs: 00612C85

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`ei
API String ID: 779396738-2233648704
Opcode ID: 153c8ef50e648fe4d0f87817de6873216a005d84ff3e0afe826df91f39f91041
Instruction ID: b5cd6713bb099c023baa0cf24eebfaa974cc761fe90043afdf41e64bbd8b026e
Opcode Fuzzy Hash: 153c8ef50e648fe4d0f87817de6873216a005d84ff3e0afe826df91f39f91041
Instruction Fuzzy Hash: C321A470A002589BCF51EF98C8097EE7FFDAF89304F00805BE505A7341DBB455898FA1

Function 005EFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 005F0668

Part of subcall function 005F32A4: RaiseException.KERNEL32(?,?,?,005F068A,?,006A1444,?,?,?,?,?,?,005F068A,005D1129,00698738,005D1129), ref: 005F3304

__CxxThrowException@8.LIBVCRUNTIME ref: 005F0685

Strings

Unknown exception, xrefs: 005F0692

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 5a17e16e9df4cb954322cb3ec0e3d92802fd0e868a252e72d8316253ce79fd28
Instruction ID: dc7787ec63988373f9cc98afaf1f7e836778af451b09b29b53fc9fac0934e644
Opcode Fuzzy Hash: 5a17e16e9df4cb954322cb3ec0e3d92802fd0e868a252e72d8316253ce79fd28
Instruction Fuzzy Hash: 5BF0C23490020E778F04BAA5EC4ACBE7F6D7E80350B644531BB14DA5D2EF75EA25CA81

Function 005D10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 005D1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 005D1BF4
Part of subcall function 005D1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 005D1BFC
Part of subcall function 005D1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 005D1C07
Part of subcall function 005D1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 005D1C12
Part of subcall function 005D1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 005D1C1A
Part of subcall function 005D1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 005D1C22

Part of subcall function 005D1B4A: RegisterWindowMessageW.USER32(00000004,?,005D12C4), ref: 005D1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 005D136A
OleInitialize.OLE32 ref: 005D1388
CloseHandle.KERNEL32(00000000,00000000), ref: 006124AB

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 79c9ae90a59911d1909122cf179c94ff1212103e677b7814c9482f884603da00
Instruction ID: 32fb241025cb9d10d449cc4859886128f1dfbc8b6130a48bc9b26954b913e1fd
Opcode Fuzzy Hash: 79c9ae90a59911d1909122cf179c94ff1212103e677b7814c9482f884603da00
Instruction Fuzzy Hash: 29719AF8D116118EC388FF7DA8596653EE3FB8B394F04A22A905ACF361EB3464018F54

Function 006086AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,006085CC,?,00698CC8,0000000C), ref: 00608704
GetLastError.KERNEL32(?,006085CC,?,00698CC8,0000000C), ref: 0060870E
__dosmaperr.LIBCMT ref: 00608739

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: a953a7eda6f74ab6b39f91f911ac720a563248c5a674dc52feeea4b74cbaf4c8
Instruction ID: 1aa9d27e98b3de9bd37292d4c2e6f0d9c8fd4a078a6398c2ed37a8f9ed0ef4b1
Opcode Fuzzy Hash: a953a7eda6f74ab6b39f91f911ac720a563248c5a674dc52feeea4b74cbaf4c8
Instruction Fuzzy Hash: 6B018E32A946301EDB6CE334A8457BF2B4B4B92774F3A051DF8459B2D3EFA2CC818654

Function 005E1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 005E17F6

Strings

CALL, xrefs: 005E17C6

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 0e22a03a8ac3ecf276211e5e314b06d84a64e7ce2f06b60153cfa110e15dca65
Instruction ID: bc21ca314b959817c2e56b9fef3ea0b9d88b3bc8b3f8cff5232961d917c2078a
Opcode Fuzzy Hash: 0e22a03a8ac3ecf276211e5e314b06d84a64e7ce2f06b60153cfa110e15dca65
Instruction Fuzzy Hash: 0E228B706087829FC718DF15C494A2ABBF2BF89314F14895DF4968B3A2D731E841CF96

Function 005D3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 005D3908

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 1d315504e2ecaaa40d044e9d47cffaf7aad8a3ce4c550a006d8ad635a3583d0c
Instruction ID: 985aee70c18362b5593e0962be94a52b0b9b595328caf653aa03ff38d7fe53bc
Opcode Fuzzy Hash: 1d315504e2ecaaa40d044e9d47cffaf7aad8a3ce4c550a006d8ad635a3583d0c
Instruction Fuzzy Hash: 7E3193B05057019FD720EF28D884797BBE4FB4A718F00092FF59A97380E7B1AA44DB52

Function 005D4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 005D4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,005D4EDD,?,006A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 005D4E9C
Part of subcall function 005D4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 005D4EAE
Part of subcall function 005D4E90: FreeLibrary.KERNEL32(00000000,?,?,005D4EDD,?,006A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 005D4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,006A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 005D4EFD

Part of subcall function 005D4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00613CDE,?,006A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 005D4E62
Part of subcall function 005D4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 005D4E74
Part of subcall function 005D4E59: FreeLibrary.KERNEL32(00000000,?,?,00613CDE,?,006A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 005D4E87

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: c2bde09f9c0a5d7140c9bc52c48db941951fff7be9a8b71de43f58f8bee6188d
Instruction ID: 19d7db263839333eeb229c06171a97775e57494547dec6a4f4377c1662798597
Opcode Fuzzy Hash: c2bde09f9c0a5d7140c9bc52c48db941951fff7be9a8b71de43f58f8bee6188d
Instruction Fuzzy Hash: 1B119431610207ABDB34AB68D81ABAD7BA5BF80710F10442FF542A63E1EE749A459B51

Function 00608402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00608440

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: c09155578f7dfa56d7fad9625e3e360b0eca477f4fa75aee55e5ea8f5bdb493d
Instruction ID: 656de7eb35e5410caee334f0307ce157b6df157dbaaed7a70f5c5f51c8d63dc6
Opcode Fuzzy Hash: c09155578f7dfa56d7fad9625e3e360b0eca477f4fa75aee55e5ea8f5bdb493d
Instruction Fuzzy Hash: 1211067590410AAFCB09DF58E9419DB7BF5EF48314F144099F808AB352DA31EA118BA5

Function 00605000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00604C7D: RtlAllocateHeap.NTDLL(00000008,005D1129,00000000,?,00602E29,00000001,00000364,?,?,?,005FF2DE,00603863,006A1444,?,005EFDF5,?), ref: 00604CBE

_free.LIBCMT ref: 0060506C

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: a22c3d20efab02afac13fee568ba4a89dce7c500d43d8873112c67219eb3724d
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: F0014E722447055BE3358F55D84599FFBEEFB85370F25091DE186832C0EA306805CB74

Function 005FE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: db8acdf5fabf5a04d63d32f32ac4a39ce2eed5119d7a5437955293a2927511a0
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 18F0F932510A1C9AC6353E65AC0AB7B3B99AF92330F100B19F621D71E2DF78980186A9

Function 00604C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,005D1129,00000000,?,00602E29,00000001,00000364,?,?,?,005FF2DE,00603863,006A1444,?,005EFDF5,?), ref: 00604CBE

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6a7b0931efb186a7febaad214bba5efb44fa32acf1e3b0a4d1c5afdf556a08f9
Instruction ID: 617a7ca275ac73957a99dff3d5920d621fc773557dd93191cffde9949225c3d6
Opcode Fuzzy Hash: 6a7b0931efb186a7febaad214bba5efb44fa32acf1e3b0a4d1c5afdf556a08f9
Instruction Fuzzy Hash: F7F0B47168222967FB395F629C09BAB3B8ABF817A0F144111FB19AA3C0CE71D80146E0

Function 00603820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,006A1444,?,005EFDF5,?,?,005DA976,00000010,006A1440,005D13FC,?,005D13C6,?,005D1129), ref: 00603852

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ddd0821339011aced2ff01467d1f160748247d4867104de23ddb7ea312bd46a2
Instruction ID: 11215f2f0da3461671b56e8887a1666e65cb721e5df1eb3c9bed38f9b6a6e99c
Opcode Fuzzy Hash: ddd0821339011aced2ff01467d1f160748247d4867104de23ddb7ea312bd46a2
Instruction Fuzzy Hash: 64E0E53118023956D7252A669C04BEB3B4FAF837B2F0580A0FD06967C0CB11EE0186E1

Function 005D4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,006A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 005D4F6D

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: f1c2d120c2740f7e1db4331e61d9671e6703485d7228b8e9a6a0fae1ef6123fe
Instruction ID: 48263dd34edf05ba385d231c6e79eb695b4eb1e5163b4567b7fb78d2e802c220
Opcode Fuzzy Hash: f1c2d120c2740f7e1db4331e61d9671e6703485d7228b8e9a6a0fae1ef6123fe
Instruction Fuzzy Hash: 16F01571105792CFDB349F68E494822BFE4BF143293208D6FE2EA82721CB319844DF10

Function 005D30F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 005D314E

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 6ce8ca35ea0c8822c5d7ced2628fea1ded56891be4614131547be37a0d049a4d
Instruction ID: 30bc078734cf44b81534311c1db1be9a209484ada515a678247caa4b9a37d4c4
Opcode Fuzzy Hash: 6ce8ca35ea0c8822c5d7ced2628fea1ded56891be4614131547be37a0d049a4d
Instruction Fuzzy Hash: BEF037709143589FEB52EF64DC497DA7BFCB702708F0010E5A68896291DBB45788CF51

Function 005D2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 005D2DC4

Part of subcall function 005D6B57: _wcslen.LIBCMT ref: 005D6B6A

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 0097ed18f5fcd5e0266c1842e1ce6ddd872bd63becee797940c0150c19aa85a6
Instruction ID: a13fe42d67ad340a61d46bbdca8a8325bb38b7ccd026340ea5e2178f09086dc6
Opcode Fuzzy Hash: 0097ed18f5fcd5e0266c1842e1ce6ddd872bd63becee797940c0150c19aa85a6
Instruction Fuzzy Hash: 6FE0CD726041245BC720A2589C05FEA77DDDFC8790F044076FD09D7248D960AD818590

Function 005D2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 005D3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 005D3908

Part of subcall function 005DD730: GetInputState.USER32 ref: 005DD807

SetCurrentDirectoryW.KERNEL32(?), ref: 005D2B6B

Part of subcall function 005D30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 005D314E

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 4cd4cf068ac82b64cb5887d9a3751055c81af1da2f13d569806279fa902f7667
Instruction ID: bcf4d0495b20ef5818f58a4ff2710d013c4cc48e0a38da36660a5d673553c680
Opcode Fuzzy Hash: 4cd4cf068ac82b64cb5887d9a3751055c81af1da2f13d569806279fa902f7667
Instruction Fuzzy Hash: B9E0262130020606C724BB3CA81A5BDAF9AFBE7351F00143FF04287362CE644A454723

Function 0061039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00610704,?,?,00000000,?,00610704,00000000,0000000C), ref: 006103B7

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e71153d4d028747fc7b47b461783ee3da38fdf25db6b64fa104a4b0db6e8b96e
Instruction ID: f0cb12b7a0ce7ada8c37dfe1dfb2e1a13e97d0723726b2afc167b080658274e3
Opcode Fuzzy Hash: e71153d4d028747fc7b47b461783ee3da38fdf25db6b64fa104a4b0db6e8b96e
Instruction Fuzzy Hash: E7D06C3204010DBBDF028F84DD06EDA3BAAFB48714F014000FE5856020C772E821AB90

Function 005D1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 005D1CBC

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: d631d20c3c72c86bd71cb0f2f1dc98c1b1c6c064bca413cb01e26037720b5b5a
Instruction ID: e2681cfdeab473b499b1418a13bc9f2afd693b29750693276b1f4a8788b2605b
Opcode Fuzzy Hash: d631d20c3c72c86bd71cb0f2f1dc98c1b1c6c064bca413cb01e26037720b5b5a
Instruction Fuzzy Hash: C0C09B352C03059FF7145B84BC5AF107756B349B10F045001F649595E3C3E13430DE50

Non-executed Functions

Function 00669576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 005E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 005E9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0066961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0066965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0066969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006696C9
SendMessageW.USER32 ref: 006696F2
GetKeyState.USER32(00000011), ref: 0066978B
GetKeyState.USER32(00000009), ref: 00669798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 006697AE
GetKeyState.USER32(00000010), ref: 006697B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006697E9
SendMessageW.USER32 ref: 00669810
SendMessageW.USER32(?,00001030,?,00667E95), ref: 00669918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0066992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00669941
SetCapture.USER32(?), ref: 0066994A
ClientToScreen.USER32(?,?), ref: 006699AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 006699BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006699D6
ReleaseCapture.USER32 ref: 006699E1
GetCursorPos.USER32(?), ref: 00669A19
ScreenToClient.USER32(?,?), ref: 00669A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00669A80
SendMessageW.USER32 ref: 00669AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00669AEB
SendMessageW.USER32 ref: 00669B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00669B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00669B4A
GetCursorPos.USER32(?), ref: 00669B68
ScreenToClient.USER32(?,?), ref: 00669B75
GetParent.USER32(?), ref: 00669B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00669BFA
SendMessageW.USER32 ref: 00669C2B
ClientToScreen.USER32(?,?), ref: 00669C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00669CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00669CDE
SendMessageW.USER32 ref: 00669D01
ClientToScreen.USER32(?,?), ref: 00669D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00669D82

Part of subcall function 005E9944: GetWindowLongW.USER32(?,000000EB), ref: 005E9952

GetWindowLongW.USER32(?,000000F0), ref: 00669E05

Strings

F, xrefs: 00669D07
@GUI_DRAGID, xrefs: 0066997D
p#j, xrefs: 00669990

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#j
API String ID: 3429851547-1181617611
Opcode ID: 19e942869c6cb140afbd5c03c2b694ffe63c86858c4295d3ae0502359f5c12b1
Instruction ID: 76b4e8e7a6f002470a5f916bf52aef33fcda7fc855f57752bac42c813ef11c91
Opcode Fuzzy Hash: 19e942869c6cb140afbd5c03c2b694ffe63c86858c4295d3ae0502359f5c12b1
Instruction Fuzzy Hash: 9D426E34204741AFEB24DF28CC44AAABBEAFF4A320F140619F995C73A1D771A855CF61

Function 00664873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 006648F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00664908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00664927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0066494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0066495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0066497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 006649AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 006649D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00664A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00664A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00664A7E
IsMenu.USER32(?), ref: 00664A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00664AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00664B20
GetWindowLongW.USER32(?,000000F0), ref: 00664B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00664BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00664C82
wsprintfW.USER32 ref: 00664CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00664CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00664CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00664D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00664D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00664D5A

Strings

%d/%02d/%02d, xrefs: 00664CA8

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: dc815e5df4e2dca1e17419ae8c1c950e3025243f34d3c2ebeb2128c6e7cb06bb
Instruction ID: 8ffb4ab2b65f4e1d8fdb338d676f01b2d88b69a95695aa6d28ca2dff27c112f0
Opcode Fuzzy Hash: dc815e5df4e2dca1e17419ae8c1c950e3025243f34d3c2ebeb2128c6e7cb06bb
Instruction Fuzzy Hash: 3B12FD71600245ABEB249F28DC49FBE7BBAEF85710F104129F516EB2E1DBB4A941CB50

Function 005EF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 005EF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0062F474
IsIconic.USER32(00000000), ref: 0062F47D
ShowWindow.USER32(00000000,00000009), ref: 0062F48A
SetForegroundWindow.USER32(00000000), ref: 0062F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0062F4AA
GetCurrentThreadId.KERNEL32 ref: 0062F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0062F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0062F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0062F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0062F4DE
SetForegroundWindow.USER32(00000000), ref: 0062F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0062F4F6
keybd_event.USER32(00000012,00000000), ref: 0062F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0062F50B
keybd_event.USER32(00000012,00000000), ref: 0062F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0062F519
keybd_event.USER32(00000012,00000000), ref: 0062F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0062F528
keybd_event.USER32(00000012,00000000), ref: 0062F52D
SetForegroundWindow.USER32(00000000), ref: 0062F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0062F557

Strings

Shell_TrayWnd, xrefs: 0062F46F

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: ba88ca4ca7f9d305f1c150a532290d59cb5263e47d953f2f708c0541d4e5e12c
Instruction ID: 48cb7cb53aa22b34cf43321034f127526fa64e73b3a7d9c0c6dfbcabb208da45
Opcode Fuzzy Hash: ba88ca4ca7f9d305f1c150a532290d59cb5263e47d953f2f708c0541d4e5e12c
Instruction Fuzzy Hash: 14316371A40668BBEB206BB59C4AFBF7E7EEB44B60F101026F641F61D1C6F15D10AE60

Function 00631201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 006316C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0063170D
Part of subcall function 006316C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0063173A
Part of subcall function 006316C3: GetLastError.KERNEL32 ref: 0063174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00631286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 006312A8
CloseHandle.KERNEL32(?), ref: 006312B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 006312D1
GetProcessWindowStation.USER32 ref: 006312EA
SetProcessWindowStation.USER32(00000000), ref: 006312F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00631310

Part of subcall function 006310BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,006311FC), ref: 006310D4
Part of subcall function 006310BF: CloseHandle.KERNEL32(?,?,006311FC), ref: 006310E9

Strings

winsta0, xrefs: 006312CC
, xrefs: 0063125A
default, xrefs: 0063130B
Zi, xrefs: 00631392

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Zi
API String ID: 22674027-3349466720
Opcode ID: 583690b776326b4e3acca39cad68a55bef50271565e3d40e64ad6ebf45e0ea59
Instruction ID: d37f1721c7a2863d25b9a3e7a4811d239b7ef1a575189f81662c8c0d09ca70ac
Opcode Fuzzy Hash: 583690b776326b4e3acca39cad68a55bef50271565e3d40e64ad6ebf45e0ea59
Instruction Fuzzy Hash: E8819A71900309AFDF219FA4DC49BFE7BBAEF05700F144129F911AA2A1CB758A44CBA4

Function 00630B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006310F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00631114
Part of subcall function 006310F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00630B9B,?,?,?), ref: 00631120
Part of subcall function 006310F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00630B9B,?,?,?), ref: 0063112F
Part of subcall function 006310F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00630B9B,?,?,?), ref: 00631136
Part of subcall function 006310F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0063114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00630BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00630C00
GetLengthSid.ADVAPI32(?), ref: 00630C17
GetAce.ADVAPI32(?,00000000,?), ref: 00630C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00630C6D
GetLengthSid.ADVAPI32(?), ref: 00630C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00630C8C
HeapAlloc.KERNEL32(00000000), ref: 00630C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00630CB4
CopySid.ADVAPI32(00000000), ref: 00630CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00630CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00630D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00630D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00630D45
HeapFree.KERNEL32(00000000), ref: 00630D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00630D55
HeapFree.KERNEL32(00000000), ref: 00630D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00630D65
HeapFree.KERNEL32(00000000), ref: 00630D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00630D78
HeapFree.KERNEL32(00000000), ref: 00630D7F

Part of subcall function 00631193: GetProcessHeap.KERNEL32(00000008,00630BB1,?,00000000,?,00630BB1,?), ref: 006311A1
Part of subcall function 00631193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00630BB1,?), ref: 006311A8
Part of subcall function 00631193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00630BB1,?), ref: 006311B7

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 12c83720e8e00fc83924e3d8111d8d25efcc1bd2163ddcbc84686daa92d2e278
Instruction ID: 3fe3ebe5700566fdbae06e2c2512b7f630f3432c1e2f1fa1433c65f8864b001d
Opcode Fuzzy Hash: 12c83720e8e00fc83924e3d8111d8d25efcc1bd2163ddcbc84686daa92d2e278
Instruction Fuzzy Hash: 9B715B7290020AABEF10DFA4DC44FEEBBBABF09310F144555E955A7291D7B1A909CBA0

Function 0064EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0066CC08), ref: 0064EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0064EB37
GetClipboardData.USER32(0000000D), ref: 0064EB43
CloseClipboard.USER32 ref: 0064EB4F
GlobalLock.KERNEL32(00000000), ref: 0064EB87
CloseClipboard.USER32 ref: 0064EB91
GlobalUnlock.KERNEL32(00000000), ref: 0064EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0064EBC9
GetClipboardData.USER32(00000001), ref: 0064EBD1
GlobalLock.KERNEL32(00000000), ref: 0064EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0064EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0064EC38
GetClipboardData.USER32(0000000F), ref: 0064EC44
GlobalLock.KERNEL32(00000000), ref: 0064EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0064EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0064EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0064ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0064ECF3
CountClipboardFormats.USER32 ref: 0064ED14
CloseClipboard.USER32 ref: 0064ED59

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 612d7e3d91fe67673ddf86a10d477c8e0087c8cd2d208a93f8a3228d8fe6d557
Instruction ID: 47bee5303fc66d92afb3edd68c3ed9271ee8b72b3d100fd33ca8d25e6e37c2d9
Opcode Fuzzy Hash: 612d7e3d91fe67673ddf86a10d477c8e0087c8cd2d208a93f8a3228d8fe6d557
Instruction Fuzzy Hash: 6561AD342042429FD310EF24D898F7A7BA6FF84714F14551AF896973A1DB72ED06CBA2

Function 0064698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 006469BE
FindClose.KERNEL32(00000000), ref: 00646A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00646A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00646A75

Part of subcall function 005D9CB3: _wcslen.LIBCMT ref: 005D9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00646AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00646ADF

Strings

%4d%02d%02d%02d%02d%02d%03d, xrefs: 00646B32
%03d, xrefs: 00646DA2
%4d, xrefs: 00646BB1
%4d%02d%02d%02d%02d%02d, xrefs: 00646B6A
%02d, xrefs: 00646C00, 00646C0A, 00646C5A, 00646CAA, 00646CFA, 00646D4A

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: b5cd32087490afa228f325bf244e04aa7b5d33f3a20e08cf15912bc177f3df6f
Instruction ID: 0c9f2d783f297dcfc4ed10a529389818868d0b9cad60c54918f3eba5ea83bfe6
Opcode Fuzzy Hash: b5cd32087490afa228f325bf244e04aa7b5d33f3a20e08cf15912bc177f3df6f
Instruction Fuzzy Hash: 9BD16F72508341AFC314EBA4C895EABBBECBFC8704F44491EF585C6291EB74DA44CB62

Function 00649642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00649663
GetFileAttributesW.KERNEL32(?), ref: 006496A1
SetFileAttributesW.KERNEL32(?,?), ref: 006496BB
FindNextFileW.KERNEL32(00000000,?), ref: 006496D3
FindClose.KERNEL32(00000000), ref: 006496DE
FindFirstFileW.KERNEL32(*.*,?), ref: 006496FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0064974A
SetCurrentDirectoryW.KERNEL32(00696B7C), ref: 00649768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00649772
FindClose.KERNEL32(00000000), ref: 0064977F
FindClose.KERNEL32(00000000), ref: 0064978F

Strings

*.*, xrefs: 006496F5

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: dc8211706c0f2e05ba1743838eaa4f09f44c177b6a9fa423632edcf6bbbaa5de
Instruction ID: dccbf2f0e899cc2ed822244c73b5075354a267c00b0f4b2cd265f9505616490e
Opcode Fuzzy Hash: dc8211706c0f2e05ba1743838eaa4f09f44c177b6a9fa423632edcf6bbbaa5de
Instruction Fuzzy Hash: 2D31D3326806196EDF14EFB4DC18AEF77AEAF49320F104156F955E2290EB74DE40CB64

Function 0064979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 006497BE
FindNextFileW.KERNEL32(00000000,?), ref: 00649819
FindClose.KERNEL32(00000000), ref: 00649824
FindFirstFileW.KERNEL32(*.*,?), ref: 00649840
SetCurrentDirectoryW.KERNEL32(?), ref: 00649890
SetCurrentDirectoryW.KERNEL32(00696B7C), ref: 006498AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 006498B8
FindClose.KERNEL32(00000000), ref: 006498C5
FindClose.KERNEL32(00000000), ref: 006498D5

Part of subcall function 0063DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0063DB00

Strings

*.*, xrefs: 0064983B

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 22c73ee327c5ee2ad7168a4e2eddc31f9571e0d65127d95204d4677e439c84fe
Instruction ID: b7be0c1296b64d8192ab9bbf70c157fafca593fcc87e30e5fcdbb9db4f77425d
Opcode Fuzzy Hash: 22c73ee327c5ee2ad7168a4e2eddc31f9571e0d65127d95204d4677e439c84fe
Instruction Fuzzy Hash: A831D4315806196EDF10EFB8EC48AEF77AEAF46330F104556F950A2290EB70DA45CB74

Function 0065BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0065C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0065B6AE,?,?), ref: 0065C9B5
Part of subcall function 0065C998: _wcslen.LIBCMT ref: 0065C9F1
Part of subcall function 0065C998: _wcslen.LIBCMT ref: 0065CA68
Part of subcall function 0065C998: _wcslen.LIBCMT ref: 0065CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0065BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0065BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0065BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0065C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0065C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0065C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0065C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0065C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0065C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0065C382
RegCloseKey.ADVAPI32(00000000), ref: 0065C38F

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 27910c49cbd6fcfe280a23b7b1730b4ec943e8d6e75bca54052f42bdf28ec70d
Instruction ID: 845ab53df638dc33b2830f15c8da19e818ebe681e8e63f94589daf3e982720d4
Opcode Fuzzy Hash: 27910c49cbd6fcfe280a23b7b1730b4ec943e8d6e75bca54052f42bdf28ec70d
Instruction Fuzzy Hash: 1F024C716042019FC714DF28C895E6ABBE5BF89314F18849DF84ADB3A2D731ED46CB51

Function 00648195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00648257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00648267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00648273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00648310
SetCurrentDirectoryW.KERNEL32(?), ref: 00648324
SetCurrentDirectoryW.KERNEL32(?), ref: 00648356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0064838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00648395

Strings

*.*, xrefs: 0064839B

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 38fddf497338e15e997010a79fc11a1026a8431e60239df5e1a46fee31714846
Instruction ID: f55c88f2284332787ba9a84c11da9900f8cda15ffcbbe8bc0255b65302287a36
Opcode Fuzzy Hash: 38fddf497338e15e997010a79fc11a1026a8431e60239df5e1a46fee31714846
Instruction Fuzzy Hash: A56158725043069FCB10EF64C8449AFB7EAFF89310F04891EF98997251EB31EA45CB92

Function 0063D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 005D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,005D3A97,?,?,005D2E7F,?,?,?,00000000), ref: 005D3AC2

Part of subcall function 0063E199: GetFileAttributesW.KERNEL32(?,0063CF95), ref: 0063E19A

FindFirstFileW.KERNEL32(?,?), ref: 0063D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0063D1DD
MoveFileW.KERNEL32(?,?), ref: 0063D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0063D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0063D237

Part of subcall function 0063D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0063D21C,?,?), ref: 0063D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0063D253
FindClose.KERNEL32(00000000), ref: 0063D264

Strings

\*.*, xrefs: 0063D0CD, 0063D0D6, 0063D0EB

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: fd4480822f20ee48340f429150ace7bda4feede734b275448957b30f30eb020f
Instruction ID: 2a561cbd6c815ab87db4251965b4054bc5672936f2c42b456f0e7220d24929b1
Opcode Fuzzy Hash: fd4480822f20ee48340f429150ace7bda4feede734b275448957b30f30eb020f
Instruction Fuzzy Hash: 2861803190110E9BCF15EBE4E9569EEBB7ABF95300F244066E40173291EB315F09DBA1

Function 0064ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0064ED91
EmptyClipboard.USER32 ref: 0064ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0064EDAC
CloseClipboard.USER32 ref: 0064EEA3

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: efd56f7fb2e3db2d71a19d7dd3897c34e225da99b52342f82d85e42cb7284985
Instruction ID: 07f29886a190ce82b9a029f3f036c314497761e1415cc60c82052bd774da4844
Opcode Fuzzy Hash: efd56f7fb2e3db2d71a19d7dd3897c34e225da99b52342f82d85e42cb7284985
Instruction Fuzzy Hash: D741CE35604652AFD720DF15D888B69BBE6FF44328F14C09AE455CB762C776EC42CB90

Function 0063E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 006316C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0063170D
Part of subcall function 006316C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0063173A
Part of subcall function 006316C3: GetLastError.KERNEL32 ref: 0063174A

ExitWindowsEx.USER32(?,00000000), ref: 0063E932

Strings

, xrefs: 0063E95C
SeShutdownPrivilege, xrefs: 0063E902
@, xrefs: 0063E925
, xrefs: 0063E920

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: b907bfe8b454cf97a7faed6e6471bfa248dfa3b607d7e358968d7257253ae526
Instruction ID: d75076d318b3fbd88b8c801e9b9378b735074f14f44e07e014bb5a1d0aeb4ed0
Opcode Fuzzy Hash: b907bfe8b454cf97a7faed6e6471bfa248dfa3b607d7e358968d7257253ae526
Instruction Fuzzy Hash: 8E01F972610211AFEB5426B49C86FFF725E9714761F154426FD03F21D1D6A25C4083F4

Function 00651204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00651276
WSAGetLastError.WSOCK32 ref: 00651283
bind.WSOCK32(00000000,?,00000010), ref: 006512BA
WSAGetLastError.WSOCK32 ref: 006512C5
closesocket.WSOCK32(00000000), ref: 006512F4
listen.WSOCK32(00000000,00000005), ref: 00651303
WSAGetLastError.WSOCK32 ref: 0065130D
closesocket.WSOCK32(00000000), ref: 0065133C

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: adafe00be47bbda7f7ae499d4a52ecd00af805c64226e467f119ca4523aa52d5
Instruction ID: 2717898f450db9a16b96adfb5d17e82d766ec30a55c5a71f31c4554790dd634b
Opcode Fuzzy Hash: adafe00be47bbda7f7ae499d4a52ecd00af805c64226e467f119ca4523aa52d5
Instruction Fuzzy Hash: 5241A2316001019FD720DF28C498B69BBE6BF86329F18818DD8568F392C771ED86CBE1

Function 0063D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 005D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,005D3A97,?,?,005D2E7F,?,?,?,00000000), ref: 005D3AC2

Part of subcall function 0063E199: GetFileAttributesW.KERNEL32(?,0063CF95), ref: 0063E19A

FindFirstFileW.KERNEL32(?,?), ref: 0063D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0063D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0063D481
FindClose.KERNEL32(00000000), ref: 0063D498
FindClose.KERNEL32(00000000), ref: 0063D4A1

Strings

\*.*, xrefs: 0063D3F2

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: c73b8c63e0565f722b0e565d6246be28835cb24dad4ab3d1542e4142f3275b47
Instruction ID: 327a77b33d7112b9130b8b8b40944b96136f81b1d59305ead39fb2201c10f6c4
Opcode Fuzzy Hash: c73b8c63e0565f722b0e565d6246be28835cb24dad4ab3d1542e4142f3275b47
Instruction Fuzzy Hash: B93152710083459BC315EF64D8558AF7BE9BED1314F44491FF4D193291EB30AA09D7A3

Function 0060E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0060E645

Strings

1#SNAN, xrefs: 0060F844
1#IND, xrefs: 0060F83D
1#INF, xrefs: 0060F852
1#QNAN, xrefs: 0060F84B

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 184f87ea2842a0f540750ba96c2fbdf345601e3b7664349357f94cc3f71cca41
Instruction ID: dd4d93f26be35c409a7a956e2b8f994f18382fd835de9266b633c583fdfce65d
Opcode Fuzzy Hash: 184f87ea2842a0f540750ba96c2fbdf345601e3b7664349357f94cc3f71cca41
Instruction Fuzzy Hash: 66C23A71E446298FDB39CF289D407EAB7B6EB44304F1445EAD44EE7281E779AE818F40

Function 0064648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 006464DC
CoInitialize.OLE32(00000000), ref: 00646639
CoCreateInstance.OLE32(0066FCF8,00000000,00000001,0066FB68,?), ref: 00646650
CoUninitialize.OLE32 ref: 006468D4

Strings

.lnk, xrefs: 006464BA, 00646524, 006465E0

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: efd5d40ba9611728f23bf19a9b6ca0d603bad0d1ac524f0f0329f501040c130a
Instruction ID: c9f8540c17f03ac503a36d68ee2d46cb817ba09ba7b46cc8f2a8c32a85409b77
Opcode Fuzzy Hash: efd5d40ba9611728f23bf19a9b6ca0d603bad0d1ac524f0f0329f501040c130a
Instruction Fuzzy Hash: 62D13A715082029FC314DF28C8859ABBBE9FFD9704F40496EF5958B2A1EB71ED05CB92

Function 006522DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 006522E8

Part of subcall function 0064E4EC: GetWindowRect.USER32(?,?), ref: 0064E504

GetDesktopWindow.USER32 ref: 00652312
GetWindowRect.USER32(00000000), ref: 00652319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00652355
GetCursorPos.USER32(?), ref: 00652381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 006523DF

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 3da2a8c3d5cce6481f92b5ba6b232c1c3c26cf3e9be5ef0eea858efe30a0c4f4
Instruction ID: a702c37791fdc16a9fd16d9ff2c0f27bfb36fbc001b04158e9d1df689c2a77f5
Opcode Fuzzy Hash: 3da2a8c3d5cce6481f92b5ba6b232c1c3c26cf3e9be5ef0eea858efe30a0c4f4
Instruction Fuzzy Hash: 4831CF72504716ABC720DF54CC45BABBBAAFF85314F00091DF98597291DB75EA08CB92

Function 00649B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 005D9CB3: _wcslen.LIBCMT ref: 005D9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00649B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00649C8B

Part of subcall function 00643874: GetInputState.USER32 ref: 006438CB
Part of subcall function 00643874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00643966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00649BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00649C75

Strings

*.*, xrefs: 00649B5D

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: da230f8ff5f2d504ab973647a6f4812f1f25cce61384a3ffdc32bd27a2cd0acd
Instruction ID: ea2b32c24ad05f8f08545efe4f9f5af9f8b896d11e157c1db5fe49d5410c4ce4
Opcode Fuzzy Hash: da230f8ff5f2d504ab973647a6f4812f1f25cce61384a3ffdc32bd27a2cd0acd
Instruction Fuzzy Hash: C641817198060A9FCF14DF64C989AEFBBBAFF45310F244156F805A2291EB309E44CF61

Function 005E997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 005E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 005E9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 005E9A4E
GetSysColor.USER32(0000000F), ref: 005E9B23
SetBkColor.GDI32(?,00000000), ref: 005E9B36

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: fed453fd958ca4e90b44c1a4bdff3972076b7aaf30e9a57d3be5852134e9b186
Instruction ID: f64f9067f9a3e9f0ce982d03fccfa0910c421cb24ecab851fb2dc03c97c8087a
Opcode Fuzzy Hash: fed453fd958ca4e90b44c1a4bdff3972076b7aaf30e9a57d3be5852134e9b186
Instruction Fuzzy Hash: F8A12BB01089A4BEE72CAA3E9C58DBB2E5FFF83344F140519F482DA691CA259D01D676

Function 00651806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0065304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0065307A
Part of subcall function 0065304E: _wcslen.LIBCMT ref: 0065309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0065185D
WSAGetLastError.WSOCK32 ref: 00651884
bind.WSOCK32(00000000,?,00000010), ref: 006518DB
WSAGetLastError.WSOCK32 ref: 006518E6
closesocket.WSOCK32(00000000), ref: 00651915

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: b949e7ab7dac1f76446d7a530b82df59d8061833ef1082e7d50919c276c91992
Instruction ID: 21f34ace4f3a658d0e3a636ee958fdd72c4dbd7409415ad90513daf6d591e0fe
Opcode Fuzzy Hash: b949e7ab7dac1f76446d7a530b82df59d8061833ef1082e7d50919c276c91992
Instruction Fuzzy Hash: FF51C575A002119FDB20EF28C88AF6A7BE6AB85718F04845DF9459F3C3D771AD41CBA1

Function 00661C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00661CC0
IsWindowEnabled.USER32 ref: 00661CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00661CDB
IsIconic.USER32 ref: 00661CE9
IsZoomed.USER32 ref: 00661CF7

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 71be9c14f04c42888e4ad14088656b102e015e9d71d292bdb07fd74a6397b5d2
Instruction ID: b6132443f79adac1692d9714746055467995ced7413c5f87e13fabc4fa95baf2
Opcode Fuzzy Hash: 71be9c14f04c42888e4ad14088656b102e015e9d71d292bdb07fd74a6397b5d2
Instruction Fuzzy Hash: E421D3317406015FD7208F1AC854BAA7BE6FF96324B1C8059E846CF351CBB5EC42CB94

Function 005D8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 005D83FA
ERCP, xrefs: 005D813C
VUUU, xrefs: 005D83E8
VUUU, xrefs: 00615DF0
VUUU, xrefs: 005D843C

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 1efed9ddb98e1abf2765d94ca5c327f1ca9616483012b52709e8c64693c01d31
Instruction ID: 3cc5ca700f83020143112caf83927ab2af2ec70c68af4c3dca0d1679d7edfe30
Opcode Fuzzy Hash: 1efed9ddb98e1abf2765d94ca5c327f1ca9616483012b52709e8c64693c01d31
Instruction Fuzzy Hash: 0AA22975A0061ACBDF34CF58C9407FDBBB2BB54314F2885AAE816A7385DB749D81CB90

Function 00638298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 006382AA

Strings

|, xrefs: 006382DA
(, xrefs: 006382F0
tbi, xrefs: 006384F4

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tbi$|
API String ID: 1659193697-2401483324
Opcode ID: f6d442c43de07168d2d7c992e731a3167663acbddd2e1e283bea22197651fc88
Instruction ID: e5778b384e7e027709ef94649779526286ca14f0b1163671bf64a7d50dd4ad00
Opcode Fuzzy Hash: f6d442c43de07168d2d7c992e731a3167663acbddd2e1e283bea22197651fc88
Instruction Fuzzy Hash: 4A323574A007059FDB28CF59C481AAAB7F1FF48710B15846EE49ADB3A1EB70E941CB80

Function 0063AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0063AAAC
SetKeyboardState.USER32(00000080), ref: 0063AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0063AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0063AB88

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: f2c9d336b03205eee80c990fbfff03f7ee9930bafd57aa9a80233c3bbda2663b
Instruction ID: 6a88208de72fa8cf99593a60e0bfbae3fbe77cd3b97fb5c4e64eee4b62037a7b
Opcode Fuzzy Hash: f2c9d336b03205eee80c990fbfff03f7ee9930bafd57aa9a80233c3bbda2663b
Instruction Fuzzy Hash: BB31FA31A40648AFFB35CBA5CC05BFAB7A7AB44320F04421AF5C2962D1D3758981E7E6

Function 0060BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0060BB7F

Part of subcall function 006029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0060D7D1,00000000,00000000,00000000,00000000,?,0060D7F8,00000000,00000007,00000000,?,0060DBF5,00000000), ref: 006029DE
Part of subcall function 006029C8: GetLastError.KERNEL32(00000000,?,0060D7D1,00000000,00000000,00000000,00000000,?,0060D7F8,00000000,00000007,00000000,?,0060DBF5,00000000,00000000), ref: 006029F0

GetTimeZoneInformation.KERNEL32 ref: 0060BB91
WideCharToMultiByte.KERNEL32(00000000,?,006A121C,000000FF,?,0000003F,?,?), ref: 0060BC09
WideCharToMultiByte.KERNEL32(00000000,?,006A1270,000000FF,?,0000003F,?,?,?,006A121C,000000FF,?,0000003F,?,?), ref: 0060BC36

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 3bbcd9d6a9554ed9581ebfd2af9827523c594792df6e7735d013256df76ccb8a
Instruction ID: 2379a5e2f962a26752fe67b3d120c933e1e6ac3fc63526b9bc951ac2f0eed344
Opcode Fuzzy Hash: 3bbcd9d6a9554ed9581ebfd2af9827523c594792df6e7735d013256df76ccb8a
Instruction Fuzzy Hash: 6931C470944245DFCB18EF69CC4056ABBBAFF47350B14A65EE050DB2E1D731AE81CB50

Function 0064CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0064CE89
GetLastError.KERNEL32(?,00000000), ref: 0064CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0064CEFE

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: c0e622917976033226a016cfbd8f63eee7f28c52005742517f310c0562a6a0be
Instruction ID: cc50354eb3f34d0db98edb15956a35b4b52ad4b951387d12fe3c4c8ebace0e45
Opcode Fuzzy Hash: c0e622917976033226a016cfbd8f63eee7f28c52005742517f310c0562a6a0be
Instruction Fuzzy Hash: BE21BDB15017059BDB60DFA5C948BA67BFEEF40324F10442EE646E2351E774EE099B60

Function 00645C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00645CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00645D17
FindClose.KERNEL32(?), ref: 00645D5F

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 41aad41e7d20df506189d2028901367aa1bb0bb931073e81923a4ae2b4566145
Instruction ID: f11d0ad88dceaf132bb082715283a932b5ff01b84e030436cd2ee4167578f193
Opcode Fuzzy Hash: 41aad41e7d20df506189d2028901367aa1bb0bb931073e81923a4ae2b4566145
Instruction Fuzzy Hash: E3518E74A04A029FC714DF28C498E96BBE5FF49314F14855EE99A8B3A2DB30ED05CF91

Function 00602622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0060271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00602724
UnhandledExceptionFilter.KERNEL32(?), ref: 00602731

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: b2ef9f1306a3456d01160740bcdf5795580cef949363bffe58dbba6342937c69
Instruction ID: 9e5238334b0a16dbe3597e1698b8dd563a2980394f6a5dc24e94043c5d8aa574
Opcode Fuzzy Hash: b2ef9f1306a3456d01160740bcdf5795580cef949363bffe58dbba6342937c69
Instruction Fuzzy Hash: 1531C27495121DABCB21DF68DC887DDBBB8BF08310F5051EAE90CA62A1E7749F818F44

Function 006451CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 006451DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00645238
SetErrorMode.KERNEL32(00000000), ref: 006452A1

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 6d775be69e06ed781dfdcf92faa94e5d844293df8083700a12a47bcbdd17dc99
Instruction ID: d40e685cc594e1f2f442e1212d840758fcbccd88e674258a9debc3abf8d0eff7
Opcode Fuzzy Hash: 6d775be69e06ed781dfdcf92faa94e5d844293df8083700a12a47bcbdd17dc99
Instruction Fuzzy Hash: 58318E35A00509DFDB00DF94D888EEEBBB5FF49314F04809AE805AB362DB71E946CB90

Function 006316C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 005EFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 005F0668
Part of subcall function 005EFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 005F0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0063170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0063173A
GetLastError.KERNEL32 ref: 0063174A

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: b020a52b87c56da459b0c20a61675d06b7ccc559fe25ec7cd6e0fbcea8eb3d5b
Instruction ID: e8813f01b020372cc7269d62edc1fb9b1b25b71b0f9ec4ad409da34c8ec9a288
Opcode Fuzzy Hash: b020a52b87c56da459b0c20a61675d06b7ccc559fe25ec7cd6e0fbcea8eb3d5b
Instruction Fuzzy Hash: 401101B2400305AFD718AF54DC86D6ABBBEFB44724B20852EE09657241EB71BC428B60

Function 0063D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0063D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0063D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0063D650

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: ec594526c1ebd9c2cd55cff72b22cba9afb376c3494828a6ede60a64e923e118
Instruction ID: bfb1058dfbcc41cf67b33e3dc45aef709c82aca9984a76b4cb178ffef800f105
Opcode Fuzzy Hash: ec594526c1ebd9c2cd55cff72b22cba9afb376c3494828a6ede60a64e923e118
Instruction Fuzzy Hash: F9118E71E01228BFDB108F95EC45FAFBBBDEB45B60F108111F914E7290C2B04A058BE1

Function 00631663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0063168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 006316A1
FreeSid.ADVAPI32(?), ref: 006316B1

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 775d9fee2cba085700ca3170a6ae20b78c9fe8a7ec6893055ee83948f864496c
Instruction ID: f78794315706a720195d8221aa50a546c4eb8552dc1969ea664b4f75e8e55ae7
Opcode Fuzzy Hash: 775d9fee2cba085700ca3170a6ae20b78c9fe8a7ec6893055ee83948f864496c
Instruction Fuzzy Hash: 9EF04471950308FBDB00DFE08D89AAEBBBDEB08210F404461E500E2180E371AA448A50

Function 0062D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0062D28C

Strings

X64, xrefs: 0062D2A8

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 2511d5900937850c63cdeafb1195f71bb790dde58d1fde1483e8f6685ab8bcb3
Instruction ID: 31980044207c3fe015b4d41216db1af7986c6df3fb8431253b0685f4b33daa0a
Opcode Fuzzy Hash: 2511d5900937850c63cdeafb1195f71bb790dde58d1fde1483e8f6685ab8bcb3
Instruction Fuzzy Hash: F1D0C9B480112DEACB94CB90EC88DD9B77CBB04305F100551F546A2000D77096499F20

Function 005FCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: c780b381e4f31203c5ebb0e0dc1bb99ec0f4d83a9c73f71577bbc796b9a212e4
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: E3021B71E0021D9BDF14CFA9C9806ADFFB5FF88314F258169DA19EB280D735AE418B94

Function 005DCAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#j, xrefs: 005DCF7F
Variable is not of type 'Object'., xrefs: 00620C40

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#j
API String ID: 0-4239671147
Opcode ID: 0fc63aac09e930bc6a50942e6314c5193e2c8148593708ae9bb9be3da0b20bf1
Instruction ID: 8564d49e6ce35bef352b969c54ba14f26b972aae543ea12bb40dce182962e192
Opcode Fuzzy Hash: 0fc63aac09e930bc6a50942e6314c5193e2c8148593708ae9bb9be3da0b20bf1
Instruction Fuzzy Hash: B932797090021ADBDF24DF98D885AEDBFBABF45304F20445BE806AB392D771AE45CB50

Function 006468EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00646918
FindClose.KERNEL32(00000000), ref: 00646961

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 962ef87779eb21485bb727c5b02218adc2e2facf0059de73386044f4fc3ff197
Instruction ID: 61dac7ddda4e1b999abf05914a0262b58cd8a9d077de0551fa500947fd4706a4
Opcode Fuzzy Hash: 962ef87779eb21485bb727c5b02218adc2e2facf0059de73386044f4fc3ff197
Instruction Fuzzy Hash: D11181316046029FC710DF29D488A16BBE5FF85328F14C69AF8698F3A2C770EC05CB91

Function 006437B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00654891,?,?,00000035,?), ref: 006437E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00654891,?,?,00000035,?), ref: 006437F4

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 4362b6721db69c32c746b2bfb07d2af289ba5d096d968c371565a3b8def3d886
Instruction ID: d60953d4577c22f9c23ac8190291c393fcf23648551086621f99351f8795615a
Opcode Fuzzy Hash: 4362b6721db69c32c746b2bfb07d2af289ba5d096d968c371565a3b8def3d886
Instruction Fuzzy Hash: 79F0E5B06053292AE76017668C4DFEB3BAFEFC5771F000176F509E2391D9A09D44C6B0

Function 0063B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0063B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0063B270

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 39af49eae1e40752fb47a75840a69db69b776a6776822b989091de32038b9f8c
Instruction ID: c282564cb5c41baf159757b129a7e2d5d717636d1442ac5b192574ace8a5074d
Opcode Fuzzy Hash: 39af49eae1e40752fb47a75840a69db69b776a6776822b989091de32038b9f8c
Instruction Fuzzy Hash: 3FF01D7180428DAFDB059FA1C806BFE7FB5FF04319F00900AF965A5192C7B986119F94

Function 006310BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,006311FC), ref: 006310D4
CloseHandle.KERNEL32(?,?,006311FC), ref: 006310E9

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: dae807fbd95f80dfd7d6cf1558f625d67c4f00e790b19b84a2d7bba40c90a529
Instruction ID: 571ba2900bff373453afb540ff48bd0447739c9b1543fccaad606cd75cc46cd0
Opcode Fuzzy Hash: dae807fbd95f80dfd7d6cf1558f625d67c4f00e790b19b84a2d7bba40c90a529
Instruction Fuzzy Hash: 84E0BF72018B51AEE7292B52FC09E777BAAFB04320F14882DF5E5945B1DFA26C90DB50

Function 0060676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00606766,?,?,00000008,?,?,0060FEFE,00000000), ref: 00606998

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 85279312e81c48399f84a229b35ed85cad447e4bd14eb2dfca38af1283d1626e
Instruction ID: 7a5262b508783b022761ab5ef6bd7159f3cb7c6d29f575e92bab4032a7315dde
Opcode Fuzzy Hash: 85279312e81c48399f84a229b35ed85cad447e4bd14eb2dfca38af1283d1626e
Instruction Fuzzy Hash: 11B129316506099FD719CF28C486BA67BE1FF45364F258658F89ACF2E2C335D9A2CB40

Function 005EB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0062851F

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 67749d56aecad032e4f476fc0d7d0d1149f9698a8c01490ad2a8489bf4d8d4b5
Instruction ID: a85382a1917704715c1082ec2614b31fe95973b89fd2606cf8a5472f4a76a7af
Opcode Fuzzy Hash: 67749d56aecad032e4f476fc0d7d0d1149f9698a8c01490ad2a8489bf4d8d4b5
Instruction Fuzzy Hash: 4F125E719006299FDB24CF59D8816EEBBF6FF48710F14819AE849EB255DB309A81CF90

Function 0064EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0064EABD

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: fbcc636023143a873db82b1ab47e5c08efc9342caa59f2ab84ad9c20eb1aaf65
Instruction ID: acccbee8eca8d3535111428c6fa9d1781d46c10b9646adabb973bb468408a778
Opcode Fuzzy Hash: fbcc636023143a873db82b1ab47e5c08efc9342caa59f2ab84ad9c20eb1aaf65
Instruction Fuzzy Hash: D9E01A312002069FD710EF59D808E9ABBEABF98760F008417FD49C7361DAB1A8818B90

Function 005F09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,005F03EE), ref: 005F09DA

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: d6955ec0680f0fd3677ce5c07954ea7b5d67f7f9adb862c973ec09b65056ab42
Instruction ID: 1fab38850890e1b825f29d37527bda69b4ebf1d16e3d390e49ee3c15f5c493e9
Opcode Fuzzy Hash: d6955ec0680f0fd3677ce5c07954ea7b5d67f7f9adb862c973ec09b65056ab42
Instruction Fuzzy Hash:

Function 005F781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 005F798B

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 54f7bf1038b08fdd843f2552fbf850acbbce60e2de636bffcc7580b29332c827
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 9351697160C60E5BDB3849688A5D7BE2FD5BB5E380F180D09DB82D7282C65DDE02D356

Function 00642046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&j, xrefs: 00642053

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID:
String ID: 0&j
API String ID: 0-3046324192
Opcode ID: 51d58fb6f4e0881ade1294c11760271812e772bfbf3461a3264e8f16e73e23f0
Instruction ID: b6105c1a70f90f2cffb5c1e1111e5df04daa01b0726f8209555f404634cd9852
Opcode Fuzzy Hash: 51d58fb6f4e0881ade1294c11760271812e772bfbf3461a3264e8f16e73e23f0
Instruction Fuzzy Hash: 8E21EB322615128BD728CF79C82367E73E6B755310F24862EE4A7C37D0DE35A904CB40

Function 00606DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d8610d82c99d2137bfbb0356a1a031c5647af10c8006e8e9e4938d6939a1e00
Instruction ID: 8cc027099975a87351a6d1be30d45ca88d76d9f005288b39042983cdb9aacea9
Opcode Fuzzy Hash: 6d8610d82c99d2137bfbb0356a1a031c5647af10c8006e8e9e4938d6939a1e00
Instruction Fuzzy Hash: EB321421D69F014DD72B9634DC32336A28AAFB73C5F15D737E81AB5AA5EB29D4C34100

Function 005ECC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72a2e80cfbce78458ca15bfd8e9ea36858db00cfbb02041947117ec32c154eec
Instruction ID: e0aa97e4acc5c7f6c9a99b586ea47b7e22e3c49dd4dcc9de57509e4a432cd610
Opcode Fuzzy Hash: 72a2e80cfbce78458ca15bfd8e9ea36858db00cfbb02041947117ec32c154eec
Instruction Fuzzy Hash: E832E531A009A58ACF28CB29E494ABD7FA3FF45320F288566E49D97791D234DD82DF41

Function 005D7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e63d02504e3515653010ece8d8320ca005b259269ae318ab30d9bbbdc23a5f67
Instruction ID: 710a80eafa37ee04f2547c7ccffefc40310b0c3a8b874507ab416b1737713ab9
Opcode Fuzzy Hash: e63d02504e3515653010ece8d8320ca005b259269ae318ab30d9bbbdc23a5f67
Instruction Fuzzy Hash: 3C228070A0060ADFDF14CF68D845AEEFBB6FF88300F14452AE816A7391EB35A951CB50

Function 005D91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4297974e670c0e229fc05a2271356ded1786aceb4edafac38779cdb58c3cde42
Instruction ID: 9747e1c9d7bda27390bb6300f40dbb9ca481fd92583b308e034a2245c87a1469
Opcode Fuzzy Hash: 4297974e670c0e229fc05a2271356ded1786aceb4edafac38779cdb58c3cde42
Instruction Fuzzy Hash: 2702D8B0E00206EBDB14DF54D945AEDBBB6FF44300F148566E8169B391EB31EE51CB91

Function 00609EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e1f9f94563a669b9dc7288105aacd4bc911d53a35380fff5fbc330be0afc0c8
Instruction ID: fcbac246e96ba8fbb41f4eb949590502a172e341e709887e40740642762d036b
Opcode Fuzzy Hash: 4e1f9f94563a669b9dc7288105aacd4bc911d53a35380fff5fbc330be0afc0c8
Instruction Fuzzy Hash: 4DB1F220D2AF914DC72796398831336B64DAFBB2D5F91E31BFC1A74E62EB2285C35141

Function 005F1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 21cf7690d62cad0de4207c3919d9bab61739a63f4dc0e641bc9c9b3172308d8d
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 179188721084A78ADB29463E857403EFFF17A923A131A079DD5F2CB1C5FE18C958D724

Function 005F1F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: d00d0c8692db4da21bca3521db705603744f40b34ed00ce9211f6650576157ec
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: EC91BAB32094A74DDB2D423A857843EFFE16A923A170A079DD5F2CB1C5EE2CC554E624

Function 005F19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: dca3b08cabe3b01ab3f0cfa2c437268f3f928d391c4447abea178361777c3da2
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 1A9175722098E7CADB2D427A857403EFFE16A923A231A079ED5F2CB1C1FD18C554D764

Function 005F7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 369e6e5906e5ce1d2e51b97e7247195e2406800f48341ec2fa4970a52317a1a2
Instruction ID: 2450e25cd9aa24393c400a21348b6295668fd7f63677cb281ddac81174053747
Opcode Fuzzy Hash: 369e6e5906e5ce1d2e51b97e7247195e2406800f48341ec2fa4970a52317a1a2
Instruction Fuzzy Hash: C3616B31208B0E96EE34592C8D99BBE2F95FF8E700F140D1AEB82DB281E55D9E42C315

Function 005F7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f6d16b5512afdf1227c5e5e0da2d4d25a47887b4495edafc02965569850ecba
Instruction ID: f1be9f43ca97d9d28ac9e8a403bd0134ae9b3be98e0ace0754d23d6ff3343be4
Opcode Fuzzy Hash: 9f6d16b5512afdf1227c5e5e0da2d4d25a47887b4495edafc02965569850ecba
Instruction Fuzzy Hash: 1261793160870E56DE385A385859BBF2F8DFF8E704F900D5AEB42CB281DA5E9D42C355

Function 005F1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: d9b8ea5837d42aba4a7aa51f8825aa9371c9e360fff8024c84be7b4f98b3baba
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 458197326094E789DB2D423A863403EFFE17A923A131A079DD5F6CB1C1EE28D554E764

Function 00652ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00652B30
DeleteObject.GDI32(00000000), ref: 00652B43
DestroyWindow.USER32 ref: 00652B52
GetDesktopWindow.USER32 ref: 00652B6D
GetWindowRect.USER32(00000000), ref: 00652B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00652CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00652CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00652CF8
GetClientRect.USER32(00000000,?), ref: 00652D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00652D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00652D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00652D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00652D80
GlobalLock.KERNEL32(00000000), ref: 00652D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00652D98
GlobalUnlock.KERNEL32(00000000), ref: 00652DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00652DA8
GlobalFree.KERNEL32(00000000), ref: 00652DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00652DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0066FC38,00000000), ref: 00652DDB
GlobalFree.KERNEL32(00000000), ref: 00652DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00652E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00652E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00652E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0065303F

Strings

, xrefs: 00652FC5
DISPLAY, xrefs: 00652EA2
AutoIt v3, xrefs: 00652CF2
static, xrefs: 00652D3A, 00652E91

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: ed0333a1fcfbf10a53bc5d550a2a22369bb2ef59f6ceca794d4489b56e2b3574
Instruction ID: 19246a39b63f456e29b1fe2bd67873f75fa6f8b646b74b189374d2f95170b24f
Opcode Fuzzy Hash: ed0333a1fcfbf10a53bc5d550a2a22369bb2ef59f6ceca794d4489b56e2b3574
Instruction Fuzzy Hash: 42029D71500206EFDB14DF64DC99EAE7BBAFB4A321F008159F915AB2A1D770AD01CF60

Function 006670D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0066712F
GetSysColorBrush.USER32(0000000F), ref: 00667160
GetSysColor.USER32(0000000F), ref: 0066716C
SetBkColor.GDI32(?,000000FF), ref: 00667186
SelectObject.GDI32(?,?), ref: 00667195
InflateRect.USER32(?,000000FF,000000FF), ref: 006671C0
GetSysColor.USER32(00000010), ref: 006671C8
CreateSolidBrush.GDI32(00000000), ref: 006671CF
FrameRect.USER32(?,?,00000000), ref: 006671DE
DeleteObject.GDI32(00000000), ref: 006671E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00667230
FillRect.USER32(?,?,?), ref: 00667262
GetWindowLongW.USER32(?,000000F0), ref: 00667284

Part of subcall function 006673E8: GetSysColor.USER32(00000012), ref: 00667421
Part of subcall function 006673E8: SetTextColor.GDI32(?,?), ref: 00667425
Part of subcall function 006673E8: GetSysColorBrush.USER32(0000000F), ref: 0066743B
Part of subcall function 006673E8: GetSysColor.USER32(0000000F), ref: 00667446
Part of subcall function 006673E8: GetSysColor.USER32(00000011), ref: 00667463
Part of subcall function 006673E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00667471
Part of subcall function 006673E8: SelectObject.GDI32(?,00000000), ref: 00667482
Part of subcall function 006673E8: SetBkColor.GDI32(?,00000000), ref: 0066748B
Part of subcall function 006673E8: SelectObject.GDI32(?,?), ref: 00667498
Part of subcall function 006673E8: InflateRect.USER32(?,000000FF,000000FF), ref: 006674B7
Part of subcall function 006673E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 006674CE
Part of subcall function 006673E8: GetWindowLongW.USER32(00000000,000000F0), ref: 006674DB

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 1203b776a663bb3f670ed5c486390610fdc3bb5752598cea0fe963a54abe260e
Instruction ID: 3b2ac42d4971d48e2db5825102fb9c4a453a7ec0da7b5afd21e708cb483d2c6c
Opcode Fuzzy Hash: 1203b776a663bb3f670ed5c486390610fdc3bb5752598cea0fe963a54abe260e
Instruction Fuzzy Hash: 75A1C272008701BFDB009F64DC58E6BBBAAFF89334F101A19F9A2961E1D7B5E944CB51

Function 005E8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 005E8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00626AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00626AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00626F43

Part of subcall function 005E8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,005E8BE8,?,00000000,?,?,?,?,005E8BBA,00000000,?), ref: 005E8FC5

SendMessageW.USER32(?,00001053), ref: 00626F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00626F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00626FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00626FB7

Strings

0, xrefs: 00626DCF

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: c12ef4ab52265684414a8a38ffbff377acb671159a06eaae6812f7cedb094ac5
Instruction ID: 7932e1ab1a774580d86df8f2ea4f34b08042ad884f7bbc9882ddba64e742d70d
Opcode Fuzzy Hash: c12ef4ab52265684414a8a38ffbff377acb671159a06eaae6812f7cedb094ac5
Instruction Fuzzy Hash: 3A12AC30204A61DFDB25DF24E944BBABBA6FF45310F144469F4898B261CB71AC52DF91

Function 00652711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0065273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0065286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 006528A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 006528B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00652900
GetClientRect.USER32(00000000,?), ref: 0065290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00652955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00652964
GetStockObject.GDI32(00000011), ref: 00652974
SelectObject.GDI32(00000000,00000000), ref: 00652978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00652988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00652991
DeleteDC.GDI32(00000000), ref: 0065299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 006529C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 006529DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00652A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00652A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00652A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00652A77
GetStockObject.GDI32(00000011), ref: 00652A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00652A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00652A97

Strings

msctls_progress32, xrefs: 00652A13
DISPLAY, xrefs: 0065295A
AutoIt v3, xrefs: 006528F8
static, xrefs: 0065294F, 00652A71

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 925ea1314ceed945477fe77754495672b7e963df0e3aba8523a282f1af4bc29c
Instruction ID: 7379603c2eaabdc55deafd130a12601a13382704d287d8e5a9878e1a40d055b6
Opcode Fuzzy Hash: 925ea1314ceed945477fe77754495672b7e963df0e3aba8523a282f1af4bc29c
Instruction Fuzzy Hash: F3B17E71A00616AFEB14DFA8DC49FAE7BAAFB49711F004116F914EB290D7B0ED40CB90

Function 00644ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00644AED
GetDriveTypeW.KERNEL32(?,0066CB68,?,\\.\,0066CC08), ref: 00644BCA
SetErrorMode.KERNEL32(00000000,0066CB68,?,\\.\,0066CC08), ref: 00644D36

Strings

iSCSI, xrefs: 00644CC2
\\.\, xrefs: 00644B3F
ATAPI, xrefs: 00644C91
PhysicalDrive, xrefs: 00644B76
RAMDisk, xrefs: 00644BF4
SATA, xrefs: 00644CD0
SCSI, xrefs: 00644C8A
ATA, xrefs: 00644C98
FileBackedVirtual, xrefs: 00644CEC
SSD, xrefs: 00644C4A
Network, xrefs: 00644C02
USB, xrefs: 00644CB4
Fibre, xrefs: 00644CAD
CDROM, xrefs: 00644BFB
Removable, xrefs: 00644C10, 00644C15
Fixed, xrefs: 00644C09
Unknown, xrefs: 00644BED, 00644C83
RAID, xrefs: 00644CBB
SSA, xrefs: 00644CA6
Virtual, xrefs: 00644CE5
MMC, xrefs: 00644CDE
SAS, xrefs: 00644CC9
1394, xrefs: 00644C9F

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 9ec39cfc9a99cd4d475ac4599a657aae2e9630e1f8c28ccb7c670b178c19a54e
Instruction ID: 6c3e9118fa9a264a6f828e99b58bbbd90491b5de524557a8603fd4d4636437e0
Opcode Fuzzy Hash: 9ec39cfc9a99cd4d475ac4599a657aae2e9630e1f8c28ccb7c670b178c19a54e
Instruction Fuzzy Hash: 266190306062069BCF14DF28CAC7AA9BBA7FF45345B284416F806ABB91DE31DD46DB41

Function 006673E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00667421
SetTextColor.GDI32(?,?), ref: 00667425
GetSysColorBrush.USER32(0000000F), ref: 0066743B
GetSysColor.USER32(0000000F), ref: 00667446
CreateSolidBrush.GDI32(?), ref: 0066744B
GetSysColor.USER32(00000011), ref: 00667463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00667471
SelectObject.GDI32(?,00000000), ref: 00667482
SetBkColor.GDI32(?,00000000), ref: 0066748B
SelectObject.GDI32(?,?), ref: 00667498
InflateRect.USER32(?,000000FF,000000FF), ref: 006674B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 006674CE
GetWindowLongW.USER32(00000000,000000F0), ref: 006674DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0066752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00667554
InflateRect.USER32(?,000000FD,000000FD), ref: 00667572
DrawFocusRect.USER32(?,?), ref: 0066757D
GetSysColor.USER32(00000011), ref: 0066758E
SetTextColor.GDI32(?,00000000), ref: 00667596
DrawTextW.USER32(?,006670F5,000000FF,?,00000000), ref: 006675A8
SelectObject.GDI32(?,?), ref: 006675BF
DeleteObject.GDI32(?), ref: 006675CA
SelectObject.GDI32(?,?), ref: 006675D0
DeleteObject.GDI32(?), ref: 006675D5
SetTextColor.GDI32(?,?), ref: 006675DB
SetBkColor.GDI32(?,?), ref: 006675E5

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: c7d8b8193c3cfd42645213c7f2c5d12f0796b63cfa73c849fca59f3e380db772
Instruction ID: c6606cfac0a2bd4ebf67ce7b29994c2d7103196c1b69cd778218df4a4da4974a
Opcode Fuzzy Hash: c7d8b8193c3cfd42645213c7f2c5d12f0796b63cfa73c849fca59f3e380db772
Instruction Fuzzy Hash: 06615E72900618AFDF019FA4DC49AEEBFBAEB09320F115115F915AB2A1DBB59940CB90

Function 00660FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00661128
GetDesktopWindow.USER32 ref: 0066113D
GetWindowRect.USER32(00000000), ref: 00661144
GetWindowLongW.USER32(?,000000F0), ref: 00661199
DestroyWindow.USER32(?), ref: 006611B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 006611ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0066120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0066121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00661232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00661245
IsWindowVisible.USER32(00000000), ref: 006612A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 006612BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 006612D0
GetWindowRect.USER32(00000000,?), ref: 006612E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0066130E
GetMonitorInfoW.USER32(00000000,?), ref: 00661328
CopyRect.USER32(?,?), ref: 0066133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 006613AA

Strings

0, xrefs: 006610D3
(, xrefs: 0066131B
tooltips_class32, xrefs: 006611E6

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 21745402969360441dce20a8038600792233234a193859827132475466800bd3
Instruction ID: 16a0aaac5aeb526c7e51db8e0c3dd49e4c6d828f086ce32e7f2ce024a2178f70
Opcode Fuzzy Hash: 21745402969360441dce20a8038600792233234a193859827132475466800bd3
Instruction Fuzzy Hash: 31B1A071604341AFD710DF64C888BAAFBE6FF85310F04891EF9999B261DB71E844CB91

Function 005E8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 005E8968
GetSystemMetrics.USER32(00000007), ref: 005E8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 005E899B
GetSystemMetrics.USER32(00000008), ref: 005E89A3
GetSystemMetrics.USER32(00000004), ref: 005E89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 005E89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 005E89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 005E8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 005E8A3C
GetClientRect.USER32(00000000,000000FF), ref: 005E8A5A
GetStockObject.GDI32(00000011), ref: 005E8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 005E8A81

Part of subcall function 005E912D: GetCursorPos.USER32(?), ref: 005E9141
Part of subcall function 005E912D: ScreenToClient.USER32(00000000,?), ref: 005E915E
Part of subcall function 005E912D: GetAsyncKeyState.USER32(00000001), ref: 005E9183
Part of subcall function 005E912D: GetAsyncKeyState.USER32(00000002), ref: 005E919D

SetTimer.USER32(00000000,00000000,00000028,005E90FC), ref: 005E8AA8

Strings

AutoIt v3 GUI, xrefs: 005E8A20

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: eea97e112fc3bf30c9c62cbbcd73d755c026751ce57ffb766cbd02d6ac6762fb
Instruction ID: a0793b8aaa6d82eb65497ce799cf457f141100d6d346368cd737d89bfe13c841
Opcode Fuzzy Hash: eea97e112fc3bf30c9c62cbbcd73d755c026751ce57ffb766cbd02d6ac6762fb
Instruction Fuzzy Hash: FBB17D75A0025A9FDB14DFA8DC45BBE3BB6FB49324F104229FA55EB290DB74A840CF50

Function 00630D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006310F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00631114
Part of subcall function 006310F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00630B9B,?,?,?), ref: 00631120
Part of subcall function 006310F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00630B9B,?,?,?), ref: 0063112F
Part of subcall function 006310F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00630B9B,?,?,?), ref: 00631136
Part of subcall function 006310F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0063114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00630DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00630E29
GetLengthSid.ADVAPI32(?), ref: 00630E40
GetAce.ADVAPI32(?,00000000,?), ref: 00630E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00630E96
GetLengthSid.ADVAPI32(?), ref: 00630EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00630EB5
HeapAlloc.KERNEL32(00000000), ref: 00630EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00630EDD
CopySid.ADVAPI32(00000000), ref: 00630EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00630F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00630F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00630F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00630F6E
HeapFree.KERNEL32(00000000), ref: 00630F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00630F7E
HeapFree.KERNEL32(00000000), ref: 00630F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00630F8E
HeapFree.KERNEL32(00000000), ref: 00630F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00630FA1
HeapFree.KERNEL32(00000000), ref: 00630FA8

Part of subcall function 00631193: GetProcessHeap.KERNEL32(00000008,00630BB1,?,00000000,?,00630BB1,?), ref: 006311A1
Part of subcall function 00631193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00630BB1,?), ref: 006311A8
Part of subcall function 00631193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00630BB1,?), ref: 006311B7

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: e1aa93f94f3e05013bef3ff79905ea739781d6076ea9d6438a9d7414f32b6d1b
Instruction ID: e19e2f5a0d79730985f7d5213c26b11cc41a150813ca17d76c0d8595991e20bf
Opcode Fuzzy Hash: e1aa93f94f3e05013bef3ff79905ea739781d6076ea9d6438a9d7414f32b6d1b
Instruction Fuzzy Hash: B7715F7190020AEFEF209FA5DC44FEEBBBABF05710F148119F959E6291D7719909CBA0

Function 0065C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0065C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0066CC08,00000000,?,00000000,?,?), ref: 0065C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0065C5A4
_wcslen.LIBCMT ref: 0065C5F4
_wcslen.LIBCMT ref: 0065C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0065C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0065C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0065C84D
RegCloseKey.ADVAPI32(?), ref: 0065C881
RegCloseKey.ADVAPI32(00000000), ref: 0065C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0065C960

Strings

REG_BINARY, xrefs: 0065C913
REG_QWORD, xrefs: 0065C8C3
REG_SZ, xrefs: 0065C644
REG_EXPAND_SZ, xrefs: 0065C5CD
REG_DWORD, xrefs: 0065C804
REG_MULTI_SZ, xrefs: 0065C6F5

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 5aee9012678e2ac3c599c423544d22e02b531e11cc1e66009c2fb984acd84291
Instruction ID: 469e7ccfdb44d6cfd9f4c2b5985c83a020c999d44f47d9f7725c2f0f47b09f3d
Opcode Fuzzy Hash: 5aee9012678e2ac3c599c423544d22e02b531e11cc1e66009c2fb984acd84291
Instruction Fuzzy Hash: 15126E356043019FD714DF18C895A6ABBE6FF88725F04885EF8899B3A2DB31ED45CB81

Function 0066091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 006609C6
_wcslen.LIBCMT ref: 00660A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00660A54
_wcslen.LIBCMT ref: 00660A8A
_wcslen.LIBCMT ref: 00660B06
_wcslen.LIBCMT ref: 00660B81

Part of subcall function 005EF9F2: _wcslen.LIBCMT ref: 005EF9FD

Part of subcall function 00632BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00632BFA

Strings

EXISTS, xrefs: 00660B7C, 00660B97
EXPAND, xrefs: 00660BF8
GETTOTALCOUNT, xrefs: 006609F2, 00660A17
GETTEXT, xrefs: 00660C97
CHECK, xrefs: 00660A85, 00660AA0
SELECT, xrefs: 00660D11
UNCHECK, xrefs: 00660D3E
GETITEMCOUNT, xrefs: 00660C1E
ISCHECKED, xrefs: 00660CE1
COLLAPSE, xrefs: 00660B01, 00660B1C
GETSELECTED, xrefs: 00660C4E

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: de94c2e8d6b58839b2ad6876732bb34a5eb069232c0bb959219f79bb05443614
Instruction ID: 59ac7c5156c36f96a59c38b65b5dafb84b8b662b8e590bb837fbd47bd5ee8152
Opcode Fuzzy Hash: de94c2e8d6b58839b2ad6876732bb34a5eb069232c0bb959219f79bb05443614
Instruction Fuzzy Hash: 3BE18C352083029FCB14DF29C45096BBBE2BF98354F14896DF8969B362D731ED46CB81

Function 0065C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0065B6AE,?,?), ref: 0065C9B5
_wcslen.LIBCMT ref: 0065C9F1
_wcslen.LIBCMT ref: 0065CA68
_wcslen.LIBCMT ref: 0065CA9E
_wcslen.LIBCMT ref: 0065CAF9
_wcslen.LIBCMT ref: 0065CB2F
_wcslen.LIBCMT ref: 0065CB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 0065CA62, 0065CA67
HKCR, xrefs: 0065CB29, 0065CB2E
HKCC, xrefs: 0065CBAC
HKEY_CURRENT_CONFIG, xrefs: 0065CB79, 0065CB7E
HKLM, xrefs: 0065CA98, 0065CA9D
HKEY_USERS, xrefs: 0065CBDF
HKU, xrefs: 0065CBF0
HKCU, xrefs: 0065CBCE
HKEY_CLASSES_ROOT, xrefs: 0065CAF3, 0065CAF8
HKEY_CURRENT_USER, xrefs: 0065CBBD

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 3e7a59185af29e6e9b853350fbfdf65edfe4ea927e555ffbc4425ac0514a8891
Instruction ID: 9affe1e7ace5a602a54e6fcb64bff2c9b483011fe2ea3ef52a9302dbd72f2bb3
Opcode Fuzzy Hash: 3e7a59185af29e6e9b853350fbfdf65edfe4ea927e555ffbc4425ac0514a8891
Instruction Fuzzy Hash: 3071D13261022A8FCF20DE6CCD515FA3B97ABA0775F150529FC669B384EA31CD49C3A0

Function 0066833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0066835A
_wcslen.LIBCMT ref: 0066836E
_wcslen.LIBCMT ref: 00668391
_wcslen.LIBCMT ref: 006683B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 006683F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,0066361A,?), ref: 0066844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00668487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 006684CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00668501
FreeLibrary.KERNEL32(?), ref: 0066850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0066851D
DestroyIcon.USER32(?), ref: 0066852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00668549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00668555

Strings

.dll, xrefs: 006683AB
.exe, xrefs: 00668388
.icl, xrefs: 00668368

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 2068d1092b3c40837201d71fbd4950a2c96b651d92ab82c8017504ca6f57e6bf
Instruction ID: c2c12b2adcaa39e740bd29d62df9b324ce1ad29637a3f583584ce897fd3d8e16
Opcode Fuzzy Hash: 2068d1092b3c40837201d71fbd4950a2c96b651d92ab82c8017504ca6f57e6bf
Instruction Fuzzy Hash: 8E61D07150060ABEEB14DF74CC45BFE7BA9BB44720F10420AF916D62D0DBB49980CBA0

Function 005D7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#ce, xrefs: 005D78ED
#comments-start, xrefs: 005D785F, 005D78B1
#pragma compile, xrefs: 005D77D3
#notrayicon, xrefs: 005D77E7
#cs, xrefs: 005D7873, 005D78C5
#include, xrefs: 005D7847
#requireadmin, xrefs: 005D77FF
Cannot parse #include, xrefs: 00615279
#OnAutoItStartRegister, xrefs: 005D7817
', xrefs: 00615169
Unterminated group of comments, xrefs: 0061528C
#include-once, xrefs: 005D782F
#comments-end, xrefs: 005D78D9
", xrefs: 00615153
Bad directive syntax error, xrefs: 0061519A

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: c44c75bab379d8d0ab36ed82cd085b27e41bdfb8dbc3b1e34518ed3ef029ac8c
Instruction ID: e2ff2ca647179cd9d448e72b05f7e882aedc3363f01d34744dff93e36c7ae1c4
Opcode Fuzzy Hash: c44c75bab379d8d0ab36ed82cd085b27e41bdfb8dbc3b1e34518ed3ef029ac8c
Instruction Fuzzy Hash: 0381E67160060ABBDB21AF64DC46FFA7F69BF99300F044427F905AB292EB70D941C791

Function 00643E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00643EF8
_wcslen.LIBCMT ref: 00643F03
_wcslen.LIBCMT ref: 00643F5A
_wcslen.LIBCMT ref: 00643F98
GetDriveTypeW.KERNEL32(?), ref: 00643FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0064401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00644059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00644087

Strings

close, xrefs: 00643EFE, 00643F18
open , xrefs: 00643FE5
close cd wait, xrefs: 00644072
wait, xrefs: 00644044
open, xrefs: 00643F54, 00643F59
set cd door , xrefs: 00644028
type cdaudio alias cd wait, xrefs: 00644001
closed, xrefs: 00643F08, 00643F2D, 00643F46, 00643F7E, 00643F97

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 8e1a008528cfff0c654451d0641d1bc18b7cca1b06d9257e57894fa8d573fea5
Instruction ID: b0c417222cc0649f8bda1df7f46f8adbb9e2867659aca6211b9a9e94180b7daa
Opcode Fuzzy Hash: 8e1a008528cfff0c654451d0641d1bc18b7cca1b06d9257e57894fa8d573fea5
Instruction Fuzzy Hash: 7A71BF716043129FC720EF28C8819AABBE6FF94754F10492EF99597361EB30DD4ACB91

Function 00635A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00635A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00635A40
SetWindowTextW.USER32(?,?), ref: 00635A57
GetDlgItem.USER32(?,000003EA), ref: 00635A6C
SetWindowTextW.USER32(00000000,?), ref: 00635A72
GetDlgItem.USER32(?,000003E9), ref: 00635A82
SetWindowTextW.USER32(00000000,?), ref: 00635A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00635AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00635AC3
GetWindowRect.USER32(?,?), ref: 00635ACC
_wcslen.LIBCMT ref: 00635B33
SetWindowTextW.USER32(?,?), ref: 00635B6F
GetDesktopWindow.USER32 ref: 00635B75
GetWindowRect.USER32(00000000), ref: 00635B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00635BD3
GetClientRect.USER32(?,?), ref: 00635BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00635C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00635C2F

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 2ccd721349040fcafec020dd846d008ee3024c29d2e15045187e312aa652f89a
Instruction ID: f218066b1884f4ff4eff41508485d360acf17137cdb66762bf788816bfa65e49
Opcode Fuzzy Hash: 2ccd721349040fcafec020dd846d008ee3024c29d2e15045187e312aa652f89a
Instruction Fuzzy Hash: EE717F31900B05AFDB20DFA8CE55AAEBBF6FF48715F104518E583A36A0D775E940CB94

Function 0064FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0064FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0064FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0064FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0064FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0064FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0064FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0064FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0064FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0064FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0064FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0064FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0064FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0064FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0064FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0064FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0064FECC
GetCursorInfo.USER32(?), ref: 0064FEDC
GetLastError.KERNEL32 ref: 0064FF1E

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 0d5be03ba49badea69746006f1ff38e07a1d41272e8bdf5e3fe1cd4f69c36e36
Instruction ID: bb08ede0b5e7193afd843ea45ca909ec5e3dc4e26528646385483e82b8a0d427
Opcode Fuzzy Hash: 0d5be03ba49badea69746006f1ff38e07a1d41272e8bdf5e3fe1cd4f69c36e36
Instruction Fuzzy Hash: 004142B0D0431A6BDB50DFBA8C8986EBFE9FF04754B50452AF11DE7281DB78A901CE91

Function 006330F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0063318D
_wcslen.LIBCMT ref: 006331F8

Strings

TEXT, xrefs: 0063347C
[i, xrefs: 0063339A
CLASS, xrefs: 00633188, 006331A5
REGEXPCLASS, xrefs: 00633255, 00633266
INSTANCE, xrefs: 00633453
NAME, xrefs: 00633335, 00633346
CLASSNN, xrefs: 006331F3, 00633204

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[i
API String ID: 176396367-3562049154
Opcode ID: 3f8881059236ff925fcaa4621ba5edcc3c278216fd333110cc24d943afd56aac
Instruction ID: c9575093d977e80bced1fda157aa66454e6f78c89b6647b20ea3bb116118c7cf
Opcode Fuzzy Hash: 3f8881059236ff925fcaa4621ba5edcc3c278216fd333110cc24d943afd56aac
Instruction Fuzzy Hash: 33E1D432A00536ABCF289FA8C8556FEBBB6BF44710F54811AE456E7341DB30AF8587D0

Function 005F00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 005F00C6

Part of subcall function 005F00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(006A070C,00000FA0,2C98E96A,?,?,?,?,006123B3,000000FF), ref: 005F011C
Part of subcall function 005F00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,006123B3,000000FF), ref: 005F0127
Part of subcall function 005F00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,006123B3,000000FF), ref: 005F0138
Part of subcall function 005F00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 005F014E
Part of subcall function 005F00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 005F015C
Part of subcall function 005F00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 005F016A
Part of subcall function 005F00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 005F0195
Part of subcall function 005F00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 005F01A0

___scrt_fastfail.LIBCMT ref: 005F00E7

Part of subcall function 005F00A3: __onexit.LIBCMT ref: 005F00A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 005F0122
kernel32.dll, xrefs: 005F0133
SleepConditionVariableCS, xrefs: 005F0154
InitializeConditionVariable, xrefs: 005F0148
WakeAllConditionVariable, xrefs: 005F0162

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: e02e0dd9ffb298b7ea5d1fdbac19ecb3fe83234430cb354c74bd191a3ad4673b
Instruction ID: a01f5b3b1d453fe07a4c2251134a1ad61a0c9d8c5485c4496a9bba04818ad400
Opcode Fuzzy Hash: e02e0dd9ffb298b7ea5d1fdbac19ecb3fe83234430cb354c74bd191a3ad4673b
Instruction Fuzzy Hash: C9213E32644B156BE7106BA4AC09F7A7B9AFF46B60F051135F941A32D2DFB4AC00CA50

Function 006444C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0066CC08), ref: 00644527
_wcslen.LIBCMT ref: 0064453B
_wcslen.LIBCMT ref: 00644599
_wcslen.LIBCMT ref: 006445F4
_wcslen.LIBCMT ref: 0064463F
_wcslen.LIBCMT ref: 006446A7

Part of subcall function 005EF9F2: _wcslen.LIBCMT ref: 005EF9FD

GetDriveTypeW.KERNEL32(?,00696BF0,00000061), ref: 00644743

Strings

ramdisk, xrefs: 006446F1
removable, xrefs: 006445EA, 006445EF
fixed, xrefs: 00644635, 0064463A
network, xrefs: 0064469D, 006446A2
all, xrefs: 00644531, 00644536
unknown, xrefs: 00644708
cdrom, xrefs: 0064458F, 00644594

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 24c5dad5db32f7fba3caa104efe25b56e97e7cc3ef33866d45072a027210a4f0
Instruction ID: 1cce9bbbfaf26e01f7fc5d78032a45a17b2e1fe3be0ef8d27780fe9203cb3e3b
Opcode Fuzzy Hash: 24c5dad5db32f7fba3caa104efe25b56e97e7cc3ef33866d45072a027210a4f0
Instruction Fuzzy Hash: 9BB1D1716083029FC714DF28C896AAABBE6BFE5760F50491EF496C7391EB30D845CB52

Function 0066911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 005E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 005E9BB2

DragQueryPoint.SHELL32(?,?), ref: 00669147

Part of subcall function 00667674: ClientToScreen.USER32(?,?), ref: 0066769A
Part of subcall function 00667674: GetWindowRect.USER32(?,?), ref: 00667710
Part of subcall function 00667674: PtInRect.USER32(?,?,00668B89), ref: 00667720

SendMessageW.USER32(?,000000B0,?,?), ref: 006691B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 006691BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 006691DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00669225
SendMessageW.USER32(?,000000B0,?,?), ref: 0066923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00669255
SendMessageW.USER32(?,000000B1,?,?), ref: 00669277
DragFinish.SHELL32(?), ref: 0066927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00669371

Strings

@GUI_DROPID, xrefs: 0066929E
@GUI_DRAGID, xrefs: 006692E9
p#j, xrefs: 006692BB
@GUI_DRAGFILE, xrefs: 00669320

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#j
API String ID: 221274066-3710821403
Opcode ID: 535027fc07c1e7e18f64b88b5099d27f2b8b3f7d8f6eeacad68d201c7d4089ce
Instruction ID: a22a9937046370a74f252b541fbd8b94885601313c46bbe606f95ae5142807eb
Opcode Fuzzy Hash: 535027fc07c1e7e18f64b88b5099d27f2b8b3f7d8f6eeacad68d201c7d4089ce
Instruction Fuzzy Hash: 37615A71108302AFC711EF54DC89DABBBEAFBC5750F00092EF595922A1DB709A49CB62

Function 00653FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0066CC08), ref: 006540BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 006540CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0066CC08), ref: 006540F2
FreeLibrary.KERNEL32(00000000,?,0066CC08), ref: 0065413E
StringFromGUID2.OLE32(?,?,00000028,?,0066CC08), ref: 006541A8
SysFreeString.OLEAUT32(00000009), ref: 00654262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 006542C8
SysFreeString.OLEAUT32(?), ref: 006542F2

Strings

kernel32.dll, xrefs: 006540B6
GetModuleHandleExW, xrefs: 006540C7

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: e348007d50c1533eb41793f3ced67c3eb46daee977bc5fedbfcb6d0db398068a
Instruction ID: cf41b08d2ccc900c4d28b17b525fa2460e20a899da1a3eb07e799822e7b4d865
Opcode Fuzzy Hash: e348007d50c1533eb41793f3ced67c3eb46daee977bc5fedbfcb6d0db398068a
Instruction Fuzzy Hash: 30125F75A00115EFDB14CF94C884EAEBBB6FF45319F248099F9059B261DB31ED86CBA0

Function 005D326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(006A1990), ref: 00612F8D
GetMenuItemCount.USER32(006A1990), ref: 0061303D
GetCursorPos.USER32(?), ref: 00613081
SetForegroundWindow.USER32(00000000), ref: 0061308A
TrackPopupMenuEx.USER32(006A1990,00000000,?,00000000,00000000,00000000), ref: 0061309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 006130A9

Strings

0, xrefs: 005D327D

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 63c18e7d9bbbd0a8b49da244ab5158680d4bb251a19d351a86dde7a329db9aaf
Instruction ID: 22a8e486c09689b13878b2f01f82a0f1268340944c158b389b6e856ca9e62e92
Opcode Fuzzy Hash: 63c18e7d9bbbd0a8b49da244ab5158680d4bb251a19d351a86dde7a329db9aaf
Instruction Fuzzy Hash: D8710C70640216BEEB319F28CC59FEABF66FF05324F144217F515662E0C7B1A960C795

Function 00666CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00666DEB

Part of subcall function 005D6B57: _wcslen.LIBCMT ref: 005D6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00666E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00666E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00666E94
DestroyWindow.USER32(?), ref: 00666EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,005D0000,00000000), ref: 00666EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00666EFD
GetDesktopWindow.USER32 ref: 00666F16
GetWindowRect.USER32(00000000), ref: 00666F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00666F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00666F4D

Part of subcall function 005E9944: GetWindowLongW.USER32(?,000000EB), ref: 005E9952

Strings

tooltips_class32, xrefs: 00666E58, 00666EDD
0, xrefs: 00666D98

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: f0b4a353321e18a45f531d631b4abea7b86a92ee76457bca5b9a216356480f63
Instruction ID: f55dadfecf7ab6b8248a6813e579449961f336955573dd88a406190342b5d142
Opcode Fuzzy Hash: f0b4a353321e18a45f531d631b4abea7b86a92ee76457bca5b9a216356480f63
Instruction Fuzzy Hash: 63716674104241AFEB21DF18E848EBBBBEAFB99314F04441EF99987361C771A906CB15

Function 0064C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0064C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0064C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0064C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0064C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0064C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0064C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0064C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0064C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0064C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0064C5F0
InternetCloseHandle.WININET(00000000), ref: 0064C5FB

Strings

, xrefs: 0064C575

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 47d75a1b9d88836c88431affd5ed31ff0cbd4d52412c4807ef33d2d86d8865d2
Instruction ID: 14fe998abc292f6296f30d2a20ba095a65fd2b0fcee1be4f10e5ddf96c7b9469
Opcode Fuzzy Hash: 47d75a1b9d88836c88431affd5ed31ff0cbd4d52412c4807ef33d2d86d8865d2
Instruction Fuzzy Hash: 02516EB0501608BFDB619F64C948ABB7BFEFF08764F008419F98596310DB74E954DB60

Function 0066856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00668592
GetFileSize.KERNEL32(00000000,00000000), ref: 006685A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 006685AD
CloseHandle.KERNEL32(00000000), ref: 006685BA
GlobalLock.KERNEL32(00000000), ref: 006685C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 006685D7
GlobalUnlock.KERNEL32(00000000), ref: 006685E0
CloseHandle.KERNEL32(00000000), ref: 006685E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 006685F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,0066FC38,?), ref: 00668611
GlobalFree.KERNEL32(00000000), ref: 00668621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00668641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00668671
DeleteObject.GDI32(00000000), ref: 00668699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 006686AF

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 84ace92714139ebbb2d2668daad19d16867ea6c526a8162ac60c9c438deefe0d
Instruction ID: 97f7c04cb81f6411bc78b12de212852d7ba3e1668879a4c28493aeb7c1e56ff9
Opcode Fuzzy Hash: 84ace92714139ebbb2d2668daad19d16867ea6c526a8162ac60c9c438deefe0d
Instruction Fuzzy Hash: A3411975600604BFDB119FA5DC48EAA7BBEEF89B21F104159F946E7260DB709E01CB60

Function 006414BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00641502
VariantCopy.OLEAUT32(?,?), ref: 0064150B
VariantClear.OLEAUT32(?), ref: 00641517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 006415FB
VarR8FromDec.OLEAUT32(?,?), ref: 00641657
VariantInit.OLEAUT32(?), ref: 00641708
SysFreeString.OLEAUT32(?), ref: 0064178C
VariantClear.OLEAUT32(?), ref: 006417D8
VariantClear.OLEAUT32(?), ref: 006417E7
VariantInit.OLEAUT32(00000000), ref: 00641823

Strings

Default, xrefs: 006416AF
%4d%02d%02d%02d%02d%02d, xrefs: 00641625

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 9cb8c0ec533423adb327577dcb2b0ed13aff0abfc520be90c8ce2fa1f167071b
Instruction ID: 8ca4107cefe6b017d48ee7f1cc2250ec657f0f61f0b064d7aa9e9d267ef85d8b
Opcode Fuzzy Hash: 9cb8c0ec533423adb327577dcb2b0ed13aff0abfc520be90c8ce2fa1f167071b
Instruction Fuzzy Hash: 21D1E5B1600516DBDB18EF65D889BBDBBB6BF86700F148056F446AF680DB30EC82DB51

Function 0065B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 005D9CB3: _wcslen.LIBCMT ref: 005D9CBD

Part of subcall function 0065C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0065B6AE,?,?), ref: 0065C9B5
Part of subcall function 0065C998: _wcslen.LIBCMT ref: 0065C9F1
Part of subcall function 0065C998: _wcslen.LIBCMT ref: 0065CA68
Part of subcall function 0065C998: _wcslen.LIBCMT ref: 0065CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0065B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0065B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0065B80A
RegCloseKey.ADVAPI32(?), ref: 0065B87E
RegCloseKey.ADVAPI32(?), ref: 0065B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0065B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0065B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0065B922
FreeLibrary.KERNEL32(00000000), ref: 0065B983
RegCloseKey.ADVAPI32(00000000), ref: 0065B994

Strings

advapi32.dll, xrefs: 0065B8ED
RegDeleteKeyExW, xrefs: 0065B8FE

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: cd9f01e1d4a0f7dcde29da5ab429536be5a5343bafa2aed195209cd6cd2cf694
Instruction ID: 87462284557be69eb017b1d384b24d551cafcf3acc45d898fbb8772dea2200e2
Opcode Fuzzy Hash: cd9f01e1d4a0f7dcde29da5ab429536be5a5343bafa2aed195209cd6cd2cf694
Instruction Fuzzy Hash: 9EC16E30204202AFD720DF18C495F6ABBE6BF85319F14955DF8968B3A2C771ED49CB91

Function 0065255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 006525D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 006525E8
CreateCompatibleDC.GDI32(?), ref: 006525F4
SelectObject.GDI32(00000000,?), ref: 00652601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0065266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 006526AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 006526D0
SelectObject.GDI32(?,?), ref: 006526D8
DeleteObject.GDI32(?), ref: 006526E1
DeleteDC.GDI32(?), ref: 006526E8
ReleaseDC.USER32(00000000,?), ref: 006526F3

Strings

(, xrefs: 0065268D

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 0a789619fb2ee3aa8fbb2226b09a05e49ca31ec6ceed3849ec9cb1d5e97d67b9
Instruction ID: 9662a6b8ba72b60abccc21088b2b0d60fc0ef2e980b1c1a8010d752165eca047
Opcode Fuzzy Hash: 0a789619fb2ee3aa8fbb2226b09a05e49ca31ec6ceed3849ec9cb1d5e97d67b9
Instruction Fuzzy Hash: 2B61F475D0061AEFCF04CFA4D894AAEBBF6FF48310F208529E955A7250D771A941CF94

Function 0060DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0060DAA1

Part of subcall function 0060D63C: _free.LIBCMT ref: 0060D659
Part of subcall function 0060D63C: _free.LIBCMT ref: 0060D66B
Part of subcall function 0060D63C: _free.LIBCMT ref: 0060D67D
Part of subcall function 0060D63C: _free.LIBCMT ref: 0060D68F
Part of subcall function 0060D63C: _free.LIBCMT ref: 0060D6A1
Part of subcall function 0060D63C: _free.LIBCMT ref: 0060D6B3
Part of subcall function 0060D63C: _free.LIBCMT ref: 0060D6C5
Part of subcall function 0060D63C: _free.LIBCMT ref: 0060D6D7
Part of subcall function 0060D63C: _free.LIBCMT ref: 0060D6E9
Part of subcall function 0060D63C: _free.LIBCMT ref: 0060D6FB
Part of subcall function 0060D63C: _free.LIBCMT ref: 0060D70D
Part of subcall function 0060D63C: _free.LIBCMT ref: 0060D71F
Part of subcall function 0060D63C: _free.LIBCMT ref: 0060D731

_free.LIBCMT ref: 0060DA96

Part of subcall function 006029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0060D7D1,00000000,00000000,00000000,00000000,?,0060D7F8,00000000,00000007,00000000,?,0060DBF5,00000000), ref: 006029DE
Part of subcall function 006029C8: GetLastError.KERNEL32(00000000,?,0060D7D1,00000000,00000000,00000000,00000000,?,0060D7F8,00000000,00000007,00000000,?,0060DBF5,00000000,00000000), ref: 006029F0

_free.LIBCMT ref: 0060DAB8
_free.LIBCMT ref: 0060DACD
_free.LIBCMT ref: 0060DAD8
_free.LIBCMT ref: 0060DAFA
_free.LIBCMT ref: 0060DB0D
_free.LIBCMT ref: 0060DB1B
_free.LIBCMT ref: 0060DB26
_free.LIBCMT ref: 0060DB5E
_free.LIBCMT ref: 0060DB65
_free.LIBCMT ref: 0060DB82
_free.LIBCMT ref: 0060DB9A

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: aaa64df1ad360d0d096e88a3f1a4fbe14835bb136f56c49d9f1fbf95a121caad
Instruction ID: 5e9f70f856a4960c56b77a1b02231d038bc5addbc136e087ce959cd0b5137088
Opcode Fuzzy Hash: aaa64df1ad360d0d096e88a3f1a4fbe14835bb136f56c49d9f1fbf95a121caad
Instruction Fuzzy Hash: BD317C716842069FEB69AAB9E845B9B77EAFF00710F204A1DE449D72D1DB30EC40C724

Function 0063365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0063369C
_wcslen.LIBCMT ref: 006336A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00633797
GetClassNameW.USER32(?,?,00000400), ref: 0063380C
GetDlgCtrlID.USER32(?), ref: 0063385D
GetWindowRect.USER32(?,?), ref: 00633882
GetParent.USER32(?), ref: 006338A0
ScreenToClient.USER32(00000000), ref: 006338A7
GetClassNameW.USER32(?,?,00000100), ref: 00633921
GetWindowTextW.USER32(?,?,00000400), ref: 0063395D

Strings

%s%u, xrefs: 00633734

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 80008d215d2383fb10d2a609a4ac87a2cab88421131c42117caca905ff248a44
Instruction ID: 01103dd22312446eaf7fade9c150c69ad77354cdeaec62f9831198b677e06732
Opcode Fuzzy Hash: 80008d215d2383fb10d2a609a4ac87a2cab88421131c42117caca905ff248a44
Instruction Fuzzy Hash: D6919171204616EFD719DF24C885BEAF7AAFF44350F004629FA99C6290EB70EA45CBD1

Function 00634954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00634994
GetWindowTextW.USER32(?,?,00000400), ref: 006349DA
_wcslen.LIBCMT ref: 006349EB
CharUpperBuffW.USER32(?,00000000), ref: 006349F7
_wcsstr.LIBVCRUNTIME ref: 00634A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00634A64
GetWindowTextW.USER32(?,?,00000400), ref: 00634A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00634AE6
GetClassNameW.USER32(?,?,00000400), ref: 00634B20
GetWindowRect.USER32(?,?), ref: 00634B8B

Strings

ThumbnailClass, xrefs: 00634A6F, 00634AF1

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 8e9b11e494c033497b9640c06a3387b912d21c6cab9e8346e96d938d5c7a2270
Instruction ID: 19d455fee6c709d602f0f80563e8ec6a33eb4765cd08333aed2ec04029af0cb8
Opcode Fuzzy Hash: 8e9b11e494c033497b9640c06a3387b912d21c6cab9e8346e96d938d5c7a2270
Instruction Fuzzy Hash: 8491AE711042069BDB04CF14C985BAAFBEAFF84314F04846AFD869A296DF34ED45CBA1

Function 0063BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(006A1990,000000FF,00000000,00000030), ref: 0063BFAC
SetMenuItemInfoW.USER32(006A1990,00000004,00000000,00000030), ref: 0063BFE1
Sleep.KERNEL32(000001F4), ref: 0063BFF3
GetMenuItemCount.USER32(?), ref: 0063C039
GetMenuItemID.USER32(?,00000000), ref: 0063C056
GetMenuItemID.USER32(?,-00000001), ref: 0063C082
GetMenuItemID.USER32(?,?), ref: 0063C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0063C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0063C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0063C145

Strings

0, xrefs: 0063BF3D

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: b3b720b12f768ff8f5354d87d9ee75b7da494a605f6c3f1150f54e98ac718cf2
Instruction ID: 90140e49cec8ce82363ff4bf4f621d7b6f38e3e20bf6457a1c8c120d0ea0eebd
Opcode Fuzzy Hash: b3b720b12f768ff8f5354d87d9ee75b7da494a605f6c3f1150f54e98ac718cf2
Instruction Fuzzy Hash: 6A61AFB190028AAFDF15CF64CC88AFEBBBAEB05364F000019F951B7291C771AD15DBA0

Function 0065CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0065CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0065CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0065CD48

Part of subcall function 0065CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0065CCAA
Part of subcall function 0065CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0065CCBD
Part of subcall function 0065CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0065CCCF
Part of subcall function 0065CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0065CD05
Part of subcall function 0065CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0065CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0065CCF3

Strings

advapi32.dll, xrefs: 0065CCB8
RegDeleteKeyExW, xrefs: 0065CCC9

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: be70dd3e98781277891bf0b8bf08dbfe1106c7aa1aa4d4adc42e75c086b44cc4
Instruction ID: dfd478e9582f15ca6f1693502117e16ebc136d62a2a166c5a68ee0b878cc026d
Opcode Fuzzy Hash: be70dd3e98781277891bf0b8bf08dbfe1106c7aa1aa4d4adc42e75c086b44cc4
Instruction Fuzzy Hash: 3231A171901229BFDB209B94DC88EFFBB7EEF01761F000165F945E2200D7B08A49DAA0

Function 00643D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00643D40
_wcslen.LIBCMT ref: 00643D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00643D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00643DBE
RemoveDirectoryW.KERNEL32(?), ref: 00643DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00643E55
CloseHandle.KERNEL32(00000000), ref: 00643E60
CloseHandle.KERNEL32(00000000), ref: 00643E6B

Strings

\??\%s, xrefs: 00643D5B
:, xrefs: 00643D82
\, xrefs: 00643D77

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 57378d77379348d1731fb045ac2a41f984b3e7502b195ef85d7716c88523c9a1
Instruction ID: be16ba3b91dd27e3aa88fe9327f342e03729e2e4a41445cb64a688dbd0d80a48
Opcode Fuzzy Hash: 57378d77379348d1731fb045ac2a41f984b3e7502b195ef85d7716c88523c9a1
Instruction Fuzzy Hash: A831C47190021AABDB209FA1DC49FEF37BEEF89710F1040B6F645D6260EBB497448B24

Function 0063E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0063E6B4

Part of subcall function 005EE551: timeGetTime.WINMM(?,?,0063E6D4), ref: 005EE555

Sleep.KERNEL32(0000000A), ref: 0063E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0063E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0063E727
SetActiveWindow.USER32 ref: 0063E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0063E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0063E773
Sleep.KERNEL32(000000FA), ref: 0063E77E
IsWindow.USER32 ref: 0063E78A
EndDialog.USER32(00000000), ref: 0063E79B

Strings

BUTTON, xrefs: 0063E719

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 97e801ec6818b365dcc25f22faf7a2578359f7b0b37dd5be96c38cc3226a0a70
Instruction ID: 9aa5ba4d69829e614cace606a023c2c634144f903b6567ad1014d7e6fa1081ff
Opcode Fuzzy Hash: 97e801ec6818b365dcc25f22faf7a2578359f7b0b37dd5be96c38cc3226a0a70
Instruction Fuzzy Hash: D9218770280605AFEB106F64ECA9A353B6BF756358F103425F455826E1DBB2BC50DF74

Function 0063E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 005D9CB3: _wcslen.LIBCMT ref: 005D9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0063EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0063EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0063EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0063EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0063EAA7

Strings

play PlayMe wait, xrefs: 0063EA91
status PlayMe mode, xrefs: 0063EA58
alias PlayMe, xrefs: 0063EA36
open , xrefs: 0063EA0C
close PlayMe, xrefs: 0063EA6E, 0063EA9B
play PlayMe, xrefs: 0063EAA2

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 195235399f950cd644a8c1e1d4b993336506521721ee3e19b5bfeb484eac08e1
Instruction ID: c87eea955759dd34d751e49ef8539c1f4444fee68456355d9d768312b2bfc6bd
Opcode Fuzzy Hash: 195235399f950cd644a8c1e1d4b993336506521721ee3e19b5bfeb484eac08e1
Instruction Fuzzy Hash: 06117331A9036A79DB20A7A6DD4AEFF6E7DFBD1B40F01042AB411A21D1EEB05D05C5B1

Function 00639F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0063A012
SetKeyboardState.USER32(?), ref: 0063A07D
GetAsyncKeyState.USER32(000000A0), ref: 0063A09D
GetKeyState.USER32(000000A0), ref: 0063A0B4
GetAsyncKeyState.USER32(000000A1), ref: 0063A0E3
GetKeyState.USER32(000000A1), ref: 0063A0F4
GetAsyncKeyState.USER32(00000011), ref: 0063A120
GetKeyState.USER32(00000011), ref: 0063A12E
GetAsyncKeyState.USER32(00000012), ref: 0063A157
GetKeyState.USER32(00000012), ref: 0063A165
GetAsyncKeyState.USER32(0000005B), ref: 0063A18E
GetKeyState.USER32(0000005B), ref: 0063A19C

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: cea143034fcfe2ca204dea6acf59bc70d13227201267bcc0439746f80d4c499e
Instruction ID: b123ce29cc4a22c5724abf4ec813c4aa87ee5a30c873ce88b5b70e764bb7fcdc
Opcode Fuzzy Hash: cea143034fcfe2ca204dea6acf59bc70d13227201267bcc0439746f80d4c499e
Instruction Fuzzy Hash: 4651CA3090478429FB35DBA089157EABFF69F12340F08459DD5C2573C2DA949A4CDBE6

Function 00635CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00635CE2
GetWindowRect.USER32(00000000,?), ref: 00635CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00635D59
GetDlgItem.USER32(?,00000002), ref: 00635D69
GetWindowRect.USER32(00000000,?), ref: 00635D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00635DCF
GetDlgItem.USER32(?,000003E9), ref: 00635DDD
GetWindowRect.USER32(00000000,?), ref: 00635DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00635E31
GetDlgItem.USER32(?,000003EA), ref: 00635E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00635E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00635E67

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: c2eb437c4625526874ac3c7528500c436997fad249b5b56acc78a2829d6fca78
Instruction ID: 9449321a8c70d59df5aad5f15b70f30468b5c15f1f43728c17a2ef09a0beae40
Opcode Fuzzy Hash: c2eb437c4625526874ac3c7528500c436997fad249b5b56acc78a2829d6fca78
Instruction Fuzzy Hash: E2512FB0B00615AFDB18CF68CD99AAE7BB6FF48311F108129F516E7290D7B09E00CB94

Function 005E8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 005E8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,005E8BE8,?,00000000,?,?,?,?,005E8BBA,00000000,?), ref: 005E8FC5

DestroyWindow.USER32(?), ref: 005E8C81
KillTimer.USER32(00000000,?,?,?,?,005E8BBA,00000000,?), ref: 005E8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00626973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,005E8BBA,00000000,?), ref: 006269A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,005E8BBA,00000000,?), ref: 006269B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,005E8BBA,00000000), ref: 006269D4
DeleteObject.GDI32(00000000), ref: 006269E6

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 1299260aad6e50dd365dd51d28b0e76bb1de7c63465779cc3b430b9a7832392f
Instruction ID: fa8a424010f92bf94625f5763aaeda49e756d286cd33ccc23dbb5f47240d54e5
Opcode Fuzzy Hash: 1299260aad6e50dd365dd51d28b0e76bb1de7c63465779cc3b430b9a7832392f
Instruction Fuzzy Hash: 96619130502A51DFCB299F15D948B767BF2FB42311F145919E0CA9E660CB71BC80DF90

Function 005E9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 005E9944: GetWindowLongW.USER32(?,000000EB), ref: 005E9952

GetSysColor.USER32(0000000F), ref: 005E9862

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: ed5bee598cb7093d468bf59b62fdb5e58ebda4977f9204fb0f01d918bc6323c4
Instruction ID: 5f0eccb55afdd49c73ea71b3b2e18f3dc1a3c6eec349a0074481036037e357bc
Opcode Fuzzy Hash: ed5bee598cb7093d468bf59b62fdb5e58ebda4977f9204fb0f01d918bc6323c4
Instruction Fuzzy Hash: 6641D031108A90AFDB245F399C88BB97BA6BB17330F145615F9E28B2F2C7709C42DB51

Function 00608D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

._, xrefs: 0060903A, 00608FD0, 00608FF2

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID:
String ID: ._
API String ID: 0-1383207595
Opcode ID: c6046da74ee32863bad3a33c0f03fcb4a48ad124705ae8c501155ea5c34e6372
Instruction ID: 1bc72fd4f94b1963cc535db4c2a95a361662a8a41649221d6c4421be916310c1
Opcode Fuzzy Hash: c6046da74ee32863bad3a33c0f03fcb4a48ad124705ae8c501155ea5c34e6372
Instruction Fuzzy Hash: C0C1F27494424A9FDB19EFA8C844BEEBBB3BF4A310F044099E955A73D2C7349941CB70

Function 006396E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0061F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00639717
LoadStringW.USER32(00000000,?,0061F7F8,00000001), ref: 00639720

Part of subcall function 005D9CB3: _wcslen.LIBCMT ref: 005D9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0061F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00639742
LoadStringW.USER32(00000000,?,0061F7F8,00000001), ref: 00639745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00639866

Strings

Line %d:, xrefs: 006397A0
Line %d (File "%s"):, xrefs: 0063978F
%s (%d) : ==> %s: %s %s, xrefs: 0063984A
Error: , xrefs: 0063981D
^ ERROR, xrefs: 006397FB

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: ad963c436f2a703433254c325694c1c7473675b146448ba98f0a04a5b6ddac63
Instruction ID: 5d55f9f25c88d84af912bc4ef2c077a8fae9106387a3cceb7d2ed8518f08cd90
Opcode Fuzzy Hash: ad963c436f2a703433254c325694c1c7473675b146448ba98f0a04a5b6ddac63
Instruction Fuzzy Hash: 1D41507290020AAADF14EBE4DE4ADEE7B79AF95740F100426F101B2191EA756F49CFA1

Function 006306DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 005D6B57: _wcslen.LIBCMT ref: 005D6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 006307A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 006307BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 006307DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00630804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0063082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00630837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0063083C

Strings

\CLSID, xrefs: 00630724
SOFTWARE\Classes\, xrefs: 0063070E
\IPC$, xrefs: 00630784

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 7b03e52151ff13ec20abf16daec52e6b4b2053f514f2baabd3bdcbf9de74e1b2
Instruction ID: d7efc9aa40a2554b778dfce0577433214c049fc89ee7dce00d7e17342361b4dd
Opcode Fuzzy Hash: 7b03e52151ff13ec20abf16daec52e6b4b2053f514f2baabd3bdcbf9de74e1b2
Instruction Fuzzy Hash: 5D411D71C10229ABDF21EF98DC99DEDBB79FF44750F14416AE901A3261EB709E04CB90

Function 00653C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00653C5C
CoInitialize.OLE32(00000000), ref: 00653C8A
CoUninitialize.OLE32 ref: 00653C94
_wcslen.LIBCMT ref: 00653D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00653DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00653ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00653F0E
CoGetObject.OLE32(?,00000000,0066FB98,?), ref: 00653F2D
SetErrorMode.KERNEL32(00000000), ref: 00653F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00653FC4
VariantClear.OLEAUT32(?), ref: 00653FD8

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: e09a86eb05eba53ebefbf49462dd3f29b209308a4595083592f206f992157ba3
Instruction ID: f3279b7ea6d2b34149e2c4aae29f0e3c88a5b5e1db50e6a82c2fb60223ce9937
Opcode Fuzzy Hash: e09a86eb05eba53ebefbf49462dd3f29b209308a4595083592f206f992157ba3
Instruction Fuzzy Hash: A4C124716082159FD710DF68C88496BBBEAFF89B85F00491EF9899B310DB71ED09CB52

Function 00647A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00647AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00647B8F
SHGetDesktopFolder.SHELL32(?), ref: 00647BA3
CoCreateInstance.OLE32(0066FD08,00000000,00000001,00696E6C,?), ref: 00647BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00647C74
CoTaskMemFree.OLE32(?,?), ref: 00647CCC
SHBrowseForFolderW.SHELL32(?), ref: 00647D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00647D7A
CoTaskMemFree.OLE32(00000000), ref: 00647D81
CoTaskMemFree.OLE32(00000000), ref: 00647DD6
CoUninitialize.OLE32 ref: 00647DDC

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: a703eaf2117cfb809401a1df9a43fe7ae771296990c3d760c9cea4fac66d1437
Instruction ID: 57e7c121dc91bd78a6fb06850a4ec7e7e7511043d99757078594753bc4d2ce0b
Opcode Fuzzy Hash: a703eaf2117cfb809401a1df9a43fe7ae771296990c3d760c9cea4fac66d1437
Instruction Fuzzy Hash: 1FC11C75A04119AFDB14DFA4C888DAEBBFAFF48314B148499E819DB361DB30ED45CB90

Function 0066541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00665504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00665515
CharNextW.USER32(00000158), ref: 00665544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00665585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0066559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006655AC

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 1688b3c95332405e2ecc8b66d3efe8495175d15ace4014b205ed329e4f86addf
Instruction ID: e20b3f57d98ed2998ffe611bc43772205214bcb5c600b6ad5f5a729ec3a2ca8a
Opcode Fuzzy Hash: 1688b3c95332405e2ecc8b66d3efe8495175d15ace4014b205ed329e4f86addf
Instruction Fuzzy Hash: CC618030900609EFDF109F64CC869FE7BBBEF06724F104149F966AB290DB749A81DB61

Function 0062FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0062FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0062FB08
VariantInit.OLEAUT32(?), ref: 0062FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0062FB3A
VariantCopy.OLEAUT32(?,?), ref: 0062FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0062FBA1
VariantClear.OLEAUT32(?), ref: 0062FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0062FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0062FBCC
VariantClear.OLEAUT32(?), ref: 0062FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0062FBE9

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: fadf3d4fadf97bf6e37b56ba335fa938d47199e9a3f1ba8368acf47878041347
Instruction ID: 07121b445461c080848b0c5d7805c651d129eedea14313d86a3750e718707440
Opcode Fuzzy Hash: fadf3d4fadf97bf6e37b56ba335fa938d47199e9a3f1ba8368acf47878041347
Instruction Fuzzy Hash: E7413E35A00619EFCB00DF68D8589EEBBBAFF48355F008079E945A7261CB70A945CFA0

Function 00639C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00639CA1
GetAsyncKeyState.USER32(000000A0), ref: 00639D22
GetKeyState.USER32(000000A0), ref: 00639D3D
GetAsyncKeyState.USER32(000000A1), ref: 00639D57
GetKeyState.USER32(000000A1), ref: 00639D6C
GetAsyncKeyState.USER32(00000011), ref: 00639D84
GetKeyState.USER32(00000011), ref: 00639D96
GetAsyncKeyState.USER32(00000012), ref: 00639DAE
GetKeyState.USER32(00000012), ref: 00639DC0
GetAsyncKeyState.USER32(0000005B), ref: 00639DD8
GetKeyState.USER32(0000005B), ref: 00639DEA

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 0b02bc90c1b0209ecabbceb4943271fb4eabe0ddd0cb61155f1719cd0e756690
Instruction ID: e110bc05ed279140b97dd4f8590073aa9db2726244df16d6b0aafccc5dec67f0
Opcode Fuzzy Hash: 0b02bc90c1b0209ecabbceb4943271fb4eabe0ddd0cb61155f1719cd0e756690
Instruction Fuzzy Hash: 9541C434904BCA6DFF30966488053F6BEA2AF11344F04905ADAC6567C2DBE499C8CFF2

Function 0065055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 006505BC
inet_addr.WSOCK32(?), ref: 0065061C
gethostbyname.WSOCK32(?), ref: 00650628
IcmpCreateFile.IPHLPAPI ref: 00650636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 006506C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 006506E5
IcmpCloseHandle.IPHLPAPI(?), ref: 006507B9
WSACleanup.WSOCK32 ref: 006507BF

Strings

Ping, xrefs: 00650676

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 39c59d1d7fb5f363803f258cc5eb080f4a1999551469b82b6a3b3f49ca8f0390
Instruction ID: a5a1834051eca0195311beacea884334cf6ec887432b3e44d618d0ed672cdb96
Opcode Fuzzy Hash: 39c59d1d7fb5f363803f258cc5eb080f4a1999551469b82b6a3b3f49ca8f0390
Instruction Fuzzy Hash: E3918F755042029FE320DF15C588F56BBE2BF88318F1485A9F8A98B7A2D770ED49CF81

Function 00658CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00658CF3

Part of subcall function 00638E54: _wcslen.LIBCMT ref: 00638E77

_wcslen.LIBCMT ref: 00658D4E
_wcslen.LIBCMT ref: 00658D9C
_wcslen.LIBCMT ref: 00658DDC
_wcslen.LIBCMT ref: 00658E6E

Strings

cdecl, xrefs: 00658D48, 00658D4D
none, xrefs: 00658E65, 00658E6A
winapi, xrefs: 00658D96, 00658D9B
stdcall, xrefs: 00658DD6, 00658DDB

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 8640879aa67072bdad1e666cb4e3611b9a5c8228e64d20bf1ca5e20c4f1d3b70
Instruction ID: 0671e84c3531e38ab7b0cf08ddc4449313f2e259df9819b7a2ae9b091bd4cf26
Opcode Fuzzy Hash: 8640879aa67072bdad1e666cb4e3611b9a5c8228e64d20bf1ca5e20c4f1d3b70
Instruction Fuzzy Hash: 23519D31A001169ECB24DF68C9418FEB7B6BFA4721B20422AE866F7784DB35DD458B90

Function 0065372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00653774
CoUninitialize.OLE32 ref: 0065377F
CoCreateInstance.OLE32(?,00000000,00000017,0066FB78,?), ref: 006537D9
IIDFromString.OLE32(?,?), ref: 0065384C
VariantInit.OLEAUT32(?), ref: 006538E4
VariantClear.OLEAUT32(?), ref: 00653936

Strings

Invalid parameter, xrefs: 00653865
NULL Pointer assignment, xrefs: 0065381E
Failed to create object, xrefs: 006537E4, 0065389A

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 32b008dd4b5a75941bac069f2bba05329d470706343784c203c7ee483e2b75cd
Instruction ID: 2687b543cc9e095b3a627cbf083a50df9d6b81da31062d0d7db7bca706ee3116
Opcode Fuzzy Hash: 32b008dd4b5a75941bac069f2bba05329d470706343784c203c7ee483e2b75cd
Instruction Fuzzy Hash: A761C3B06083119FD310DF54C848B6ABBEAEF48B51F00080EF9859B391D770EE49CB96

Function 00643388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 006433CF

Part of subcall function 005D9CB3: _wcslen.LIBCMT ref: 005D9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 006433F0

Strings

Line %d (File "%s"):, xrefs: 00643443, 0064345C
"%s" (%d) : ==> %s:, xrefs: 00643522
Incorrect parameters to object property !, xrefs: 006434AB
Error: , xrefs: 006434D1
"%s" (%d) : ==> %s:%s%s, xrefs: 00643504
^ ERROR , xrefs: 0064349E

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: fe3959b7997a525b0776587decf2d3e8c71b53b9484facb49c97aeceaaa4a146
Instruction ID: 5828981aab4dad86e1ccdc21bb3772fb76c2936f21bd3a1bcd32a145e8c012df
Opcode Fuzzy Hash: fe3959b7997a525b0776587decf2d3e8c71b53b9484facb49c97aeceaaa4a146
Instruction Fuzzy Hash: 7551C37190021AAADF24EBE4CD46EEEBB7ABF54740F104066F405722A1EB712F58DF61

Function 0063B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0063B5FC
_wcslen.LIBCMT ref: 0063B608
_wcslen.LIBCMT ref: 0063B64D
_wcslen.LIBCMT ref: 0063B68C
_wcslen.LIBCMT ref: 0063B6C7

Strings

KEYS, xrefs: 0063B647, 0063B64C
EXISTS, xrefs: 0063B686, 0063B68B
APPEND, xrefs: 0063B6C1, 0063B6C6
REMOVE, xrefs: 0063B602, 0063B607

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: ec78ff44404e4fd00ba710977c73a0a08e23d73c96da6041e1476ee54f5aa4c2
Instruction ID: dd908bad93d1ce31b0aee563342615ca599178ef9b57752c9257bf1e4fbff34b
Opcode Fuzzy Hash: ec78ff44404e4fd00ba710977c73a0a08e23d73c96da6041e1476ee54f5aa4c2
Instruction Fuzzy Hash: CB41F332A001279ACB205E7DC9925FE7BA6BBA2754F245129E621DB385E731CC81C7D0

Function 00645393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 006453A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00645416
GetLastError.KERNEL32 ref: 00645420
SetErrorMode.KERNEL32(00000000,READY), ref: 006454A7

Strings

UNKNOWN, xrefs: 00645444
INVALID, xrefs: 00645459
NOTREADY, xrefs: 0064544B
READONLY, xrefs: 00645452
READY, xrefs: 00645460, 00645468

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 67ff6af5a45fc86db349dc1e039d3596bd56b02062e8fe500ba5c7521e02e210
Instruction ID: df34ea42077dd93a64679dbab0a85e83b8af13cbc21152acdb305ec2ec275fa1
Opcode Fuzzy Hash: 67ff6af5a45fc86db349dc1e039d3596bd56b02062e8fe500ba5c7521e02e210
Instruction Fuzzy Hash: 8F316D35A006059FCB10DF68C488AEABBFAEF45345F148066E406DF3A2DB71DD86CB91

Function 00663C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00663C79
SetMenu.USER32(?,00000000), ref: 00663C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00663D10
IsMenu.USER32(?), ref: 00663D24
CreatePopupMenu.USER32 ref: 00663D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00663D5B
DrawMenuBar.USER32 ref: 00663D63

Strings

0, xrefs: 00663C54
F, xrefs: 00663D4E

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 3472c236989a0ab27a939e945e624f98501ae22ec9dea5f4b9798ceebf6b62f3
Instruction ID: e293b60c4fa45ac87f6b27b5bc410afb4029268dcf8cd9216fe39f7fd4a54d5c
Opcode Fuzzy Hash: 3472c236989a0ab27a939e945e624f98501ae22ec9dea5f4b9798ceebf6b62f3
Instruction Fuzzy Hash: 67415779A01619AFDB14DF64DC84AEA7BB6FF49350F140029F946A7360D770BA10CF94

Function 00631EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005D9CB3: _wcslen.LIBCMT ref: 005D9CBD

Part of subcall function 00633CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00633CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00631F64
GetDlgCtrlID.USER32 ref: 00631F6F
GetParent.USER32 ref: 00631F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00631F8E
GetDlgCtrlID.USER32(?), ref: 00631F97
GetParent.USER32(?), ref: 00631FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00631FAE

Strings

ComboBox, xrefs: 00631EEC
ListBox, xrefs: 00631F21

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: c5d96c7f17770abc83722be6daa2150c5d9590725d0dad1d565f291d578c1ae7
Instruction ID: fd3cc13189a8a4482082cbe2a82ec44a490f9c6fd431171033d6f0f993a984b5
Opcode Fuzzy Hash: c5d96c7f17770abc83722be6daa2150c5d9590725d0dad1d565f291d578c1ae7
Instruction Fuzzy Hash: FE21D474A00214BBCF15AFA4DC85DFEBBBAEF06310F00511AF961A73A1CB745905DBA4

Function 00631FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005D9CB3: _wcslen.LIBCMT ref: 005D9CBD

Part of subcall function 00633CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00633CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00632043
GetDlgCtrlID.USER32 ref: 0063204E
GetParent.USER32 ref: 0063206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0063206D
GetDlgCtrlID.USER32(?), ref: 00632076
GetParent.USER32(?), ref: 0063208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0063208D

Strings

ComboBox, xrefs: 00631FCD
ListBox, xrefs: 00632002

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: cff9f182431ee6c770140f1c2efdc8cf83746dcf85b12f9f94c882a59cf1a136
Instruction ID: 096cd57c0d17088741a756f11f04628060c3b93aac8e9492221091589f2af430
Opcode Fuzzy Hash: cff9f182431ee6c770140f1c2efdc8cf83746dcf85b12f9f94c882a59cf1a136
Instruction Fuzzy Hash: D421C271A00215BBCF15AFA4CC55EFEBFBABF05310F005016F991A72A1CB754919DBA4

Function 00663A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00663A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00663AA0
GetWindowLongW.USER32(?,000000F0), ref: 00663AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00663AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00663B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00663BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00663BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00663BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00663BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00663C13

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: e1719e023fbbeeb3ccc7b95db46f563078797e4e1c2049ca8d2dcdd5d4e538ba
Instruction ID: a532e3605bb6e83a3d939f16d3fbcb3b5c3bf4c5b7bd93d4ad5cd77964b9b679
Opcode Fuzzy Hash: e1719e023fbbeeb3ccc7b95db46f563078797e4e1c2049ca8d2dcdd5d4e538ba
Instruction Fuzzy Hash: 99617975900218AFDB10DFA8CC81EEE77B9EB4A700F10019AFA15AB3A1C774AE41DF50

Function 0063B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0063B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0063A1E1,?,00000001), ref: 0063B165
GetWindowThreadProcessId.USER32(00000000), ref: 0063B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0063A1E1,?,00000001), ref: 0063B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0063B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0063A1E1,?,00000001), ref: 0063B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0063A1E1,?,00000001), ref: 0063B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0063A1E1,?,00000001), ref: 0063B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0063A1E1,?,00000001), ref: 0063B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0063A1E1,?,00000001), ref: 0063B21D

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: e803eb4aab7e4407211437e906204a3121f10bd87a0b8e68fdf8ba2306de1867
Instruction ID: 1f8677ab8368066cf292dcebb59de1a1ce4ffea70337c75d784e1184b16d6956
Opcode Fuzzy Hash: e803eb4aab7e4407211437e906204a3121f10bd87a0b8e68fdf8ba2306de1867
Instruction Fuzzy Hash: C9319C71500614BFDB10AF24DC49BBEBBABBB52321F146115FA02D6390D7B5AA408FA4

Function 00602C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00602C94

Part of subcall function 006029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0060D7D1,00000000,00000000,00000000,00000000,?,0060D7F8,00000000,00000007,00000000,?,0060DBF5,00000000), ref: 006029DE
Part of subcall function 006029C8: GetLastError.KERNEL32(00000000,?,0060D7D1,00000000,00000000,00000000,00000000,?,0060D7F8,00000000,00000007,00000000,?,0060DBF5,00000000,00000000), ref: 006029F0

_free.LIBCMT ref: 00602CA0
_free.LIBCMT ref: 00602CAB
_free.LIBCMT ref: 00602CB6
_free.LIBCMT ref: 00602CC1
_free.LIBCMT ref: 00602CCC
_free.LIBCMT ref: 00602CD7
_free.LIBCMT ref: 00602CE2
_free.LIBCMT ref: 00602CED
_free.LIBCMT ref: 00602CFB

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 85fef346c535f288309e4060a1ea722b2f831f2609e3f17c6314a2b332e34836
Instruction ID: 68fccbbe7df5b585ea8181556d0a592cc3da6132ceeb441d13e58c3a6764b0a7
Opcode Fuzzy Hash: 85fef346c535f288309e4060a1ea722b2f831f2609e3f17c6314a2b332e34836
Instruction Fuzzy Hash: 87112B36140009BFCB4AEF55D856CDE3BAAFF05740F5048A8F9485F272D631EE509B94

Function 00647DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00647FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00647FC1
GetFileAttributesW.KERNEL32(?), ref: 00647FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00648005
SetCurrentDirectoryW.KERNEL32(?), ref: 00648017
SetCurrentDirectoryW.KERNEL32(?), ref: 00648060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 006480B0

Strings

*.*, xrefs: 00648066

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: cd58b67d9cb89849100a3a6cd2383782f076f6573c8911fa3557eb497af07c24
Instruction ID: 18abea11bcb58b9231ce9e7ec23b1b32d6e690a6368673a88d46752ae8ade336
Opcode Fuzzy Hash: cd58b67d9cb89849100a3a6cd2383782f076f6573c8911fa3557eb497af07c24
Instruction Fuzzy Hash: 32819C725082469FCB20EF14C844AAEB7EABF88710F14496EF885D7350EB35DD498B92

Function 005D5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 005D5C7A

Part of subcall function 005D5D0A: GetClientRect.USER32(?,?), ref: 005D5D30
Part of subcall function 005D5D0A: GetWindowRect.USER32(?,?), ref: 005D5D71
Part of subcall function 005D5D0A: ScreenToClient.USER32(?,?), ref: 005D5D99

GetDC.USER32 ref: 006146F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00614708
SelectObject.GDI32(00000000,00000000), ref: 00614716
SelectObject.GDI32(00000000,00000000), ref: 0061472B
ReleaseDC.USER32(?,00000000), ref: 00614733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 006147C4

Strings

U, xrefs: 00614693

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 3c7e5b60904d353303571b403a8732dfc511080f96a51a8c158ebd71c51899ee
Instruction ID: ddfc960d4ed7141d0b819b8bc971a4565d986311ee431bdf3f5564557c40612b
Opcode Fuzzy Hash: 3c7e5b60904d353303571b403a8732dfc511080f96a51a8c158ebd71c51899ee
Instruction Fuzzy Hash: F271EE30500205DFCF218F68C984AFA3BB7FF4A325F18426AE9555B2A6DB319C81DF60

Function 0064359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 006435E4

Part of subcall function 005D9CB3: _wcslen.LIBCMT ref: 005D9CBD

LoadStringW.USER32(006A2390,?,00000FFF,?), ref: 0064360A

Strings

Line %d (File "%s"):, xrefs: 0064366B
"%s" (%d) : ==> %s:, xrefs: 00643742
Error: , xrefs: 006436EF
"%s" (%d) : ==> %s:%s%s, xrefs: 00643724
^ ERROR, xrefs: 006436C9

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 38d68df3ff6e496d288dc4e5b4f6ad3a055f8591afddd4a146f8bc0857f8908d
Instruction ID: 9b88dbae819ee5f896fbb66799d8a535925798eace97b0c9a9a0d9ad2e86ac94
Opcode Fuzzy Hash: 38d68df3ff6e496d288dc4e5b4f6ad3a055f8591afddd4a146f8bc0857f8908d
Instruction Fuzzy Hash: D151A37180021ABBDF24EBA4DC46EEEBB7ABF45300F144126F105722A1DB301B95DFA5

Function 0064C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0064C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0064C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0064C2CA
GetLastError.KERNEL32 ref: 0064C322
SetEvent.KERNEL32(?), ref: 0064C336
InternetCloseHandle.WININET(00000000), ref: 0064C341

Strings

, xrefs: 0064C2BB

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: d162ce8ba685d472b33129d302cc15aece2cd5eddc487a27af680bf56fa8bde2
Instruction ID: 863ee70b6bee281cc6e6608e8ffd2bb2dee60bbb668c66138a6019a83629f9c4
Opcode Fuzzy Hash: d162ce8ba685d472b33129d302cc15aece2cd5eddc487a27af680bf56fa8bde2
Instruction Fuzzy Hash: BD31B1B1601604AFD7629F648C88ABB7BFEEF49760F00851DF48692300DB70DD059B60

Function 0063989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00613AAF,?,?,Bad directive syntax error,0066CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 006398BC
LoadStringW.USER32(00000000,?,00613AAF,?), ref: 006398C3

Part of subcall function 005D9CB3: _wcslen.LIBCMT ref: 005D9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00639987

Strings

Line %d:, xrefs: 00639912
Line %d (File "%s"):, xrefs: 0063992D
%s (%d) : ==> %s.: %s %s, xrefs: 006398F1
Error: , xrefs: 00639955
., xrefs: 0063996D

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 106a55485deecf41b0fc9dd0e6a4cd7bf57521cf9bc1cf6ec29091dbb170f09a
Instruction ID: 608ba5ac0e666e773fe58f734e494c7cb84010d1214de0c129a3d63e26990899
Opcode Fuzzy Hash: 106a55485deecf41b0fc9dd0e6a4cd7bf57521cf9bc1cf6ec29091dbb170f09a
Instruction Fuzzy Hash: B721943190021EABDF25AF94CC0AEEE7B7AFF18700F04442BF515661A1DB719A28DF61

Function 0063209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 006320AB
GetClassNameW.USER32(00000000,?,00000100), ref: 006320C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0063214D

Strings

SHELLDLL_DefView, xrefs: 006320CC
smallicons, xrefs: 00632115
list, xrefs: 0063212F
largeicons, xrefs: 006320E1
details, xrefs: 006320FB

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: af016500c36db37f76333a16bf42a5a47c1a9240dd3c61cdd677b3e35676d275
Instruction ID: 5c965206ccaa653841374b03f4ae521a611c325fd9ed8310fc175e229daac4dd
Opcode Fuzzy Hash: af016500c36db37f76333a16bf42a5a47c1a9240dd3c61cdd677b3e35676d275
Instruction Fuzzy Hash: DE115C7728870BBAFA012220DC2BCF7379FDB05324F200116F705E41D5FEB568425A58

Function 0060CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0060CEB7
_free.LIBCMT ref: 0060CF22
_free.LIBCMT ref: 0060CF48
_free.LIBCMT ref: 0060CF71
_free.LIBCMT ref: 0060CFA9
_free.LIBCMT ref: 0060CFDA
_free.LIBCMT ref: 0060D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0060D09C
_free.LIBCMT ref: 0060D0B5

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: f0e35a9732e993ef6100ac90dd81899d03a24fe7cf3aa6708b2ab7e9787b6e20
Instruction ID: e9ee42dc088ee0b199f43fd43d0941ff37eee69336ff849840c7916f3c45fbf9
Opcode Fuzzy Hash: f0e35a9732e993ef6100ac90dd81899d03a24fe7cf3aa6708b2ab7e9787b6e20
Instruction Fuzzy Hash: 426178B2984302AFDB2DBFB49895AAF7BA7AF01330F14426DF905A73C1D6319D018751

Function 006650D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00665186
ShowWindow.USER32(?,00000000), ref: 006651C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 006651CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 006651D1

Part of subcall function 00666FBA: DeleteObject.GDI32(00000000), ref: 00666FE6

GetWindowLongW.USER32(?,000000F0), ref: 0066520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0066521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0066524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00665287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00665296

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: b7184de68763ee9f71cc4f73340afeeaa74d2f48b6fa0fdecac350874824bfb7
Instruction ID: 0f6292cd71d43d5d57f5cbdf776271935f4cce90c830645b9c95a2fb3a169222
Opcode Fuzzy Hash: b7184de68763ee9f71cc4f73340afeeaa74d2f48b6fa0fdecac350874824bfb7
Instruction Fuzzy Hash: F451D370A50A09BFEF209F25CC5BBD97B6BFB06320F144012F616963E0C3B5AA90DB51

Function 005E8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00626890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 006268A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 006268B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 006268D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 006268F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,005E8874,00000000,00000000,00000000,000000FF,00000000), ref: 00626901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0062691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,005E8874,00000000,00000000,00000000,000000FF,00000000), ref: 0062692D

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: e76c088c221df7f154a164e809b622347962c04480cdfb56cce4300c6e9b0804
Instruction ID: b1534bdf575b333ed3ef6dbe8d43f5104f3f3c5d2dbef71a4c8b95d11cbf1c0c
Opcode Fuzzy Hash: e76c088c221df7f154a164e809b622347962c04480cdfb56cce4300c6e9b0804
Instruction Fuzzy Hash: 89519B70A00A09EFDB24DF25DC55BBA7BBAFB44360F104518F996972A0DBB0E990DF50

Function 0064C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0064C182
GetLastError.KERNEL32 ref: 0064C195
SetEvent.KERNEL32(?), ref: 0064C1A9

Part of subcall function 0064C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0064C272
Part of subcall function 0064C253: GetLastError.KERNEL32 ref: 0064C322
Part of subcall function 0064C253: SetEvent.KERNEL32(?), ref: 0064C336
Part of subcall function 0064C253: InternetCloseHandle.WININET(00000000), ref: 0064C341

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 97a99c1f1e2b933b6b4453723b468182dc5b91018e331e3253eb33441718b073
Instruction ID: 815e09d4c6fb642dc824b29216ce790dafca816c4c382452e62a6c3efc6473bc
Opcode Fuzzy Hash: 97a99c1f1e2b933b6b4453723b468182dc5b91018e331e3253eb33441718b073
Instruction Fuzzy Hash: 4C31AF71202A41AFDB619FB5DC04AB7BBFAFF18320B00442DF99683720D7B1E9149B60

Function 006325A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00633A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00633A57
Part of subcall function 00633A3D: GetCurrentThreadId.KERNEL32 ref: 00633A5E
Part of subcall function 00633A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,006325B3), ref: 00633A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 006325BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 006325DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 006325DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 006325E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00632601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00632605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0063260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00632623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00632627

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: c3e99a4757f0309f3e4b076d5f1779d2f041d1d984f573f563204ba82770d9bd
Instruction ID: 0904cc804aeaf34d170005ce9980b9601eca4e19e89337dbd1d469902f9139fd
Opcode Fuzzy Hash: c3e99a4757f0309f3e4b076d5f1779d2f041d1d984f573f563204ba82770d9bd
Instruction Fuzzy Hash: F801D430390620BBFB107768DC8AF697F5ADF4EB22F101005F358AE1E1C9E224449AAD

Function 00631803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00631449,?,?,00000000), ref: 0063180C
HeapAlloc.KERNEL32(00000000,?,00631449,?,?,00000000), ref: 00631813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00631449,?,?,00000000), ref: 00631828
GetCurrentProcess.KERNEL32(?,00000000,?,00631449,?,?,00000000), ref: 00631830
DuplicateHandle.KERNEL32(00000000,?,00631449,?,?,00000000), ref: 00631833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00631449,?,?,00000000), ref: 00631843
GetCurrentProcess.KERNEL32(00631449,00000000,?,00631449,?,?,00000000), ref: 0063184B
DuplicateHandle.KERNEL32(00000000,?,00631449,?,?,00000000), ref: 0063184E
CreateThread.KERNEL32(00000000,00000000,00631874,00000000,00000000,00000000), ref: 00631868

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 72f453b8f28487469c631f718bad289312bc33fc8cbe9bccfed639d0a269c31f
Instruction ID: 3f5251d1d2d6fa9ec6c5f79e71afa8073d3befdad6d0ff869fda58354c4dce0e
Opcode Fuzzy Hash: 72f453b8f28487469c631f718bad289312bc33fc8cbe9bccfed639d0a269c31f
Instruction Fuzzy Hash: 2C01BF75240744BFE710AB66DC4DF677B6DEB8AB11F015411FA45DB191C6B19800CB70

Function 00603E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00603F0B
__alldvrm.LIBCMT ref: 0060410C
__alldvrm.LIBCMT ref: 0060412E

Strings

}}_, xrefs: 00603E8A
}}_, xrefs: 00603E96, 00603EF1, 00603F0A, 00604090
}}_, xrefs: 006040CD

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}_$}}_$}}_
API String ID: 1036877536-523058529
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 46b56c40f671f87a9ae0299cb8b61a8d823264d4a836dc71a7ec99e6fe6e8a6f
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 5BA136B1D802969FD7298F18C8917BBBBA6EF62350F1841ADE6859B3C1CA748981C750

Function 0065A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0063D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0063D501
Part of subcall function 0063D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0063D50F
Part of subcall function 0063D4DC: CloseHandle.KERNELBASE(00000000), ref: 0063D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0065A16D
GetLastError.KERNEL32 ref: 0065A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0065A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0065A268
GetLastError.KERNEL32(00000000), ref: 0065A273
CloseHandle.KERNEL32(00000000), ref: 0065A2C4

Strings

SeDebugPrivilege, xrefs: 0065A18F

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 2748c826f83d8f6a8e1d2892b86e058676223dcee2da2d9118328eb9bbd9da7b
Instruction ID: bf6c5d43c8ee21a2373118a232c190e429e819f6775f3a2a152dc8d32a002c77
Opcode Fuzzy Hash: 2748c826f83d8f6a8e1d2892b86e058676223dcee2da2d9118328eb9bbd9da7b
Instruction Fuzzy Hash: 8661D2302046429FD720DF58C495F65BBE2AF44318F18858DE8568F7A3C772ED4ACB92

Function 00663886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00663925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0066393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00663954
_wcslen.LIBCMT ref: 00663999
SendMessageW.USER32(?,00001057,00000000,?), ref: 006639C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 006639F4

Strings

SysListView32, xrefs: 006638F7

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: c46bf5a31997b954892b54f284157415ced305eb64a3966ad0169ec524b0ac6d
Instruction ID: 1b063f4dd4a6850800b7b32d94a1f9a5663eb7df50319cae4b11b00a2d380972
Opcode Fuzzy Hash: c46bf5a31997b954892b54f284157415ced305eb64a3966ad0169ec524b0ac6d
Instruction Fuzzy Hash: 7A419671A00219ABDF219F64CC49FEA7BAAFF48350F10052AF558E7381D7B59D80CB94

Function 0063BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0063BCFD
IsMenu.USER32(00000000), ref: 0063BD1D
CreatePopupMenu.USER32 ref: 0063BD53
GetMenuItemCount.USER32(018E57B8), ref: 0063BDA4
InsertMenuItemW.USER32(018E57B8,?,00000001,00000030), ref: 0063BDCC

Strings

0, xrefs: 0063BCA8
2, xrefs: 0063BD37

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: c6744da1632def50c51612f8b47dbc7924480e5607b454becbe692e951432f0d
Instruction ID: 6f515f744df3bbc0cc85951e5b893ac5acd14c2f592daf820fd542454f8a80fe
Opcode Fuzzy Hash: c6744da1632def50c51612f8b47dbc7924480e5607b454becbe692e951432f0d
Instruction Fuzzy Hash: D751AF70A002099BDF20DFA8D884BEEBBF6BF45324F146159E651E7391D7709941CBA1

Function 005F2D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 005F2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 005F2D53
_ValidateLocalCookies.LIBCMT ref: 005F2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 005F2E0C
_ValidateLocalCookies.LIBCMT ref: 005F2E61

Strings

csm, xrefs: 005F2DF6
&H_, xrefs: 005F2DFE, 005F2E07, 005F2E18

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H_$csm
API String ID: 1170836740-4263142645
Opcode ID: ed42c63b08778af9c82b708a3ed9116dce9c86e1e3c3dbe731a40205c93cc977
Instruction ID: 9141ff5196133bf16a7e57f45c92cb4b7ba2c9bd8752fba5ac7c59d45926c66d
Opcode Fuzzy Hash: ed42c63b08778af9c82b708a3ed9116dce9c86e1e3c3dbe731a40205c93cc977
Instruction Fuzzy Hash: C841B374A0020DABCF14DF68C845ABEBFB5BF85324F148155EA14AB392D7399E02CB90

Function 0063C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0063C913

Strings

stop, xrefs: 0063C8E4
question, xrefs: 0063C8CC
info, xrefs: 0063C8B4
warning, xrefs: 0063C8FC
blank, xrefs: 0063C895

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 97cbc55fb2942a61284626a910b9c6d0ff512f61a8260dd2e12aaf215db81bce
Instruction ID: 0c6326e87ceac194363477dad31ebc8a6e6e1ac16b56b4573245564e4c2de26c
Opcode Fuzzy Hash: 97cbc55fb2942a61284626a910b9c6d0ff512f61a8260dd2e12aaf215db81bce
Instruction Fuzzy Hash: E6112B3268930BBAEB009B54DC82DEB7B9EDF15334F11006AF504BA2C2D7B46F4057A4

Function 0063DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0063DE42
gethostname.WSOCK32(?,00000100), ref: 0063DE5C
gethostbyname.WSOCK32(?), ref: 0063DE69
inet_ntoa.WSOCK32(?), ref: 0063DEAB
_strcat.LIBCMT ref: 0063DEB9
WSACleanup.WSOCK32 ref: 0063DEDE

Strings

0.0.0.0, xrefs: 0063DE87

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 1a04148edf31b97a51cc99cea924affc2ae751d59a55f53e2f97bef2af6c3ab0
Instruction ID: f9eb1193715ef5e5d1433ea199556c671deb4fef15a22b461ba39edbf99aa98f
Opcode Fuzzy Hash: 1a04148edf31b97a51cc99cea924affc2ae751d59a55f53e2f97bef2af6c3ab0
Instruction Fuzzy Hash: B0112C71904119AFCB207B20EC0ADFF7FBEEF50720F050169F54596191EFB59A818AA0

Function 00669F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 005E9BB2

GetSystemMetrics.USER32(0000000F), ref: 00669FC7
GetSystemMetrics.USER32(0000000F), ref: 00669FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0066A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0066A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0066A263
ShowWindow.USER32(00000003,00000000), ref: 0066A282
InvalidateRect.USER32(?,00000000,00000001), ref: 0066A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 0066A2CA

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 1577ac27c53501c947f407b929f6dc67596ccbbe809b8ce2d34898c2168df63f
Instruction ID: a3bcceb6c35dcf771b7d00d94259b4047b5862e3b56a5c25c3191c1af2630621
Opcode Fuzzy Hash: 1577ac27c53501c947f407b929f6dc67596ccbbe809b8ce2d34898c2168df63f
Instruction Fuzzy Hash: 41B1B731600215ABCF14CFA8C9957FE7BB2FF45701F088069EC89AB295D731AA40CF61

Function 0063ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0063ED2A
_wcslen.LIBCMT ref: 0063ED3B
_wcslen.LIBCMT ref: 0063ED79
_wcslen.LIBCMT ref: 0063EDAF
_wcslen.LIBCMT ref: 0063EDDF
_wcslen.LIBCMT ref: 0063EDEF
_wcslen.LIBCMT ref: 0063EE2B
_wcslen.LIBCMT ref: 0063EE5A

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 624077caa4f46c24b695e828190bd3dd4f9832442a63aaf8a835c026755f1eba
Instruction ID: db8877e9271e4a09b3418a43392877701a6f4074f6bc6d7bff16a1668814fcc9
Opcode Fuzzy Hash: 624077caa4f46c24b695e828190bd3dd4f9832442a63aaf8a835c026755f1eba
Instruction Fuzzy Hash: 4C41D069C0021D75CB10EBB4888E9DFBBB9BF85700F008466E618E3161FB38E241C3E5

Function 005EF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0062682C,00000004,00000000,00000000), ref: 005EF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0062682C,00000004,00000000,00000000), ref: 0062F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0062682C,00000004,00000000,00000000), ref: 0062F454

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: f029eada80fb4e1a5369ff2477d86b1ba212b01ff9a5bc5898f545380791ba17
Instruction ID: 1d6c52a973114ee2cc03724244e2e594f7a16fda366064af8acb072902786939
Opcode Fuzzy Hash: f029eada80fb4e1a5369ff2477d86b1ba212b01ff9a5bc5898f545380791ba17
Instruction Fuzzy Hash: 5841F931508AC0BAC73D9B2AD89877A7FA3BB56320F15543DE0C7D6562CE71A880CF51

Function 00662D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00662D1B
GetDC.USER32(00000000), ref: 00662D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00662D2E
ReleaseDC.USER32(00000000,00000000), ref: 00662D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00662D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00662D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00665A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00662DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00662DE1

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 96a7dbec3cdc5b53510bdab8de87a4b700476c50ba2e16f88fae0deac07df625
Instruction ID: 7027aa665aaafc881097522dec8ebea18e5ab7f8ccf0bdec9ea0029a54f5684d
Opcode Fuzzy Hash: 96a7dbec3cdc5b53510bdab8de87a4b700476c50ba2e16f88fae0deac07df625
Instruction Fuzzy Hash: FF316B72201A54BBEB118F50CC8AFFB3BAAEF09725F045055FE48DA291C6B59C50CBA4

Function 00635622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00635637
_memcmp.LIBVCRUNTIME ref: 00635659
_memcmp.LIBVCRUNTIME ref: 00635671
_memcmp.LIBVCRUNTIME ref: 00635684
_memcmp.LIBVCRUNTIME ref: 0063569E
_memcmp.LIBVCRUNTIME ref: 006356B1
_memcmp.LIBVCRUNTIME ref: 006356C9
_memcmp.LIBVCRUNTIME ref: 006356E4

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 4cdaf7aa333f1d5a95103372e5773d8869a18ef190998c82a42b92b4c15ce6f1
Instruction ID: 88bfbd1ba3f2ef85bea777d47250ff4ee33099fd916670bc4a0081d5a0b68a1e
Opcode Fuzzy Hash: 4cdaf7aa333f1d5a95103372e5773d8869a18ef190998c82a42b92b4c15ce6f1
Instruction Fuzzy Hash: C921C5B1644E0AB7D21456209D93FFB235FAF62384F850420FE079B691F725ED11C1E9

Function 00654FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00655007
NULL Pointer assignment, xrefs: 0065502E, 00655383

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 286f1853dc506a1e0a9d30410c9f2f5bc66359cb3bc5238246d3b666324f5e0b
Instruction ID: fc5d930ff26a4b2f75c0d0aa2d4d4deec3f46a1cab42d899609ba02c801a7a93
Opcode Fuzzy Hash: 286f1853dc506a1e0a9d30410c9f2f5bc66359cb3bc5238246d3b666324f5e0b
Instruction Fuzzy Hash: 5ED1C271A0060A9FDF10CF98C895BEEB7B6BF48355F148069E916AB380E771DD49CB90

Function 00611522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 006115CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00611651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 006116E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 006116FB

Part of subcall function 00603820: RtlAllocateHeap.NTDLL(00000000,?,006A1444,?,005EFDF5,?,?,005DA976,00000010,006A1440,005D13FC,?,005D13C6,?,005D1129), ref: 00603852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00611777
__freea.LIBCMT ref: 006117A2
__freea.LIBCMT ref: 006117AE

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: b75f48e45a75d24729a0b7fa591b12ba62e75b77fdb14ec279c24783261a7b68
Instruction ID: 1ae64228f69ea94145ec1c10e95eca12e64be0f845505b686e0ee145724be94a
Opcode Fuzzy Hash: b75f48e45a75d24729a0b7fa591b12ba62e75b77fdb14ec279c24783261a7b68
Instruction Fuzzy Hash: 6E91A4B1E002169ADF248E74C851AEEBBB79F4A310F1C4659EA01EF391D735DD81C7A0

Function 00654523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00654648
VariantInit.OLEAUT32(?), ref: 00654749
VariantClear.OLEAUT32(?), ref: 00654753
VariantClear.OLEAUT32(?), ref: 006547B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 006545D8, 00654706, 006547BE
Incorrect Object type in FOR..IN loop, xrefs: 0065472C

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 490401b8f4b1e13fa46ae52014c560d5f8dd3dfee3c48d1c544a76567974f33d
Instruction ID: 18dc580a4945ba32eac89601a2237c15c383ce908f9ed767edbed9874a62ef0c
Opcode Fuzzy Hash: 490401b8f4b1e13fa46ae52014c560d5f8dd3dfee3c48d1c544a76567974f33d
Instruction Fuzzy Hash: 85918471A00215ABDF24CFA5C844FEE7BBAEF45715F108599F905AB280DB709989CFA0

Function 00641187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0064125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00641284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 006412A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 006412D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0064135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 006413C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00641430

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 8a833668e16c0370e5c18e62280467a530f93a05f71ce6f898f482ea00f4e302
Instruction ID: a7012340d8a6f634200d43cb116d6ada5aa1a2a16b4fbac0fae1a2460c64138a
Opcode Fuzzy Hash: 8a833668e16c0370e5c18e62280467a530f93a05f71ce6f898f482ea00f4e302
Instruction Fuzzy Hash: 3B91D375A002199FDB01DF98C885BFEB7F6FF46325F144029E540EB291D7B4A981CB94

Function 005E948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 743f8843ca9a2c921c92c0637bb133ff3b13d9ace2a7ffa04c0c98a5fa9cb778
Instruction ID: 2c0222e228939eb3eed1f48f2af99689ed62d354bdd2d7a0091f6280e357d384
Opcode Fuzzy Hash: 743f8843ca9a2c921c92c0637bb133ff3b13d9ace2a7ffa04c0c98a5fa9cb778
Instruction Fuzzy Hash: F5913671D0025AEFCB14CFA9C888AEEBFB9FF88320F144446E555B7251D275AA41CBA0

Function 00653947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0065396B
CharUpperBuffW.USER32(?,?), ref: 00653A7A
_wcslen.LIBCMT ref: 00653A8A
VariantClear.OLEAUT32(?), ref: 00653C1F

Part of subcall function 00640CDF: VariantInit.OLEAUT32(00000000), ref: 00640D1F
Part of subcall function 00640CDF: VariantCopy.OLEAUT32(?,?), ref: 00640D28
Part of subcall function 00640CDF: VariantClear.OLEAUT32(?), ref: 00640D34

Strings

AUTOIT.ERROR, xrefs: 00653A80, 00653A85
Incorrect Parameter format, xrefs: 006539A6, 00653BA1

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: f7ef8fd0da9c5100a71f4073f9b59fa61121cc1b15b7db290cf4da81c6c25096
Instruction ID: 2d8243f4e40720f9f156b10150ac1f0f202c348214d09616bc49f808511ef112
Opcode Fuzzy Hash: f7ef8fd0da9c5100a71f4073f9b59fa61121cc1b15b7db290cf4da81c6c25096
Instruction Fuzzy Hash: C2919D746083059FC714DF28C48486ABBE6FF88755F04892EF8898B351DB31EE09CB92

Function 00654BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0063000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0062FF41,80070057,?,?,?,0063035E), ref: 0063002B
Part of subcall function 0063000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0062FF41,80070057,?,?), ref: 00630046
Part of subcall function 0063000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0062FF41,80070057,?,?), ref: 00630054
Part of subcall function 0063000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0062FF41,80070057,?), ref: 00630064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00654C51
_wcslen.LIBCMT ref: 00654D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00654DCF
CoTaskMemFree.OLE32(?), ref: 00654DDA

Strings

NULL Pointer assignment, xrefs: 00654E23, 00654E52

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 03f951388b3916c494d3beca379a2b0b0bea69dd1704f032df58a8e888948aa6
Instruction ID: 2620334fe04639bd465e6382871a0126529c4807b3ce8e84fd85c7b7e064969d
Opcode Fuzzy Hash: 03f951388b3916c494d3beca379a2b0b0bea69dd1704f032df58a8e888948aa6
Instruction Fuzzy Hash: 94914971D0021DAFDF24DFA4D895AEEBBB9BF48314F10416AE915A7241DB309E49CFA0

Function 006620FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00662183
GetMenuItemCount.USER32(00000000), ref: 006621B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 006621DD
_wcslen.LIBCMT ref: 00662213
GetMenuItemID.USER32(?,?), ref: 0066224D
GetSubMenu.USER32(?,?), ref: 0066225B

Part of subcall function 00633A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00633A57
Part of subcall function 00633A3D: GetCurrentThreadId.KERNEL32 ref: 00633A5E
Part of subcall function 00633A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,006325B3), ref: 00633A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 006622E3

Part of subcall function 0063E97B: Sleep.KERNEL32 ref: 0063E9F3

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: c05b3fefba5993f6879a2b2d7da23e57e75411fc9fe7b89580498e8b60ac4999
Instruction ID: aa57f621f6c066d5ee869b0de1ed9e4a5c652c73581809ed2522e4baaf15b14b
Opcode Fuzzy Hash: c05b3fefba5993f6879a2b2d7da23e57e75411fc9fe7b89580498e8b60ac4999
Instruction Fuzzy Hash: 04718275E00606AFCB10DF64C855AAEBBF6FF88320F148459E956EB341D774EE418B90

Function 00667E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(018E5538), ref: 00667F37
IsWindowEnabled.USER32(018E5538), ref: 00667F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0066801E
SendMessageW.USER32(018E5538,000000B0,?,?), ref: 00668051
IsDlgButtonChecked.USER32(?,?), ref: 00668089
GetWindowLongW.USER32(018E5538,000000EC), ref: 006680AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 006680C3

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 3ef718b5b10b87b7357643eca148380502a59461ec90bf9fe2ad6ba5f18801bd
Instruction ID: cfc8d19d089f77893300587d8bbad5df36fcbc22d8440b03b01ffb258e13091f
Opcode Fuzzy Hash: 3ef718b5b10b87b7357643eca148380502a59461ec90bf9fe2ad6ba5f18801bd
Instruction Fuzzy Hash: A071BD34608245AFEB219F64CC94FFABBBBEF4A304F144499F98597361CB71A845CB20

Function 0063AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0063AEF9
GetKeyboardState.USER32(?), ref: 0063AF0E
SetKeyboardState.USER32(?), ref: 0063AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0063AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0063AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0063AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0063B020

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 3b59f66234a13ebff61d0200ea54752cda9b2994ba01e1a75b44f2225766b9ab
Instruction ID: 9ed5f08e0dd6e1ac1d09483020db6aeb240023d74cf91f84684dd43b41116077
Opcode Fuzzy Hash: 3b59f66234a13ebff61d0200ea54752cda9b2994ba01e1a75b44f2225766b9ab
Instruction Fuzzy Hash: D151D0A06046D53DFB364274CC45BFBBEAA5B06304F08958DE2D9999C2C3D8A8C8E791

Function 0063ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0063AD19
GetKeyboardState.USER32(?), ref: 0063AD2E
SetKeyboardState.USER32(?), ref: 0063AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0063ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0063ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0063AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0063AE38

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: a397d1908220d58d4c90a1084905ceed6e1daf086ba55738288a047b86c2ef8d
Instruction ID: 3612924afc21cb8f74daeb7c110089362c1b330a09b457ecd0ced91c941976b5
Opcode Fuzzy Hash: a397d1908220d58d4c90a1084905ceed6e1daf086ba55738288a047b86c2ef8d
Instruction Fuzzy Hash: 0651D4B16047D53DFB3683B4CC55BBA7EAA5F46300F088588E1D54A9C2D294ED88F7E2

Function 0060542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00613CD6,?,?,?,?,?,?,?,?,00605BA3,?,?,00613CD6,?,?), ref: 00605470
__fassign.LIBCMT ref: 006054EB
__fassign.LIBCMT ref: 00605506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00613CD6,00000005,00000000,00000000), ref: 0060552C
WriteFile.KERNEL32(?,00613CD6,00000000,00605BA3,00000000,?,?,?,?,?,?,?,?,?,00605BA3,?), ref: 0060554B
WriteFile.KERNEL32(?,?,00000001,00605BA3,00000000,?,?,?,?,?,?,?,?,?,00605BA3,?), ref: 00605584

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 3583c4418a844214423aa3c6d6d974fd5d2cfafdabe249e6cc4a2daf79bb2dc3
Instruction ID: 1ac741aea1acae8a48eafcfb1596d3b384a42c46ab89f9657dc4abec43d48c12
Opcode Fuzzy Hash: 3583c4418a844214423aa3c6d6d974fd5d2cfafdabe249e6cc4a2daf79bb2dc3
Instruction Fuzzy Hash: F651C070A006499FDB15CFA8DC45AEFBBFAEF09300F14455AE956E7291E730AA41CF60

Function 006510B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0065304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0065307A
Part of subcall function 0065304E: _wcslen.LIBCMT ref: 0065309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00651112
WSAGetLastError.WSOCK32 ref: 00651121
WSAGetLastError.WSOCK32 ref: 006511C9
closesocket.WSOCK32(00000000), ref: 006511F9

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 3ee3f0821d4aa422fcc167a86a03ad970e025b26fb48c1ee892f8cf9521627c9
Instruction ID: b96ae978a3731c92d57ccd551218f53b11690bb495e791fbe499184517b3aea6
Opcode Fuzzy Hash: 3ee3f0821d4aa422fcc167a86a03ad970e025b26fb48c1ee892f8cf9521627c9
Instruction Fuzzy Hash: 1A41E231200A05AFDB209F24C884BE9BBAAFF85325F14809AFD459F391C774AD45CBA0

Function 0063CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0063DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0063CF22,?), ref: 0063DDFD

Part of subcall function 0063DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0063CF22,?), ref: 0063DE16

lstrcmpiW.KERNEL32(?,?), ref: 0063CF45
MoveFileW.KERNEL32(?,?), ref: 0063CF7F
_wcslen.LIBCMT ref: 0063D005
_wcslen.LIBCMT ref: 0063D01B
SHFileOperationW.SHELL32(?), ref: 0063D061

Strings

\*.*, xrefs: 0063CFF3

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: c19cbae229a2243a985d9074e951009087e2c2ec1cbe6897e0187ea3f22caa52
Instruction ID: 170ae0a93c41b8ba0ff475ccd7b71f069a6652e05524a1bb57bd4d0a6c18da5e
Opcode Fuzzy Hash: c19cbae229a2243a985d9074e951009087e2c2ec1cbe6897e0187ea3f22caa52
Instruction Fuzzy Hash: 0F415775D452195FDF12EFA4D985AEEB7BAAF44340F0000EAE505EB241EB34A685CF90

Function 00662DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00662E1C
GetWindowLongW.USER32(?,000000F0), ref: 00662E4F
GetWindowLongW.USER32(?,000000F0), ref: 00662E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00662EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00662EE0
GetWindowLongW.USER32(?,000000F0), ref: 00662EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00662F0B

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 27f7186bf049e7bf18a36f22872fe7d23367088a82cc46e9b6593c3be652f677
Instruction ID: 16d2e1828092397ec0e5d10790f19f61bcad6a58db12af7a81f42f37dee1f1a6
Opcode Fuzzy Hash: 27f7186bf049e7bf18a36f22872fe7d23367088a82cc46e9b6593c3be652f677
Instruction Fuzzy Hash: 6E3115306449429FDB20DF59DC94FA537E2FB5A720F1411A5FA50CF2B1CBB2A840DB41

Function 00637726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00637769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0063778F
SysAllocString.OLEAUT32(00000000), ref: 00637792
SysAllocString.OLEAUT32(?), ref: 006377B0
SysFreeString.OLEAUT32(?), ref: 006377B9
StringFromGUID2.OLE32(?,?,00000028), ref: 006377DE
SysAllocString.OLEAUT32(?), ref: 006377EC

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 57b7d116ec9057c9c6d6c3d5123d71481e82a60eca69f923c927916f1a5ea5d3
Instruction ID: 3609eac1b4b0ed9e08d80d7cd02bffb316af1f769f601687c37c6bd7dce0b47f
Opcode Fuzzy Hash: 57b7d116ec9057c9c6d6c3d5123d71481e82a60eca69f923c927916f1a5ea5d3
Instruction Fuzzy Hash: 522192B6608619AFDB20DFA9CC88CFB77EEEB09764B048025F955DB250DA70DC41C7A0

Function 006377FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00637842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00637868
SysAllocString.OLEAUT32(00000000), ref: 0063786B
SysAllocString.OLEAUT32 ref: 0063788C
SysFreeString.OLEAUT32 ref: 00637895
StringFromGUID2.OLE32(?,?,00000028), ref: 006378AF
SysAllocString.OLEAUT32(?), ref: 006378BD

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 9ded8c51075c4ad0443cf8c4cb4d9ee95fe648ab68cc03da59b23dabeb2ecb15
Instruction ID: 7fef09dd6ef4e9b0ebfe89e453f3c8ee4e0ebe390914db6a3561256f9a619208
Opcode Fuzzy Hash: 9ded8c51075c4ad0443cf8c4cb4d9ee95fe648ab68cc03da59b23dabeb2ecb15
Instruction Fuzzy Hash: E021A171608605AFDB209FA9DC8CDBA77EDEB09360B108135F955DB2A1DA70EC41CBA4

Function 006404D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 006404F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0064052E

Strings

nul, xrefs: 00640567

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 5af24e4926f43861b8bd3301fa40e19e6e2d3279819094787c14456840e4f69d
Instruction ID: e04efa2128c2032bc3d1a05d1f263f650753f118878d02ca2c5c393369d9e272
Opcode Fuzzy Hash: 5af24e4926f43861b8bd3301fa40e19e6e2d3279819094787c14456840e4f69d
Instruction Fuzzy Hash: 7F217475500315DFEF249F29DD44A9A7BB6EF45724F204A19F9A1D72E0D7709940CF20

Function 006405A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 006405C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00640601

Strings

nul, xrefs: 00640639

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 63fe67f39758443406763b58b756d1b4ff1ffad03f4f87469c53735482f83915
Instruction ID: 83c116931461905c17f8076d07d72e208536a70155cb1d246d2b87074db86764
Opcode Fuzzy Hash: 63fe67f39758443406763b58b756d1b4ff1ffad03f4f87469c53735482f83915
Instruction Fuzzy Hash: 402197755003259BEB209F69CC04A9A77EABF95730F214A1DFEA2E73D0D7B09951CB10

Function 006640AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005D600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 005D604C
Part of subcall function 005D600E: GetStockObject.GDI32(00000011), ref: 005D6060
Part of subcall function 005D600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 005D606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00664112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0066411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0066412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00664139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00664145

Strings

Msctls_Progress32, xrefs: 006640E3

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 4f76691034b8dffd1f9910b86d403f20d6c31d8cb0c8bd8f366551886ef3a8f0
Instruction ID: 1d53ac64e09bfd8a871272263e365bc18d40372202dc3001e166a5fd5848e1ec
Opcode Fuzzy Hash: 4f76691034b8dffd1f9910b86d403f20d6c31d8cb0c8bd8f366551886ef3a8f0
Instruction Fuzzy Hash: E611E2B214021ABEEF109F64CC85EE77F6EEF093A8F004111FB18A2150CA729C61DBA4

Function 0060D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0060D7A3: _free.LIBCMT ref: 0060D7CC

_free.LIBCMT ref: 0060D82D

Part of subcall function 006029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0060D7D1,00000000,00000000,00000000,00000000,?,0060D7F8,00000000,00000007,00000000,?,0060DBF5,00000000), ref: 006029DE
Part of subcall function 006029C8: GetLastError.KERNEL32(00000000,?,0060D7D1,00000000,00000000,00000000,00000000,?,0060D7F8,00000000,00000007,00000000,?,0060DBF5,00000000,00000000), ref: 006029F0

_free.LIBCMT ref: 0060D838
_free.LIBCMT ref: 0060D843
_free.LIBCMT ref: 0060D897
_free.LIBCMT ref: 0060D8A2
_free.LIBCMT ref: 0060D8AD
_free.LIBCMT ref: 0060D8B8

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: bf27d3cbd510fc234f9994b3cced58e768c10a32bcf6446aed7618c98acfa097
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 64117C715C0B04AAD6A5BFF0CC0BFCB7BDEAF40B00F400D2DB299A60D2DA24F5058664

Function 0063DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0063DA74
LoadStringW.USER32(00000000), ref: 0063DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0063DA91
LoadStringW.USER32(00000000), ref: 0063DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0063DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0063DAB9

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: bf33f5f70902ecd5535666be63bbea8909d3a31e95eec132eb31a5c00435eea2
Instruction ID: 484ec9bd4489a6691f71381fe4b35005236d3f33a14996bfcdeb9c25d6d64121
Opcode Fuzzy Hash: bf33f5f70902ecd5535666be63bbea8909d3a31e95eec132eb31a5c00435eea2
Instruction Fuzzy Hash: 960186F29002087FE7109BA4DD89EF7776DEB08711F405496F746E2141E6B49E844FB4

Function 0064096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(018DE170,018DE170), ref: 0064097B
EnterCriticalSection.KERNEL32(018DE150,00000000), ref: 0064098D
TerminateThread.KERNEL32(?,000001F6), ref: 0064099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 006409A9
CloseHandle.KERNEL32(?), ref: 006409B8
InterlockedExchange.KERNEL32(018DE170,000001F6), ref: 006409C8
LeaveCriticalSection.KERNEL32(018DE150), ref: 006409CF

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 497ad5f7bddf3a3a0d8e786f9a9853f717a71ee28fec9b1868fcab2ec373029b
Instruction ID: 4973f09f1d9045aaadd52d7c2e3e4aad88ef2507802fdf21625e10aee5af7b5a
Opcode Fuzzy Hash: 497ad5f7bddf3a3a0d8e786f9a9853f717a71ee28fec9b1868fcab2ec373029b
Instruction Fuzzy Hash: 9DF03131442D12BBE7415FA5EE9CBE6BB3AFF01712F403015F241508A0C7B5A565DFA0

Function 005D5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 005D5D30
GetWindowRect.USER32(?,?), ref: 005D5D71
ScreenToClient.USER32(?,?), ref: 005D5D99
GetClientRect.USER32(?,?), ref: 005D5ED7
GetWindowRect.USER32(?,?), ref: 005D5EF8

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 3871e767b1b5ffa8c9b788442a2b55c4855580f0d3ed6f22fd6ebd2719628acf
Instruction ID: bf313332a5bba7405f9eed88eaa6eab35adb7ccc793fe90d86048a225cbdbc90
Opcode Fuzzy Hash: 3871e767b1b5ffa8c9b788442a2b55c4855580f0d3ed6f22fd6ebd2719628acf
Instruction Fuzzy Hash: E9B16B34A0064ADBDB20DFA9C4407EABBF6FF54310F14991AE8A9D7350EB30AA51DB54

Function 006001B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 006000BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006000D6
__allrem.LIBCMT ref: 006000ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0060010B
__allrem.LIBCMT ref: 00600122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00600140

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: 75884bab3b8c0e8edf4ec04036ed9f4b2f71239090f7065925f4a2141c12f4ba
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: DB813772A40B069FE7289F68CC41BAB77EAAF41324F24453EF611D76C1E774D9408B94

Function 00651D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00653149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,0065101C,00000000,?,?,00000000), ref: 00653195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00651DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00651DE1
WSAGetLastError.WSOCK32 ref: 00651DF2
inet_ntoa.WSOCK32(?), ref: 00651E8C
htons.WSOCK32(?,?,?,?,?), ref: 00651EDB
_strlen.LIBCMT ref: 00651F35

Part of subcall function 006339E8: _strlen.LIBCMT ref: 006339F2

Part of subcall function 005D6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,005ECF58,?,?,?), ref: 005D6DBA
Part of subcall function 005D6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,005ECF58,?,?,?), ref: 005D6DED

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 93443d6c7d20a4ad7f59b57b4560f3b633625acd56010e665484ae7de39b9c17
Instruction ID: 347eec37b2c0782eae0395a57b13655ef2484e8f09c44a6bd3416e1fa579609d
Opcode Fuzzy Hash: 93443d6c7d20a4ad7f59b57b4560f3b633625acd56010e665484ae7de39b9c17
Instruction Fuzzy Hash: DAA1AD30204341AFC324DB24C895F6A7BE6AF85318F54894DF8965F3A2DB71ED4ACB91

Function 006061FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,005F82D9,005F82D9,?,?,?,0060644F,00000001,00000001,8BE85006), ref: 00606258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0060644F,00000001,00000001,8BE85006,?,?,?), ref: 006062DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 006063D8
__freea.LIBCMT ref: 006063E5

Part of subcall function 00603820: RtlAllocateHeap.NTDLL(00000000,?,006A1444,?,005EFDF5,?,?,005DA976,00000010,006A1440,005D13FC,?,005D13C6,?,005D1129), ref: 00603852

__freea.LIBCMT ref: 006063EE
__freea.LIBCMT ref: 00606413

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 21d3b4a9e16cebaeb8eedf801d85fff8d9a64886020311cb7ef4e77e57a8ef20
Instruction ID: 6d2943e95dfc5038bc7e044ba294043cd2c4d1d3a3885e5c0ad3ae736adde8fe
Opcode Fuzzy Hash: 21d3b4a9e16cebaeb8eedf801d85fff8d9a64886020311cb7ef4e77e57a8ef20
Instruction Fuzzy Hash: FF51B072640216ABDB2D8F64CC81EEF77ABEF44750F144629F805DA2C0EB34DD61C6A0

Function 0065BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005D9CB3: _wcslen.LIBCMT ref: 005D9CBD

Part of subcall function 0065C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0065B6AE,?,?), ref: 0065C9B5
Part of subcall function 0065C998: _wcslen.LIBCMT ref: 0065C9F1
Part of subcall function 0065C998: _wcslen.LIBCMT ref: 0065CA68
Part of subcall function 0065C998: _wcslen.LIBCMT ref: 0065CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0065BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0065BD25
RegCloseKey.ADVAPI32(00000000), ref: 0065BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0065BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0065BDF3
RegCloseKey.ADVAPI32(?), ref: 0065BDFF

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: cd9b962c8970d12f13a8d8c2bd78ae58deb400e2fde22cfae1bcb9f3020be223
Instruction ID: 90717f580070b5087ecc495569b5793ab5a77f6dd27b7b05b68a0a3dcbd5b646
Opcode Fuzzy Hash: cd9b962c8970d12f13a8d8c2bd78ae58deb400e2fde22cfae1bcb9f3020be223
Instruction Fuzzy Hash: BA818E30208241AFD714DF24C895E6ABBF6FF84348F14955DF8954B2A2DB32ED49CB92

Function 0062F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0062F7B9
SysAllocString.OLEAUT32(00000001), ref: 0062F860
VariantCopy.OLEAUT32(0062FA64,00000000), ref: 0062F889
VariantClear.OLEAUT32(0062FA64), ref: 0062F8AD
VariantCopy.OLEAUT32(0062FA64,00000000), ref: 0062F8B1
VariantClear.OLEAUT32(?), ref: 0062F8BB

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 21e0b1a3b3cb36ec04d793677be265477d68c28c9e79ce1866e19e87497abaa2
Instruction ID: 7bb365b6bc5c4d5e3b1e8e223da07e336485de1b475d1c2ed98d94b2afc7e056
Opcode Fuzzy Hash: 21e0b1a3b3cb36ec04d793677be265477d68c28c9e79ce1866e19e87497abaa2
Instruction Fuzzy Hash: 1E51D431A00721BADF24AB65E895B29B7F6EF45310B20947BE805DF291DB708C81CF97

Function 0064910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 005D7620: _wcslen.LIBCMT ref: 005D7625

Part of subcall function 005D6B57: _wcslen.LIBCMT ref: 005D6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 006494E5
_wcslen.LIBCMT ref: 00649506
_wcslen.LIBCMT ref: 0064952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00649585

Strings

X, xrefs: 00649412

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 20a407c6d045a39639de2ccd86218b98fe73ddce728fc64031f2ef2f3fde1522
Instruction ID: c637af5dc139c5800561f8cd8a86c7c30feebbb1cbbe201fbd6070cdfbbe775d
Opcode Fuzzy Hash: 20a407c6d045a39639de2ccd86218b98fe73ddce728fc64031f2ef2f3fde1522
Instruction Fuzzy Hash: 31E160316043419FD724DF24C485A6BBBE5BFC5314F14896EE8899B3A2EB31DD05CBA2

Function 005E920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 005E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 005E9BB2

BeginPaint.USER32(?,?,?), ref: 005E9241
GetWindowRect.USER32(?,?), ref: 005E92A5
ScreenToClient.USER32(?,?), ref: 005E92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 005E92D3
EndPaint.USER32(?,?,?,?,?), ref: 005E9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 006271EA

Part of subcall function 005E9339: BeginPath.GDI32(00000000), ref: 005E9357

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 68cdb164c9f83ba8dbf1b83840145f7f4d40fa02a924c9085a8e98052bbdbaf6
Instruction ID: ccdd1c802e7a99467236d6d3355f9912ba173fbb59ab3c15e8265231a3e1d0a1
Opcode Fuzzy Hash: 68cdb164c9f83ba8dbf1b83840145f7f4d40fa02a924c9085a8e98052bbdbaf6
Instruction Fuzzy Hash: 5C41A170104651AFD711DF25D888FBB7BAAFF4A320F140629F9A48B2E1C7719845DB62

Function 006407EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0064080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00640847
EnterCriticalSection.KERNEL32(?), ref: 00640863
LeaveCriticalSection.KERNEL32(?), ref: 006408DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 006408F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00640921

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 3d7fc8252392320e7ba0f41bce1e8aabbcdc0f066439f0396f08213ee0996364
Instruction ID: 6df339346e293e0c8aeef1eec79c714b72b66a29d8b8ea8b10907594a653c0b1
Opcode Fuzzy Hash: 3d7fc8252392320e7ba0f41bce1e8aabbcdc0f066439f0396f08213ee0996364
Instruction Fuzzy Hash: 1F417E71900205EFEF149F55DC85AAA7B7AFF44310F1440A5EE009E297DB70EE60DBA0

Function 006681DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0062F3AB,00000000,?,?,00000000,?,0062682C,00000004,00000000,00000000), ref: 0066824C
EnableWindow.USER32(?,00000000), ref: 00668272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 006682D1
ShowWindow.USER32(?,00000004), ref: 006682E5
EnableWindow.USER32(?,00000001), ref: 0066830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0066832F

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 4327852f2f147358dfe4da34a10242dde631cb513f9fe01affa4153dcfd40f13
Instruction ID: ca258019e13cc1bcd160fc87b0a34c4b1a59a88d5ee1cf69eaa9e23fa111438e
Opcode Fuzzy Hash: 4327852f2f147358dfe4da34a10242dde631cb513f9fe01affa4153dcfd40f13
Instruction Fuzzy Hash: BF41D230601640AFDB21CF25C8A9BE47BE7BB0A714F1813A9E5485F3A2CB31A941CF80

Function 00634C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00634C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00634CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00634CEA
_wcslen.LIBCMT ref: 00634D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00634D10
_wcsstr.LIBVCRUNTIME ref: 00634D1A

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 3487a6037b400388795c3d8105120ccfa3d284985df16f05dbcca7315d042ed7
Instruction ID: 5833e26f9e1cd936dd1ad0120a19210ec5c99c8db774520a34d3e7bfb2b56c7d
Opcode Fuzzy Hash: 3487a6037b400388795c3d8105120ccfa3d284985df16f05dbcca7315d042ed7
Instruction Fuzzy Hash: 0A210B716042457BEB155B35EC49E7BBF9EDF45760F108039F805CA291DEA1EC0197E0

Function 0064581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 005D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,005D3A97,?,?,005D2E7F,?,?,?,00000000), ref: 005D3AC2

_wcslen.LIBCMT ref: 0064587B
CoInitialize.OLE32(00000000), ref: 00645995
CoCreateInstance.OLE32(0066FCF8,00000000,00000001,0066FB68,?), ref: 006459AE
CoUninitialize.OLE32 ref: 006459CC

Strings

.lnk, xrefs: 00645876, 006458C1, 00645985

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: fb5dffc7e4ba5ba9260e0c6bd0a38e8228a0341e45b95c98649befef75c91e72
Instruction ID: 9868eee92c850c22dde38ac825a6e70be58184f85113fe46a04434c14769e53b
Opcode Fuzzy Hash: fb5dffc7e4ba5ba9260e0c6bd0a38e8228a0341e45b95c98649befef75c91e72
Instruction Fuzzy Hash: 19D144716087029FC714DF18C49496ABBE6FF89710F14895EF88A9B362DB31EC45CB92

Function 0063175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00630FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00630FCA
Part of subcall function 00630FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00630FD6
Part of subcall function 00630FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00630FE5
Part of subcall function 00630FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00630FEC
Part of subcall function 00630FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00631002

GetLengthSid.ADVAPI32(?,00000000,00631335), ref: 006317AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 006317BA
HeapAlloc.KERNEL32(00000000), ref: 006317C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 006317DA
GetProcessHeap.KERNEL32(00000000,00000000,00631335), ref: 006317EE
HeapFree.KERNEL32(00000000), ref: 006317F5

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 4cdc51e99e0b42724650c36ff13ddc73b7de70071786c1a83f12facb9d5e0a48
Instruction ID: 7160b8d89f6d4ba17aeacc6f1e695f3c2a8be3da307e299e663d51db56f75380
Opcode Fuzzy Hash: 4cdc51e99e0b42724650c36ff13ddc73b7de70071786c1a83f12facb9d5e0a48
Instruction Fuzzy Hash: DA118E31500605FFDB209FA4CC49BFEBBBAEB46365F185018F4819B210D776AA44DBB0

Function 006314CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 006314FF
OpenProcessToken.ADVAPI32(00000000), ref: 00631506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00631515
CloseHandle.KERNEL32(00000004), ref: 00631520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0063154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00631563

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: f84822a28050ca4c807d3a60bd2dd25fcb770817b2eecd91094e4aa4c271f558
Instruction ID: d8cbfc86c92fb98c4d167caf003573862625f480c056da195baf996cbc265de1
Opcode Fuzzy Hash: f84822a28050ca4c807d3a60bd2dd25fcb770817b2eecd91094e4aa4c271f558
Instruction Fuzzy Hash: B611597250020DABDF11CF99DD49FEE7BAAEF49754F045015FA05A6160C3B28E61DBA0

Function 005F3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,005F3379,005F2FE5), ref: 005F3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 005F339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 005F33B7
SetLastError.KERNEL32(00000000,?,005F3379,005F2FE5), ref: 005F3409

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 091e12ad44187e099b3288e40a596ad307235177383963c79f34310353a675ea
Instruction ID: 7e5ce1e1333e9dda63220e6135a432385d4013021dffca34559284ee39dddb89
Opcode Fuzzy Hash: 091e12ad44187e099b3288e40a596ad307235177383963c79f34310353a675ea
Instruction Fuzzy Hash: 3F01243320831ABEFB253B747C9DA372E99FB45379B20062AF710812F0EF5A4D129544

Function 00602D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00605686,00613CD6,?,00000000,?,00605B6A,?,?,?,?,?,005FE6D1,?,00698A48), ref: 00602D78
_free.LIBCMT ref: 00602DAB
_free.LIBCMT ref: 00602DD3
SetLastError.KERNEL32(00000000,?,?,?,?,005FE6D1,?,00698A48,00000010,005D4F4A,?,?,00000000,00613CD6), ref: 00602DE0
SetLastError.KERNEL32(00000000,?,?,?,?,005FE6D1,?,00698A48,00000010,005D4F4A,?,?,00000000,00613CD6), ref: 00602DEC
_abort.LIBCMT ref: 00602DF2

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 50ca94614eb54eee734dd28adaaec77e4e7016253e4d6fa79871b4b07b2c831a
Instruction ID: 4287210a165e0f2145913a9b1312458badbdadb4af0f86d4415fd175c56a0bb7
Opcode Fuzzy Hash: 50ca94614eb54eee734dd28adaaec77e4e7016253e4d6fa79871b4b07b2c831a
Instruction Fuzzy Hash: A9F0F9315C490267C75A37396C2EA5B265FAFC1775B21041DF424923D2EE209C015124

Function 00668A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 005E9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 005E9693
Part of subcall function 005E9639: SelectObject.GDI32(?,00000000), ref: 005E96A2
Part of subcall function 005E9639: BeginPath.GDI32(?), ref: 005E96B9
Part of subcall function 005E9639: SelectObject.GDI32(?,00000000), ref: 005E96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00668A4E
LineTo.GDI32(?,00000003,00000000), ref: 00668A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00668A70
LineTo.GDI32(?,00000000,00000003), ref: 00668A80
EndPath.GDI32(?), ref: 00668A90
StrokePath.GDI32(?), ref: 00668AA0

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: bdf2a59db21572abf3f5059dea653c1e9c2b8f8d619fe83c7ec9a2e104be0085
Instruction ID: e980d065ddff0869e5fac97efccf76b94fc4620d73ac69acbe524ffe4de40518
Opcode Fuzzy Hash: bdf2a59db21572abf3f5059dea653c1e9c2b8f8d619fe83c7ec9a2e104be0085
Instruction Fuzzy Hash: 7511CC7600014DFFDF119F94DC48EAA7F6EEB09364F048012FA559A161C7729D55DFA0

Function 006351FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00635218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00635229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00635230
ReleaseDC.USER32(00000000,00000000), ref: 00635238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0063524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00635261

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: c045e1283cdf79bc20f5b00602b54c727243351bc9bc88674fb179c4ad24f248
Instruction ID: c4a10ce048ac044b2cc8eeef71bd79511d965ebc5b9516b418c403ec1cdf730c
Opcode Fuzzy Hash: c045e1283cdf79bc20f5b00602b54c727243351bc9bc88674fb179c4ad24f248
Instruction Fuzzy Hash: 5201A275E00B18BBEB109BA59C49E5EBFB9EF48361F045066FA05E7380D6B09D00CFA0

Function 005D1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 005D1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 005D1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 005D1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 005D1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 005D1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 005D1C22

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: d188df23f8f2e2e872af121034a701e529bc129031237d79674b9023a4fc0855
Instruction ID: 2093f156cbcdc0ce0d441b1af84640ddbbb0b8e4f79e6d327769b8c9887c8454
Opcode Fuzzy Hash: d188df23f8f2e2e872af121034a701e529bc129031237d79674b9023a4fc0855
Instruction Fuzzy Hash: EA0148B0902B5A7DE3008F5A8C85A52FEA8FF19354F00411B915C47941C7F5A864CBE5

Function 0063EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0063EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0063EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0063EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0063EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0063EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0063EB75

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: e7bcbe69185a566a3f73ca3275f6e2022f952a1d50c6319d53c1b83b078a41eb
Instruction ID: 987a3475941e45ba2ef043b20b84c67c68b0fda048ed26801c83befc66f0ffa4
Opcode Fuzzy Hash: e7bcbe69185a566a3f73ca3275f6e2022f952a1d50c6319d53c1b83b078a41eb
Instruction Fuzzy Hash: C2F01772240958BBE7216B63DC0EEFB7A7DEFCAB21F001158F642E119196E05A0186B9

Function 00627439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00627452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00627469
GetWindowDC.USER32(?), ref: 00627475
GetPixel.GDI32(00000000,?,?), ref: 00627484
ReleaseDC.USER32(?,00000000), ref: 00627496
GetSysColor.USER32(00000005), ref: 006274B0

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 69031397ce57590d8598274237325a5018da82fe8151833d27034c64d796ad41
Instruction ID: 590ef8989ec7e4510aa886c4d25fec957174f811d8bad66391f0e2eef47353d9
Opcode Fuzzy Hash: 69031397ce57590d8598274237325a5018da82fe8151833d27034c64d796ad41
Instruction Fuzzy Hash: 7C018B31400A15EFDB106FA4EC08BFE7BB7FB04321F106060F956A21A0CB712E51AF51

Function 00631874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0063187F
UnloadUserProfile.USERENV(?,?), ref: 0063188B
CloseHandle.KERNEL32(?), ref: 00631894
CloseHandle.KERNEL32(?), ref: 0063189C
GetProcessHeap.KERNEL32(00000000,?), ref: 006318A5
HeapFree.KERNEL32(00000000), ref: 006318AC

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 8a5e4134cfad87f21309990825cf4c9edbc1241611e20ea6a3c659b707a722a0
Instruction ID: f61825a08f09d88ecb7019be31fc881faeebdf931320e37efa38cd8c3fd4e12d
Opcode Fuzzy Hash: 8a5e4134cfad87f21309990825cf4c9edbc1241611e20ea6a3c659b707a722a0
Instruction Fuzzy Hash: 89E0C936004901BBDB016BA3ED0C915FF2AFB4A7327109221F26591170CBB26420DB60

Function 005DBBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 005DBEB3

Strings

D%j, xrefs: 005DBCA2
D%jD%j, xrefs: 005DBCA5
D%j, xrefs: 005DBDED, 005DBD91, 005DBD1B
D%j, xrefs: 005DBE9A

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%j$D%j$D%j$D%jD%j
API String ID: 1385522511-528900389
Opcode ID: 637d596d62a2451f4b5496fdac43cf5b23189fd5cb93438537ee70192ea54dfc
Instruction ID: 69a5d6cf529ae3bd485d22c71cf7926fc7b30085faf162ab29ff1b04e04fa43e
Opcode Fuzzy Hash: 637d596d62a2451f4b5496fdac43cf5b23189fd5cb93438537ee70192ea54dfc
Instruction Fuzzy Hash: 92911775A0020ACFDB28DF5DC0906A9BBF3FF59310B26456BD945AB351E731AD81CB90

Function 00657B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 005F0242: EnterCriticalSection.KERNEL32(006A070C,006A1884,?,?,005E198B,006A2518,?,?,?,005D12F9,00000000), ref: 005F024D
Part of subcall function 005F0242: LeaveCriticalSection.KERNEL32(006A070C,?,005E198B,006A2518,?,?,?,005D12F9,00000000), ref: 005F028A

Part of subcall function 005D9CB3: _wcslen.LIBCMT ref: 005D9CBD

Part of subcall function 005F00A3: __onexit.LIBCMT ref: 005F00A9

__Init_thread_footer.LIBCMT ref: 00657BFB

Part of subcall function 005F01F8: EnterCriticalSection.KERNEL32(006A070C,?,?,005E8747,006A2514), ref: 005F0202
Part of subcall function 005F01F8: LeaveCriticalSection.KERNEL32(006A070C,?,005E8747,006A2514), ref: 005F0235

Strings

5, xrefs: 00657C78
+Tb, xrefs: 00657E2E
Variable must be of type 'Object'., xrefs: 00657C3A
G, xrefs: 00657C7F

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +Tb$5$G$Variable must be of type 'Object'.
API String ID: 535116098-488681553
Opcode ID: 0377764d3f325d1f13618804e215ebbf8d288f724b51d20559f90d0d92f288d8
Instruction ID: aa168381c03c60cb0d985ebdc6af8bba65b7f077f53f593f347e8de908b2812c
Opcode Fuzzy Hash: 0377764d3f325d1f13618804e215ebbf8d288f724b51d20559f90d0d92f288d8
Instruction Fuzzy Hash: BA918C70A04209AFCB14EF58E8959BDBBB2FF45301F14815AFC469B392DB31AE49CB51

Function 0063C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005D7620: _wcslen.LIBCMT ref: 005D7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0063C6EE
_wcslen.LIBCMT ref: 0063C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0063C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0063C7CA

Strings

0, xrefs: 0063C6AF

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 69f1925b349fa57962e7d70352b9dba06cab0502cd1a2454effac9c69176e6b4
Instruction ID: 7b11a5e892e8b8189a66e676545004fe4ff6cbe4493d41e64a457122862f1ef9
Opcode Fuzzy Hash: 69f1925b349fa57962e7d70352b9dba06cab0502cd1a2454effac9c69176e6b4
Instruction Fuzzy Hash: B251B3716043419BD7149F28C849BAB7BEAAF8A324F04092DF995F72A1DB70DD04CF92

Function 0065AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0065AEA3

Part of subcall function 005D7620: _wcslen.LIBCMT ref: 005D7625

GetProcessId.KERNEL32(00000000), ref: 0065AF38
CloseHandle.KERNEL32(00000000), ref: 0065AF67

Strings

@, xrefs: 0065AE72
<, xrefs: 0065AE6B

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 6d304db814481ec2be68a6237763e87df615a45fada6ba88da68153320557a37
Instruction ID: 4ab3708f8091e626381e0fe7b866976f782af359715d120c7db90fdc304d7039
Opcode Fuzzy Hash: 6d304db814481ec2be68a6237763e87df615a45fada6ba88da68153320557a37
Instruction Fuzzy Hash: CB71AD70A0021ACFCB14DF98D485A9EBBF1FF48310F04859AE856AB362D770ED45CB91

Function 0063719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00637206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0063723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0063724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 006372CF

Strings

DllGetClassObject, xrefs: 00637242

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 2e4bef65a2ab5111ef00406a8c8f80736308c823dbcdcc4dc4d9abaaa0a4efda
Instruction ID: 2f586b0a76aca5312e9778fe5b2aab64a409e1b2554d97ee410ebf7314a8aafa
Opcode Fuzzy Hash: 2e4bef65a2ab5111ef00406a8c8f80736308c823dbcdcc4dc4d9abaaa0a4efda
Instruction Fuzzy Hash: 354141B1A04605EFDB25CF54C884A9B7BAAEF45310F1580ADFD059F20AD7B1DA45CBE0

Function 00663D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00663E35
IsMenu.USER32(?), ref: 00663E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00663E92
DrawMenuBar.USER32 ref: 00663EA5

Strings

0, xrefs: 00663D89

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 3432175ff0f4bf81f1b09087f27efaefd3a0b76c1013aed0b1a9eeb29ca08ec0
Instruction ID: 1b8adac94f2b39599bb55b9dcfe44a6b1f50dca4efb51b84186ab997bf01baf7
Opcode Fuzzy Hash: 3432175ff0f4bf81f1b09087f27efaefd3a0b76c1013aed0b1a9eeb29ca08ec0
Instruction Fuzzy Hash: B0414575A01219AFDB10DF60D884AEABBFAFF49360F04412AF905AB350D735AE55CF60

Function 00631DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005D9CB3: _wcslen.LIBCMT ref: 005D9CBD

Part of subcall function 00633CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00633CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00631E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00631E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00631EA9

Part of subcall function 005D6B57: _wcslen.LIBCMT ref: 005D6B6A

Strings

ComboBox, xrefs: 00631DF0
ListBox, xrefs: 00631E25

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: aad1e2920d45e195097e7edf70f6ce51e51ebd9e9fd71768d4bb04ef50c707b9
Instruction ID: 59ebba6ff881ce499df912e31cce021846b41e54486be83d3fd681aad2e5fc2a
Opcode Fuzzy Hash: aad1e2920d45e195097e7edf70f6ce51e51ebd9e9fd71768d4bb04ef50c707b9
Instruction Fuzzy Hash: 7F212971A00105BEDB14AB64DC49CFFBBBAEF86360F10411AF825AB2E1DB754D069760

Function 0065C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0065C9F1
_wcslen.LIBCMT ref: 0065CA68
_wcslen.LIBCMT ref: 0065CA9E
_wcslen.LIBCMT ref: 0065CAF9
_wcslen.LIBCMT ref: 0065CB2F
_wcslen.LIBCMT ref: 0065CB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 0065CA62, 0065CA67
HKLM, xrefs: 0065CA98, 0065CA9D

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 6df2d504d62f24a6e3699067d66ac318bb89ab36fca0967fb9cdc1e9486b02e1
Instruction ID: 488221853eaee1ef1b69016cf50e91d4d760c7b2c134d9d2bbf2b0028a39f729
Opcode Fuzzy Hash: 6df2d504d62f24a6e3699067d66ac318bb89ab36fca0967fb9cdc1e9486b02e1
Instruction Fuzzy Hash: 5331D572A0026A4FCB20DF2CD9505FF3F93ABA1762F15402AEC45AB345E671CE48D7A0

Function 00662F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00662F8D
LoadLibraryW.KERNEL32(?), ref: 00662F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00662FA9
DestroyWindow.USER32(?), ref: 00662FB1

Strings

SysAnimate32, xrefs: 00662F68

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: f160767ccfa18ce314b8349344f4c32ed1cdada456cf5433d571034164b388d0
Instruction ID: 74e732dd7b6fea0754544e95c1c0f09693c7fbd487267474523f9e0525802f4e
Opcode Fuzzy Hash: f160767ccfa18ce314b8349344f4c32ed1cdada456cf5433d571034164b388d0
Instruction Fuzzy Hash: 3421F0B1240A06ABEF104FA4DCA0EBB37BEEF59364F104219F950D6290D7B1DC419760

Function 005F4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,005F4D1E,006028E9,?,005F4CBE,006028E9,006988B8,0000000C,005F4E15,006028E9,00000002), ref: 005F4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 005F4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,005F4D1E,006028E9,?,005F4CBE,006028E9,006988B8,0000000C,005F4E15,006028E9,00000002,00000000), ref: 005F4DC3

Strings

mscoree.dll, xrefs: 005F4D86
CorExitProcess, xrefs: 005F4D98

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0247b5035893bc9082b1dc415441b9fd31287eb9700651c3642bc8e9706ea581
Instruction ID: bbd22735b5631576fcbea26af3e4d7a69969a60ba0bdf3851b03eccc01e382d4
Opcode Fuzzy Hash: 0247b5035893bc9082b1dc415441b9fd31287eb9700651c3642bc8e9706ea581
Instruction Fuzzy Hash: 8CF0AF30A0020CBBDB149F94DC09BBEBFBAEF44722F0000A9F909E2260CB745940CF90

Function 005D4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,005D4EDD,?,006A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 005D4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 005D4EAE
FreeLibrary.KERNEL32(00000000,?,?,005D4EDD,?,006A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 005D4EC0

Strings

kernel32.dll, xrefs: 005D4E94
Wow64DisableWow64FsRedirection, xrefs: 005D4EA8

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: b3c42348219ffd65059208f62835aeb9bee0d66b8a530c153bcf97857e7442a8
Instruction ID: 72284425e2ddc3c6536ac95d9e43e3a361feb02cd7dd646ddcf1677c8731421e
Opcode Fuzzy Hash: b3c42348219ffd65059208f62835aeb9bee0d66b8a530c153bcf97857e7442a8
Instruction Fuzzy Hash: 7DE08635A019226BD3311729AC18A7BAA5DFF82B7270A0117FC40D2300DBB0CD0544A1

Function 005D4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00613CDE,?,006A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 005D4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 005D4E74
FreeLibrary.KERNEL32(00000000,?,?,00613CDE,?,006A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 005D4E87

Strings

kernel32.dll, xrefs: 005D4E5B
Wow64RevertWow64FsRedirection, xrefs: 005D4E6E

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: db2a63f40f286d111ae02fb1eef10da7dd24847aa6b9a5dcdf99db1d76b6723e
Instruction ID: 2f1a99bb74f9a028b965f0d9ef2706a5c9ff2e83e78ed631ff8337f741123793
Opcode Fuzzy Hash: db2a63f40f286d111ae02fb1eef10da7dd24847aa6b9a5dcdf99db1d76b6723e
Instruction Fuzzy Hash: A4D01235502E7167DB321B29AC18DABAF1EFFC6B713060617F945A2214CFB0CD0189D2

Function 00642947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00642C05
DeleteFileW.KERNEL32(?), ref: 00642C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00642C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00642CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00642CC0

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: c253c5e984694a7569c6f8cb952b01bca31a74356e606020ad9f358b0e8f0d63
Instruction ID: e923ec9d9936429de03cc282c9dcfaecb72f35fb7ec676fec69b1678ee6b1cf5
Opcode Fuzzy Hash: c253c5e984694a7569c6f8cb952b01bca31a74356e606020ad9f358b0e8f0d63
Instruction Fuzzy Hash: 8FB16171D0011EABDF25DBA4CC99EEE7B7EEF48354F5040A6F609E6241EA309A448F61

Function 0065A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0065A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0065A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0065A468
CloseHandle.KERNEL32(?), ref: 0065A63D

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 1603c7859138a9615b8068bccf8cd56bbbbe08dd82617b6503ac48c672a7829e
Instruction ID: fc8e90df49893e20ff1b8d3456d53c3293360ea1aed867ebd6ef00189baef4d6
Opcode Fuzzy Hash: 1603c7859138a9615b8068bccf8cd56bbbbe08dd82617b6503ac48c672a7829e
Instruction Fuzzy Hash: C4A180716043029FD720DF18C885B6ABBE6AF84714F14891DF9999B3D2D7B0EC45CB51

Function 0063E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0063DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0063CF22,?), ref: 0063DDFD

Part of subcall function 0063DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0063CF22,?), ref: 0063DE16

Part of subcall function 0063E199: GetFileAttributesW.KERNEL32(?,0063CF95), ref: 0063E19A

lstrcmpiW.KERNEL32(?,?), ref: 0063E473
MoveFileW.KERNEL32(?,?), ref: 0063E4AC
_wcslen.LIBCMT ref: 0063E5EB
_wcslen.LIBCMT ref: 0063E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0063E650

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 2278173a58fbff88c00a8fcee2c47c53c658ff236056a73059d56cf458ca0739
Instruction ID: a55a551998a605c81b68eb8d4718b6d84337c9d9473687f2af9d45927a6fb93e
Opcode Fuzzy Hash: 2278173a58fbff88c00a8fcee2c47c53c658ff236056a73059d56cf458ca0739
Instruction Fuzzy Hash: BE51C5B24083455BC724DB90DC859EF77DDAF84300F00091EF689D3192EF75A58887AA

Function 0065B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005D9CB3: _wcslen.LIBCMT ref: 005D9CBD

Part of subcall function 0065C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0065B6AE,?,?), ref: 0065C9B5
Part of subcall function 0065C998: _wcslen.LIBCMT ref: 0065C9F1
Part of subcall function 0065C998: _wcslen.LIBCMT ref: 0065CA68
Part of subcall function 0065C998: _wcslen.LIBCMT ref: 0065CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0065BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0065BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0065BB63
RegCloseKey.ADVAPI32(?,?), ref: 0065BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0065BBB3

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: d07cb4822262e53d463e37fbfd10c108e1876d555a3c81376dbf74aea4781f52
Instruction ID: da35d82b0460b75acbb10950e8d5ba51d7928900fb75fbac6365f22338bf70d0
Opcode Fuzzy Hash: d07cb4822262e53d463e37fbfd10c108e1876d555a3c81376dbf74aea4781f52
Instruction Fuzzy Hash: 8D61B031208242AFD314DF14C494E6ABBE6FF84318F14955DF8998B3A2DB71ED49CB92

Function 00638BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00638BCD
VariantClear.OLEAUT32 ref: 00638C3E
VariantClear.OLEAUT32 ref: 00638C9D
VariantClear.OLEAUT32(?), ref: 00638D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00638D3B

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: d0bf2db6c4c18240826a6999e824fa6a6913201f551f2fa9c180fd51721f69fe
Instruction ID: dedfed6754a5979168a74064d0075ff2839d2efe078d474640897da3bb65d57e
Opcode Fuzzy Hash: d0bf2db6c4c18240826a6999e824fa6a6913201f551f2fa9c180fd51721f69fe
Instruction Fuzzy Hash: 405136B5A00619AFCB14CF68C894AAAB7F9FF89310F158559F905DB350EB30E911CBA0

Function 00648AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00648BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00648BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00648C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00648C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00648C5F

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 90c4a020a0dc096b3cbb242c9bab59e725e90a55132450f65a97345f3906da25
Instruction ID: 7adcdba04cf82268f04b39bd60f56620f20d4b93f02e3ef433408a219063e19a
Opcode Fuzzy Hash: 90c4a020a0dc096b3cbb242c9bab59e725e90a55132450f65a97345f3906da25
Instruction Fuzzy Hash: 88515F35A002199FCB14DF65C884AADBBF6FF48314F08805AE849AB362DB31ED41CB91

Function 00658EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00658F40
GetProcAddress.KERNEL32(00000000,?), ref: 00658FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00658FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00659032
FreeLibrary.KERNEL32(00000000), ref: 00659052

Part of subcall function 005EF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00641043,?,753CE610), ref: 005EF6E6
Part of subcall function 005EF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0062FA64,00000000,00000000,?,?,00641043,?,753CE610,?,0062FA64), ref: 005EF70D

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 3e2e332795522f4f9d496444892963e07d394c8984cd753cf02cb594d1508dff
Instruction ID: a9bc2b3c26635eb7ea41b42f0951e60a5ee56f62f5d9ed3ec04eee09fb4e4ec9
Opcode Fuzzy Hash: 3e2e332795522f4f9d496444892963e07d394c8984cd753cf02cb594d1508dff
Instruction Fuzzy Hash: C2513C35600206DFC715DF58C4948ADBBB2FF89325F05809AE845AB762DB31ED8ACF91

Function 00666B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00666C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00666C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00666C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0064AB79,00000000,00000000), ref: 00666C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00666CC7

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: e1dd12fb7c0fd102e8e6c196118750fc66536d9265fc274fbe5b547af298bec9
Instruction ID: c06cd98c614292af5253cf916d3ef9f74262638e7629fb3ddbbaed3783f9b74b
Opcode Fuzzy Hash: e1dd12fb7c0fd102e8e6c196118750fc66536d9265fc274fbe5b547af298bec9
Instruction Fuzzy Hash: 3041B435604504AFDB24DF28DC58FFA7FAAEB0A360F150269F895A73E0C371AD51CA90

Function 00602051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006020C3
_free.LIBCMT ref: 006020E3

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 7a4729bc28fbade243fa1b7caae614bddbf1b4226137c1897e0572ae99b5e430
Instruction ID: ee715d8c7bcc5e371e03231c8bbb8b319c4fd1f7ec9620ee49353d7fb15d37e8
Opcode Fuzzy Hash: 7a4729bc28fbade243fa1b7caae614bddbf1b4226137c1897e0572ae99b5e430
Instruction Fuzzy Hash: 9A41E632A403019FCB28DF78C894A9EB7B6EF89314F1545A9E615EB391DA31AD01CB80

Function 005E912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 005E9141
ScreenToClient.USER32(00000000,?), ref: 005E915E
GetAsyncKeyState.USER32(00000001), ref: 005E9183
GetAsyncKeyState.USER32(00000002), ref: 005E919D

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 8472659fa6a8bc3bce704a774992b712f72d606d59d9125654cd838167b7c05d
Instruction ID: 471503d285b6772bbd02fdd6c324b19f78d3ae90830ffe4bb566e44a857284b8
Opcode Fuzzy Hash: 8472659fa6a8bc3bce704a774992b712f72d606d59d9125654cd838167b7c05d
Instruction Fuzzy Hash: 3C41707190891BFBDF099F65D848BEEBB75FF45324F248219E469A3290C7305960CF91

Function 00643874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 006438CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00643922
TranslateMessage.USER32(?), ref: 0064394B
DispatchMessageW.USER32(?), ref: 00643955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00643966

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: d443fe160682bc3f8bde592a4943e9e496e72bda2905e2eacc56c384cbfa66ab
Instruction ID: d3edcf035987d0f1f7f0a1f87aecc6083898837291757ac9c168013471c58f57
Opcode Fuzzy Hash: d443fe160682bc3f8bde592a4943e9e496e72bda2905e2eacc56c384cbfa66ab
Instruction Fuzzy Hash: 1A31C8709043669EEB25DB349848BF677ABAB06304F04055DD4A2863A0F3F4A685CF11

Function 0064CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0064C21E,00000000), ref: 0064CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0064CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0064C21E,00000000), ref: 0064CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0064C21E,00000000), ref: 0064CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0064C21E,00000000), ref: 0064CFF2

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 70b407f577d8e1faefd04b3457f000661bb35dfeffccc256743db5ad1f848f96
Instruction ID: 6892af04e642290540eb3d244fabca7b82d2d5246c5f8c0a05cc74b45b30b010
Opcode Fuzzy Hash: 70b407f577d8e1faefd04b3457f000661bb35dfeffccc256743db5ad1f848f96
Instruction Fuzzy Hash: 91317C71601605EFDBA4DFA5C884AABBBFAEF14320B10442EF546D2301DB34AE45DB60

Function 00631901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00631915
PostMessageW.USER32(00000001,00000201,00000001), ref: 006319C1
Sleep.KERNEL32(00000000,?,?,?), ref: 006319C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 006319DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 006319E2

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 21d3418361c7f15dd6832e738755a4dc92918e25d3a547ac8bc270fce67db6fd
Instruction ID: b71a29a15e065c03ded6b51f5aeb36199f0244286082531a13eb7ae96b40a130
Opcode Fuzzy Hash: 21d3418361c7f15dd6832e738755a4dc92918e25d3a547ac8bc270fce67db6fd
Instruction Fuzzy Hash: 1F31C271900219EFCB04CFA8CD99BEE7BB6EB45325F104229F961EB2D1C7B09954DB90

Function 00665706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00665745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0066579D
_wcslen.LIBCMT ref: 006657AF
_wcslen.LIBCMT ref: 006657BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00665816

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: aa28f0b840b33132a9f6678c5a167e13b937a3e5b26d680d29651847fdd96002
Instruction ID: c6cf3dfe9260e05c490ca0398d6ffd371114c2bfc3b348631c2ef02bae4ee7c5
Opcode Fuzzy Hash: aa28f0b840b33132a9f6678c5a167e13b937a3e5b26d680d29651847fdd96002
Instruction Fuzzy Hash: 8A21D871904619DADB209F60CC86AEE7BBAFF44724F108256F92AEB2C0D7749985CF50

Function 00650930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00650951
GetForegroundWindow.USER32 ref: 00650968
GetDC.USER32(00000000), ref: 006509A4
GetPixel.GDI32(00000000,?,00000003), ref: 006509B0
ReleaseDC.USER32(00000000,00000003), ref: 006509E8

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 0ea1e90ebf6bfabf14000e2989313fc823f9c234ce65668d6d027ac3337dd96a
Instruction ID: 053bf697926f3b7c142dd0d4f8f9d98aa9fffb1f9d04bf92db2b44d00d88c690
Opcode Fuzzy Hash: 0ea1e90ebf6bfabf14000e2989313fc823f9c234ce65668d6d027ac3337dd96a
Instruction Fuzzy Hash: 4A218135600604AFE714EF69D888AAEBBE6FF45711F04806DE84AD7352DB70EC44CB90

Function 0060CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0060CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0060CDE9

Part of subcall function 00603820: RtlAllocateHeap.NTDLL(00000000,?,006A1444,?,005EFDF5,?,?,005DA976,00000010,006A1440,005D13FC,?,005D13C6,?,005D1129), ref: 00603852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0060CE0F
_free.LIBCMT ref: 0060CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0060CE31

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: db226ce47d7fc03b66bbb47f0fcf4bb15832a23d76bdebedafc0e6c4c50fb1a0
Instruction ID: 268e94e048c69eb7e2ec69ea1f04439176a57648288cbc8a3ab56c24bb3a0ae1
Opcode Fuzzy Hash: db226ce47d7fc03b66bbb47f0fcf4bb15832a23d76bdebedafc0e6c4c50fb1a0
Instruction Fuzzy Hash: 9301B5726416157FE32517BAAC4CC7B696FDFC6BB13150229FD05D6380DA608D0191B0

Function 005E9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 005E9693
SelectObject.GDI32(?,00000000), ref: 005E96A2
BeginPath.GDI32(?), ref: 005E96B9
SelectObject.GDI32(?,00000000), ref: 005E96E2

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 016577b0f7bd5894375485bb8d991d0a29af9a7679d6fdbc1e557770c9dd6dfc
Instruction ID: 1bdea61754c26b336252c0f7bbaf1abd3de955b35def1a8866a74805586bf55f
Opcode Fuzzy Hash: 016577b0f7bd5894375485bb8d991d0a29af9a7679d6fdbc1e557770c9dd6dfc
Instruction Fuzzy Hash: AC218330801385EBDB11AF65EC147EA7F66BB43365F101217F4909A1B0D3706991CF94

Function 00635711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00635726
_memcmp.LIBVCRUNTIME ref: 00635744
_memcmp.LIBVCRUNTIME ref: 00635757
_memcmp.LIBVCRUNTIME ref: 0063576F
_memcmp.LIBVCRUNTIME ref: 00635787

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: d0d5bbb334e59dc7abe243707262d3588bc3195510bf557b01ea5506973c2b8f
Instruction ID: c27a76d7ae4e15d1a942633398af53d925dc6fc57f477dd7e2876830e8e73b19
Opcode Fuzzy Hash: d0d5bbb334e59dc7abe243707262d3588bc3195510bf557b01ea5506973c2b8f
Instruction Fuzzy Hash: CE01B561645A0AFBD2085610AD82FFB736FAB71394F414420FE069B281F764ED11C2E5

Function 00602DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,005FF2DE,00603863,006A1444,?,005EFDF5,?,?,005DA976,00000010,006A1440,005D13FC,?,005D13C6), ref: 00602DFD
_free.LIBCMT ref: 00602E32
_free.LIBCMT ref: 00602E59
SetLastError.KERNEL32(00000000,005D1129), ref: 00602E66
SetLastError.KERNEL32(00000000,005D1129), ref: 00602E6F

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 1596afe3c7c25deafbfadf1dcd7c6b78ca1f47bcf8742ee083584efdfb0e0112
Instruction ID: 5a3bf441b151e3b4b303bc2d7322360b02ffb5ad8ae4d37e43130a6c8aa6deef
Opcode Fuzzy Hash: 1596afe3c7c25deafbfadf1dcd7c6b78ca1f47bcf8742ee083584efdfb0e0112
Instruction Fuzzy Hash: D301F4362C5A0267C71A3735ACADD6B265FAFD17B5B21042DF965A23E2EF608C014124

Function 0063000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0062FF41,80070057,?,?,?,0063035E), ref: 0063002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0062FF41,80070057,?,?), ref: 00630046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0062FF41,80070057,?,?), ref: 00630054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0062FF41,80070057,?), ref: 00630064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0062FF41,80070057,?,?), ref: 00630070

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 23aafc679a53d053e0da4cf3d34f2820e3119b44c3ee03562a5ece636140a71f
Instruction ID: c9d602c31deaa4cd0437d9bf09a819b06e661b626f8497759a9441fbd566ff24
Opcode Fuzzy Hash: 23aafc679a53d053e0da4cf3d34f2820e3119b44c3ee03562a5ece636140a71f
Instruction Fuzzy Hash: 61018B72600618BFEB245F68DC44BAA7EAFEB447A2F149128F945D3210E7B5DD448BE0

Function 0063E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0063E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0063E9A5
Sleep.KERNEL32(00000000), ref: 0063E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0063E9B7
Sleep.KERNEL32 ref: 0063E9F3

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 6e75462a1994288ef64d39899b8e1f040beff9492093b5bf5c2385d972c5a4d7
Instruction ID: d4de55aeab07ec2d2811854dd5331b6df8f042268eb14a5e92a2559792e6849f
Opcode Fuzzy Hash: 6e75462a1994288ef64d39899b8e1f040beff9492093b5bf5c2385d972c5a4d7
Instruction Fuzzy Hash: B0015B31C01929DBCF00ABE4DC596EDBBBABB09311F000546E542B2280CB75965287A1

Function 006310F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00631114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00630B9B,?,?,?), ref: 00631120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00630B9B,?,?,?), ref: 0063112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00630B9B,?,?,?), ref: 00631136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0063114D

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 9bc3778b834324713a5e95101fe0410792e656c6d9ae0c057eeb6b05503bbd79
Instruction ID: a1ceec18a0659ac9dbae80482ab0b5a4fff31aa154ba769b6e71ef00b43bf378
Opcode Fuzzy Hash: 9bc3778b834324713a5e95101fe0410792e656c6d9ae0c057eeb6b05503bbd79
Instruction Fuzzy Hash: 00011975200605BFDB114FA5DC49AAA3F6FEF8A3A0B204419FA85D7360DA72DC009AA0

Function 00630FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00630FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00630FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00630FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00630FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00631002

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 2b559ef4c45ecba9f5bd50009bfcb987e52ae4c000f85ad7ba89d3d6aee9bd78
Instruction ID: 7e608253892b8b9ef80b627d3e4eeeb99541316b78a185a5035e1c7329ade96b
Opcode Fuzzy Hash: 2b559ef4c45ecba9f5bd50009bfcb987e52ae4c000f85ad7ba89d3d6aee9bd78
Instruction Fuzzy Hash: 7DF04F35100701BBD7214FA5DC49FA63B6EEF8A761F105414F985DA251CAB1DC408A60

Function 00631014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0063102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00631036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00631045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0063104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00631062

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: b647df0c4f572436bae5949653be69c4fbcc75a3bf0bccd63a07782b3b202ff5
Instruction ID: dddd22675b1bd879d20e333ee0a9c3319aeca6e3305c7581c6c915a98a4a6c88
Opcode Fuzzy Hash: b647df0c4f572436bae5949653be69c4fbcc75a3bf0bccd63a07782b3b202ff5
Instruction Fuzzy Hash: D8F04F35200705BBD7215FA5EC59FA63B6EEF8A761F101414F985DA250CAB1D8808A60

Function 0064030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0064017D,?,006432FC,?,00000001,00612592,?), ref: 00640324
CloseHandle.KERNEL32(?,?,?,?,0064017D,?,006432FC,?,00000001,00612592,?), ref: 00640331
CloseHandle.KERNEL32(?,?,?,?,0064017D,?,006432FC,?,00000001,00612592,?), ref: 0064033E
CloseHandle.KERNEL32(?,?,?,?,0064017D,?,006432FC,?,00000001,00612592,?), ref: 0064034B
CloseHandle.KERNEL32(?,?,?,?,0064017D,?,006432FC,?,00000001,00612592,?), ref: 00640358
CloseHandle.KERNEL32(?,?,?,?,0064017D,?,006432FC,?,00000001,00612592,?), ref: 00640365

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 59bef1dddc637853fd2abfbaea283881a32b4d93fc45100a70713a5154292ff8
Instruction ID: 49dc10c82273be8be8e7356d83af3ee1148b72e9f2b88e09040ee61f1d4f6dfa
Opcode Fuzzy Hash: 59bef1dddc637853fd2abfbaea283881a32b4d93fc45100a70713a5154292ff8
Instruction Fuzzy Hash: DB01A276800B269FD7319F66D890452FBF6BF503153158A3FD29652A31C3B1A954CF80

Function 0060D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0060D752

Part of subcall function 006029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0060D7D1,00000000,00000000,00000000,00000000,?,0060D7F8,00000000,00000007,00000000,?,0060DBF5,00000000), ref: 006029DE
Part of subcall function 006029C8: GetLastError.KERNEL32(00000000,?,0060D7D1,00000000,00000000,00000000,00000000,?,0060D7F8,00000000,00000007,00000000,?,0060DBF5,00000000,00000000), ref: 006029F0

_free.LIBCMT ref: 0060D764
_free.LIBCMT ref: 0060D776
_free.LIBCMT ref: 0060D788
_free.LIBCMT ref: 0060D79A

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2a2a11a5f2f9827429a4c1f35d8194e5c1155f73d939b9617729bc6a1ec1f4b4
Instruction ID: 05ab167edcf3497fc886b38034afa4059867717ec6e29bebfd27b37465990094
Opcode Fuzzy Hash: 2a2a11a5f2f9827429a4c1f35d8194e5c1155f73d939b9617729bc6a1ec1f4b4
Instruction Fuzzy Hash: B9F0FF32584205ABC669EBA9F9D5C5B7BDFBF447207A41D0AF048E7A81C720FC8086A4

Function 00635C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00635C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00635C6F
MessageBeep.USER32(00000000), ref: 00635C87
KillTimer.USER32(?,0000040A), ref: 00635CA3
EndDialog.USER32(?,00000001), ref: 00635CBD

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 7b6e41a8e7fd6b97227d848f1a5c12021d0948b4e7c0f9c7dbd90cff4b2e39ff
Instruction ID: 95d3e755d365576dfc50604e9937251157e9b8e1a81d8373352930f09ffb6f9d
Opcode Fuzzy Hash: 7b6e41a8e7fd6b97227d848f1a5c12021d0948b4e7c0f9c7dbd90cff4b2e39ff
Instruction Fuzzy Hash: 0A018630500B04ABEB205B14DD4EFE67BBABB00B05F04255EE583A25E1DBF4A985CA95

Function 006022A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006022BE

Part of subcall function 006029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0060D7D1,00000000,00000000,00000000,00000000,?,0060D7F8,00000000,00000007,00000000,?,0060DBF5,00000000), ref: 006029DE
Part of subcall function 006029C8: GetLastError.KERNEL32(00000000,?,0060D7D1,00000000,00000000,00000000,00000000,?,0060D7F8,00000000,00000007,00000000,?,0060DBF5,00000000,00000000), ref: 006029F0

_free.LIBCMT ref: 006022D0
_free.LIBCMT ref: 006022E3
_free.LIBCMT ref: 006022F4
_free.LIBCMT ref: 00602305

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5cb6df4e494ee653b26aeb48f7dca00c07ba00b8137d955c845033c299fab7ec
Instruction ID: a85780b849411a168e9204d63e1f53a4b9656e4efb63f4ac64eefae43dbf628e
Opcode Fuzzy Hash: 5cb6df4e494ee653b26aeb48f7dca00c07ba00b8137d955c845033c299fab7ec
Instruction Fuzzy Hash: AAF030744901118FCB56BF65BC1595A3F6BBF1BB60B50290BF410D72F1C7306A519FA8

Function 005E95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 005E95D4
StrokeAndFillPath.GDI32(?,?,006271F7,00000000,?,?,?), ref: 005E95F0
SelectObject.GDI32(?,00000000), ref: 005E9603
DeleteObject.GDI32 ref: 005E9616
StrokePath.GDI32(?), ref: 005E9631

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 3725ac777fc06b0552b2f9d4c42c935fc4103861c7d716434e0f0ef6839fa5cb
Instruction ID: 03df4aacfc50f14486d9076dcaa75d034fbfb4c981e2bb3111b73457793e2496
Opcode Fuzzy Hash: 3725ac777fc06b0552b2f9d4c42c935fc4103861c7d716434e0f0ef6839fa5cb
Instruction Fuzzy Hash: 0EF03C30005648EBDB166F66ED1C7763F62BB03372F04A215F4A5590F0C7719995DF60

Function 00600F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 006010F9
__freea.LIBCMT ref: 00601117

Part of subcall function 00601537: _free.LIBCMT ref: 0060154F

Strings

am/pm, xrefs: 0060117A
a/p, xrefs: 006011DE

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 6fae9175de25deadc1985b062e9205aff4635f5785a80bf038460e6ae472fef5
Instruction ID: 28756b4388023eb09a5c907d0db8563f1b10d61d59028b128ddcdcb832a305f6
Opcode Fuzzy Hash: 6fae9175de25deadc1985b062e9205aff4635f5785a80bf038460e6ae472fef5
Instruction Fuzzy Hash: A5D1BD31980206DADB2C9F68C895AFBB7B6EF07300F28415AE9419F7D0D6759E81CB91

Function 006561D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 005F0242: EnterCriticalSection.KERNEL32(006A070C,006A1884,?,?,005E198B,006A2518,?,?,?,005D12F9,00000000), ref: 005F024D
Part of subcall function 005F0242: LeaveCriticalSection.KERNEL32(006A070C,?,005E198B,006A2518,?,?,?,005D12F9,00000000), ref: 005F028A

Part of subcall function 005F00A3: __onexit.LIBCMT ref: 005F00A9

__Init_thread_footer.LIBCMT ref: 00656238

Part of subcall function 005F01F8: EnterCriticalSection.KERNEL32(006A070C,?,?,005E8747,006A2514), ref: 005F0202
Part of subcall function 005F01F8: LeaveCriticalSection.KERNEL32(006A070C,?,005E8747,006A2514), ref: 005F0235

Part of subcall function 0064359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 006435E4
Part of subcall function 0064359C: LoadStringW.USER32(006A2390,?,00000FFF,?), ref: 0064360A

Strings

x#j, xrefs: 00656353
x#j, xrefs: 0065636F
x#j, xrefs: 0065633A

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#j$x#j$x#j
API String ID: 1072379062-3560744321
Opcode ID: fa9c7fa81480e99e027dace812c4ec6ebdfed943610c8a1505cf0d2612f0da23
Instruction ID: dcfea21cd3f899911ea7f88ff861d8df842fd9c9eb0d9f99aa97e122d433a0c2
Opcode Fuzzy Hash: fa9c7fa81480e99e027dace812c4ec6ebdfed943610c8a1505cf0d2612f0da23
Instruction Fuzzy Hash: 2CC15C71A00106ABCB14DF58C895EBEBBBAFF49300F54806AF9559B391DB70ED49CB90

Function 00605AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JO], xrefs: 00605BA8, 00605C6C

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID:
String ID: JO]
API String ID: 0-3765940103
Opcode ID: 5541e94367b20924d37bef0053b5f561889ee93b16767cfa8810d6486d2a109b
Instruction ID: f2e1d0329876f839b2f73def01402b5162ebecb92f999d089e60f11c903dc5b6
Opcode Fuzzy Hash: 5541e94367b20924d37bef0053b5f561889ee93b16767cfa8810d6486d2a109b
Instruction Fuzzy Hash: 6551EE7598060A9FDF29AFA4C849AFFBFBAAF45314F14001AE402A72D1D7759901CF61

Function 00608A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00608B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00608B7A
__dosmaperr.LIBCMT ref: 00608B81

Strings

._, xrefs: 00608A63

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: ._
API String ID: 2434981716-1383207595
Opcode ID: c593f07f2b443e9fff84eef48ab7fbf0809afb5e39204a5368131a49a5dada0a
Instruction ID: 9ed32caa1fa4001788c02024e33bc3bb64fe9bb079577ecd043efd00a830cd8d
Opcode Fuzzy Hash: c593f07f2b443e9fff84eef48ab7fbf0809afb5e39204a5368131a49a5dada0a
Instruction Fuzzy Hash: A1415B70644155AFDB28DF24CC80ABF7FA7DB86314B2841A9F8C597692DF318C038B90

Function 00632716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0063B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006321D0,?,?,00000034,00000800,?,00000034), ref: 0063B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00632760

Part of subcall function 0063B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006321FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0063B3F8

Part of subcall function 0063B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0063B355
Part of subcall function 0063B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00632194,00000034,?,?,00001004,00000000,00000000), ref: 0063B365
Part of subcall function 0063B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00632194,00000034,?,?,00001004,00000000,00000000), ref: 0063B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 006327CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0063281A

Strings

@, xrefs: 00632832

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 97c426f32fb26edd6c8d789df498d52e1a6eb370a318295c5ec99d4a7f0d0743
Instruction ID: 2819f319e8fbcaa4c19fc2ba6ab796abc70b5016f5c841b521aeeb2643668446
Opcode Fuzzy Hash: 97c426f32fb26edd6c8d789df498d52e1a6eb370a318295c5ec99d4a7f0d0743
Instruction Fuzzy Hash: 30416D72900229BFDB10DFA4CC55AEEBBB9EF09300F105099FA55B7281DB706E45CBA0

Function 0060172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00601769
_free.LIBCMT ref: 00601834
_free.LIBCMT ref: 0060183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00601760, 00601767, 00601796, 006017CE

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: bde434e478a1d9399ceb54f6a54cf10b2adbfc6d534eccee854d592460fce6c7
Instruction ID: 69e1ecb40d24d274b18bc7b3fc3e94b0a7f2351a5bb653cfec80a1aa3a313962
Opcode Fuzzy Hash: bde434e478a1d9399ceb54f6a54cf10b2adbfc6d534eccee854d592460fce6c7
Instruction Fuzzy Hash: 97317E75A80218ABDB25DF999885DDFBBBEEF86310F10416AE4049B291D6B09F40CB90

Function 0063C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0063C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0063C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,006A1990,018E57B8), ref: 0063C395

Strings

0, xrefs: 0063C2DF

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 621ac0ffd47e81cab52213e80b9fdefc4902e2ad60116f326ec3f91bc960ae3a
Instruction ID: ae433856271ba1b3141a7a3ec919f2ac94ac90e5e7b8343c3e9de553d51f3edb
Opcode Fuzzy Hash: 621ac0ffd47e81cab52213e80b9fdefc4902e2ad60116f326ec3f91bc960ae3a
Instruction Fuzzy Hash: A041B1712043019FE720DF24D884B6ABBE6AF85320F048A1EF9A5A73D1D770E904CB92

Function 00664416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0066CC08,00000000,?,?,?,?), ref: 006644AA
GetWindowLongW.USER32 ref: 006644C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 006644D7

Strings

SysTreeView32, xrefs: 0066447C

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 31bc9587b0f8738a1a2a9b548f177e6e17cf9a6d95afa651500949e716fbfc28
Instruction ID: ed4d93406e56cec89521553109a8f79afcde986c28b3684376b0e793266bf4e7
Opcode Fuzzy Hash: 31bc9587b0f8738a1a2a9b548f177e6e17cf9a6d95afa651500949e716fbfc28
Instruction Fuzzy Hash: 5831AD31210606AFDF219E38DC46BEA7BAAEB49334F204315F975922E0DB70EC519B50

Function 00636E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00636EED
VariantCopyInd.OLEAUT32(?,?), ref: 00636F08
VariantClear.OLEAUT32(?), ref: 00636F12

Strings

*jc, xrefs: 00636E8B, 00636E90, 00636EF8

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jc
API String ID: 2173805711-2167581163
Opcode ID: b08feb1c77388872e553a28fe962dce4019719eefc4e4c5b32dbdb182f9ab259
Instruction ID: 3d08214f1d402fddd94579194d56eb1b796409a3bfc9ef8b57998f04b9b54f51
Opcode Fuzzy Hash: b08feb1c77388872e553a28fe962dce4019719eefc4e4c5b32dbdb182f9ab259
Instruction Fuzzy Hash: 1C316B71604256EBCB14AF69E8549BD3BB7BF84300F10449AF8064B3B1DB309912DBE4

Function 0065304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0065335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00653077,?,?), ref: 00653378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0065307A
_wcslen.LIBCMT ref: 0065309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00653106

Strings

255.255.255.255, xrefs: 00653095, 0065309A

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 034fba77fc26f1ad7d27b49d345bed7b276775a97960245f769bdcb8a13a7f1a
Instruction ID: e08e358eaf7582bd8daa9a9b63662d11a046acada5e116fb98c005932119ea48
Opcode Fuzzy Hash: 034fba77fc26f1ad7d27b49d345bed7b276775a97960245f769bdcb8a13a7f1a
Instruction Fuzzy Hash: A331D5352003169FCB20CF28C585EAA7BE2EF55799F248059ED158B392D771DE49C760

Function 00663EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00663F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00663F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00663F78

Strings

SysMonthCal32, xrefs: 00663F0B

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 2a3c1a0bcb5f3592c22971b71402e885ab5dab69d500291d0400300e98316fab
Instruction ID: 521cc4553791d03b2b609028de9f9f1895cf9f2fdef7a324a48b16a8ea6ee87c
Opcode Fuzzy Hash: 2a3c1a0bcb5f3592c22971b71402e885ab5dab69d500291d0400300e98316fab
Instruction Fuzzy Hash: 4721D332600229BFDF119F50CC46FEA3B7AEF49724F110215FA156B2D0D6B5AD50CBA0

Function 00664653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00664705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00664713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0066471A

Strings

msctls_updown32, xrefs: 00664684

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 95983865a3651246773ed67ba2315ac4b58e88ebb822482c2701c2fc09a7ef1f
Instruction ID: ac189be1f2de8611236c43111f3b2e1e63d0f38909651b5e1578e7408773a84a
Opcode Fuzzy Hash: 95983865a3651246773ed67ba2315ac4b58e88ebb822482c2701c2fc09a7ef1f
Instruction Fuzzy Hash: B22131B5600209AFDB10DF64DC95DB73BAEEB5B3A4B040159F6009B351DB71EC51CA60

Function 006395AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0063961D

Strings

#requireadmin, xrefs: 006395D9
#OnAutoItStartRegister, xrefs: 006395F3
#notrayicon, xrefs: 006395B7

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 842f5027d71eb3dc2d82ca3407c63d61bdfe5ace8f10ad7a22a54add5fa254a9
Instruction ID: bcbe3b0203dd5f10092c0caf51a2f40ab16a11ff7e0956836be968a842012c62
Opcode Fuzzy Hash: 842f5027d71eb3dc2d82ca3407c63d61bdfe5ace8f10ad7a22a54add5fa254a9
Instruction Fuzzy Hash: 61218E3210461566D331AB289C07FF777DEEF95310F004026FA4997242EBD59D81CAF1

Function 006637B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00663840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00663850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00663876

Strings

Listbox, xrefs: 0066380F

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 923be3badf113f537f33bba79ac63243e8c75acdecf2c8c6fc833e39561c51af
Instruction ID: f5fa7221b60bf3bfab919aa228370797f753c148b708f3990df146e805d978ea
Opcode Fuzzy Hash: 923be3badf113f537f33bba79ac63243e8c75acdecf2c8c6fc833e39561c51af
Instruction Fuzzy Hash: EC21B072610228BBEF219F54CC45EFB3B6FEF89760F108118F9009B290C6B1EC5287A0

Function 006449F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00644A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00644A5C
SetErrorMode.KERNEL32(00000000,?,?,0066CC08), ref: 00644AD0

Strings

%lu, xrefs: 00644A6F

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: f4e82aafa17f6a49a92310c8eba3e0c9c8220ad2bc33d308f52b973a9cfefcf9
Instruction ID: db0309c6a12a295d1786e3ff7bebab404594a2b6ceca3562a71d4eb4200e2f0b
Opcode Fuzzy Hash: f4e82aafa17f6a49a92310c8eba3e0c9c8220ad2bc33d308f52b973a9cfefcf9
Instruction Fuzzy Hash: 9E317371A00109AFDB10DF54C885EAA7BF9EF49314F148099F905DB362DB71ED45CB61

Function 006641EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0066424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00664264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00664271

Strings

msctls_trackbar32, xrefs: 00664226

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: bbb37590366e489cd710bcc70b8547aaa968c2618bd778b9d536122686db6a88
Instruction ID: bb510d9014428bcd25e55fbbb31afb5edd482da30db4252ec4dee303c9b022e0
Opcode Fuzzy Hash: bbb37590366e489cd710bcc70b8547aaa968c2618bd778b9d536122686db6a88
Instruction Fuzzy Hash: 9811E331240208BEEF205F28CC46FEB7BAEEF86B64F110114FA55E6190D6B1D8519B14

Function 00632F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005D6B57: _wcslen.LIBCMT ref: 005D6B6A

Part of subcall function 00632DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00632DC5
Part of subcall function 00632DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00632DD6
Part of subcall function 00632DA7: GetCurrentThreadId.KERNEL32 ref: 00632DDD
Part of subcall function 00632DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00632DE4

GetFocus.USER32 ref: 00632F78

Part of subcall function 00632DEE: GetParent.USER32(00000000), ref: 00632DF9

GetClassNameW.USER32(?,?,00000100), ref: 00632FC3
EnumChildWindows.USER32(?,0063303B), ref: 00632FEB

Strings

%s%d, xrefs: 00632FFF

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 93be9bd2a0d3dee65eed0409c1e9b33c61455bbe2c30f1d445b3f4c7186d8d7e
Instruction ID: 237c6cd422f88425945eed17331324ee0575ac389b48a711a3a9e2df1e4e7e8f
Opcode Fuzzy Hash: 93be9bd2a0d3dee65eed0409c1e9b33c61455bbe2c30f1d445b3f4c7186d8d7e
Instruction Fuzzy Hash: 6011D271600206ABDF547F64CC99EED376BAF84314F04507AF909DB292DF7099068BB0

Function 00665882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 006658C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 006658EE
DrawMenuBar.USER32(?), ref: 006658FD

Strings

0, xrefs: 0066588F

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 82e34014d5ce4357a3e960fd9b4b61169c76cf6cac7dcf09d09ff98ff7bd1be5
Instruction ID: 48b12d0bf5354f7b2638765953d9a493941084192d57da6539fe2c530d0847dd
Opcode Fuzzy Hash: 82e34014d5ce4357a3e960fd9b4b61169c76cf6cac7dcf09d09ff98ff7bd1be5
Instruction Fuzzy Hash: 6701A131500248EFDB109F11DC45BAEBBBAFB45360F00809AE88AD6251DF309A90DF30

Function 0062D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0062D3BF
FreeLibrary.KERNEL32 ref: 0062D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0062D3B9
X64, xrefs: 0062D2A8

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 8ed14fad56e7569e07a669eedde9537001c6bffb3c9f7808b6fcd85a6789a1ff
Instruction ID: 90ac8aefb888c372905e91e8bc56e22f2c319d1a92334f33c867cbb6ef1164eb
Opcode Fuzzy Hash: 8ed14fad56e7569e07a669eedde9537001c6bffb3c9f7808b6fcd85a6789a1ff
Instruction Fuzzy Hash: A7F05532802E30DBD7319A10EC18AF97B27AF13701B68C415E982E6244EB60CE408ED2

Function 0063007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3690f45a3f6a59bf97c0e98726a24066bd76bd81c7ee0f069cc946462c26248
Instruction ID: eb165dee108bf5066740417c521e670546ccfb6c87d190b71e07bd4363d00bd6
Opcode Fuzzy Hash: c3690f45a3f6a59bf97c0e98726a24066bd76bd81c7ee0f069cc946462c26248
Instruction Fuzzy Hash: 03C14D75A00216EFEB14CFA4C8A4EAEB7B6FF48714F208598E505EB251D731DE45CB90

Function 0065342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00653459
CoUninitialize.OLE32 ref: 00653463
VariantInit.OLEAUT32(?), ref: 0065346E
VariantClear.OLEAUT32(?), ref: 0065371B

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: e93153414926819ca5915a7d48468a7c181a2636f8c634c313af8b1dcb31fc1f
Instruction ID: e92017805ed9d8c95a0508d5e4beec968854c37b25e3e28478ed0389c5a24d3a
Opcode Fuzzy Hash: e93153414926819ca5915a7d48468a7c181a2636f8c634c313af8b1dcb31fc1f
Instruction Fuzzy Hash: 6AA14A756042119FC710DF28C485A2ABBE6FF88755F04895EFD899B362EB30ED05CB92

Function 00630436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0066FC08,?), ref: 006305F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0066FC08,?), ref: 00630608
CLSIDFromProgID.OLE32(?,?,00000000,0066CC40,000000FF,?,00000000,00000800,00000000,?,0066FC08,?), ref: 0063062D
_memcmp.LIBVCRUNTIME ref: 0063064E

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 29da5f275ec782b3942f526b75ba2ba0502b521b9f113fb0f4084e1357412620
Instruction ID: 022304b2366de04fdb78115ccfb1923c76fb43b36981ded7a877c7ecce3916b4
Opcode Fuzzy Hash: 29da5f275ec782b3942f526b75ba2ba0502b521b9f113fb0f4084e1357412620
Instruction Fuzzy Hash: AD811071A00109EFDB04DF94C994DEEB7BAFF89315F104599E506AB250DB71AE0ACBA0

Function 0065A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0065A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0065A6BA

Part of subcall function 005D9CB3: _wcslen.LIBCMT ref: 005D9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0065A79C
CloseHandle.KERNEL32(00000000), ref: 0065A7AB

Part of subcall function 005ECE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00613303,?), ref: 005ECE8A

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: fa717abca4a436c3e2875a3a1b733f5b7d6f1640f55aa4419baa42df509aa043
Instruction ID: 0257dd6760120d17d827509b0547a8d57a953c2232dbbc19c21c919960f19597
Opcode Fuzzy Hash: fa717abca4a436c3e2875a3a1b733f5b7d6f1640f55aa4419baa42df509aa043
Instruction Fuzzy Hash: EF5149715083019FD710EF28C88AA6BBBE9FFC9754F00891EF98597291EB70D904CB92

Function 00611391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006114C0

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 56e32ca72041bf1a35c9b414ac46a6943609a09458e511141cbc2143c946579a
Instruction ID: c65f95dbaf4077fc7383e84239e33073caad7411ac835d12dd06832732c1dfbc
Opcode Fuzzy Hash: 56e32ca72041bf1a35c9b414ac46a6943609a09458e511141cbc2143c946579a
Instruction Fuzzy Hash: 9C414935600505ABDB256FB98C496FF3EE7FF43B70F1C4229F619DA292E63448815362

Function 00666278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 006662E2
ScreenToClient.USER32(?,?), ref: 00666315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00666382

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 4a04a9633751a2808054807c2b607d15d3f0fb15fe51f7561e8e1c4a89bca591
Instruction ID: 1826d1b682411900899bd9151f786c0615b5b549c1f7895bdb83e438c34c2673
Opcode Fuzzy Hash: 4a04a9633751a2808054807c2b607d15d3f0fb15fe51f7561e8e1c4a89bca591
Instruction Fuzzy Hash: 37510A74A00249EFDB10DF58E8809AE7BB6EF85364F10915AF855AB390D770AD81CB90

Function 00651AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00651AFD
WSAGetLastError.WSOCK32 ref: 00651B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00651B8A
WSAGetLastError.WSOCK32 ref: 00651B94

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: f1466b7206b6622a4986f5650e5f1993f3d41bd276f9b8634466d4d7f9fb6e0b
Instruction ID: 114d8bc8e2fabb3a630027303e99995466d1ac18fbcd46d041bd609849a5be39
Opcode Fuzzy Hash: f1466b7206b6622a4986f5650e5f1993f3d41bd276f9b8634466d4d7f9fb6e0b
Instruction Fuzzy Hash: 9641A434600201AFE720AF24C88AF657BE6EB85718F548459F95A9F3D3D7B2DD42CB90

Function 0060B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 869e4901fa37922f656839ccfdd99ea7944430044095a67eb27cf15532d509ff
Instruction ID: 520088067bd3ca8d513427bae123c4d6dbaea9097a50466834509d82c2204d66
Opcode Fuzzy Hash: 869e4901fa37922f656839ccfdd99ea7944430044095a67eb27cf15532d509ff
Instruction Fuzzy Hash: E7412875A40304AFD7299F78CC45BABBBEAEF88710F10856EF141DB6D1D3719A418780

Function 006456D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00645783
GetLastError.KERNEL32(?,00000000), ref: 006457A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 006457CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 006457FA

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: d2447c6acfb6cd158743bc83463bd2d6f338ede56038a4c574afad90e9fdf67c
Instruction ID: 441a09c1df57d81a03954dc9c5dc81a2015e8950dcd49942b1aeb7cc5ab4171b
Opcode Fuzzy Hash: d2447c6acfb6cd158743bc83463bd2d6f338ede56038a4c574afad90e9fdf67c
Instruction Fuzzy Hash: 46411C35600A11DFCB21DF19C444A59BBE2FF89720F19848AEC4AAB362DB31FD00CB91

Function 0060D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,005F6D71,00000000,00000000,005F82D9,?,005F82D9,?,00000001,005F6D71,?,00000001,005F82D9,005F82D9), ref: 0060D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0060D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0060D9AB
__freea.LIBCMT ref: 0060D9B4

Part of subcall function 00603820: RtlAllocateHeap.NTDLL(00000000,?,006A1444,?,005EFDF5,?,?,005DA976,00000010,006A1440,005D13FC,?,005D13C6,?,005D1129), ref: 00603852

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: cc02757bb849c4f7a6b613512ab4d5c9154971800ec6f0dd60c0098be7276fc8
Instruction ID: 2253ae2a2baa030ddcaba798387e5233c67ac5ac09aab7e55165084ffbcd6815
Opcode Fuzzy Hash: cc02757bb849c4f7a6b613512ab4d5c9154971800ec6f0dd60c0098be7276fc8
Instruction Fuzzy Hash: 1331AE72A0020AABDB299FA4DC45EEF7BA6EB41320F054268FC04D6290EB35CD50CB90

Function 006652C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00665352
GetWindowLongW.USER32(?,000000F0), ref: 00665375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00665382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006653A8

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 1bccff81583792652c89661212df047d01a9c19cf74646fca9d5df901c4e21b0
Instruction ID: 28e6335c8979a3ff6761347d878398f8d7a71f40e8e5805da7f7d7d308c63a08
Opcode Fuzzy Hash: 1bccff81583792652c89661212df047d01a9c19cf74646fca9d5df901c4e21b0
Instruction Fuzzy Hash: 9231B434A55A08EFEF309F14CC17BE93767AB05B90F545102FA52A63E1E7B0A9409B82

Function 0063AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0063ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0063AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0063AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0063ACC6

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 4f5decd169a09a9ad54e11a1175eb8d1cb3e7b8062ac089fd5179ffe1bfab784
Instruction ID: 104aa2ec079e6b54c0280e67cb115284205f86e395e00a440f4b6d7a877ed5e4
Opcode Fuzzy Hash: 4f5decd169a09a9ad54e11a1175eb8d1cb3e7b8062ac089fd5179ffe1bfab784
Instruction Fuzzy Hash: F2310830A046186FEF35CBA5CC087FA7BA7AB85320F04631AE4C5962D1C3758D85A7D6

Function 00667674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0066769A
GetWindowRect.USER32(?,?), ref: 00667710
PtInRect.USER32(?,?,00668B89), ref: 00667720
MessageBeep.USER32(00000000), ref: 0066778C

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 6bd2a53278a7fb6c4c95f8c559d85f8f1f694be0087f16ffbe0a24027575d330
Instruction ID: 67f37bec90999187c50112ebb785a7dda750694bb5ec039d64a6506353523a3f
Opcode Fuzzy Hash: 6bd2a53278a7fb6c4c95f8c559d85f8f1f694be0087f16ffbe0a24027575d330
Instruction Fuzzy Hash: DE418D34605214EFDB01DF58D894EA9BBF6FB4A318F1980A9E415DF361D730A942CF90

Function 006616DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 006616EB

Part of subcall function 00633A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00633A57
Part of subcall function 00633A3D: GetCurrentThreadId.KERNEL32 ref: 00633A5E
Part of subcall function 00633A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,006325B3), ref: 00633A65

GetCaretPos.USER32(?), ref: 006616FF
ClientToScreen.USER32(00000000,?), ref: 0066174C
GetForegroundWindow.USER32 ref: 00661752

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 903a67bab29f8165b742f44ef9b78b811f95a3efcd730397afd138bc228eede1
Instruction ID: 90c8ed0d10d844ffebb3700ed13b12d0be7fd836768610f0f7400eb83838e2ae
Opcode Fuzzy Hash: 903a67bab29f8165b742f44ef9b78b811f95a3efcd730397afd138bc228eede1
Instruction Fuzzy Hash: F1313071D00149AFC710DFA9C885CEEBBF9FF89304B5480AAE455E7311E6319E45CBA0

Function 00668FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 005E9BB2

GetCursorPos.USER32(?), ref: 00669001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00627711,?,?,?,?,?), ref: 00669016
GetCursorPos.USER32(?), ref: 0066905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00627711,?,?,?), ref: 00669094

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 6c694971bf317519ef65c82f32d5537f461b7e546d10d8e25e1914216b8a48f0
Instruction ID: 8f37337941dacb4c8d0b31e89acf6c5bad0b3d4296a55de096bdbbe4a1c928c6
Opcode Fuzzy Hash: 6c694971bf317519ef65c82f32d5537f461b7e546d10d8e25e1914216b8a48f0
Instruction Fuzzy Hash: 6B219C35601018FFCF299F94CC58EFA7BBBEB8A360F144069F9458B261C371A990DB60

Function 0063D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0066CB68), ref: 0063D2FB
GetLastError.KERNEL32 ref: 0063D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0063D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0066CB68), ref: 0063D376

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: b153f85daf6262d6741f4657a74ffbd1b2e2d83fcb44d55a874617f5d42dcc2a
Instruction ID: 224e890e63d52a1a69980855332715b5307c3c9e14803956bf4b848df476342c
Opcode Fuzzy Hash: b153f85daf6262d6741f4657a74ffbd1b2e2d83fcb44d55a874617f5d42dcc2a
Instruction Fuzzy Hash: B6217E705096019FD310DF28E8854AA7BE9EE96724F104A1EF499C33A1DB319E4ACB93

Function 00631571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00631014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0063102A
Part of subcall function 00631014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00631036
Part of subcall function 00631014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00631045
Part of subcall function 00631014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0063104C
Part of subcall function 00631014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00631062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 006315BE
_memcmp.LIBVCRUNTIME ref: 006315E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00631617
HeapFree.KERNEL32(00000000), ref: 0063161E

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 2796a7357525ba345e636d3830c35274cad38a692e63a791b1547f3595c0f21a
Instruction ID: 96204692e3f4af073c6ffc5fb50372c63f833942bcc05a508376401c59e41bbb
Opcode Fuzzy Hash: 2796a7357525ba345e636d3830c35274cad38a692e63a791b1547f3595c0f21a
Instruction Fuzzy Hash: 3A21AF71E00509EFDF00DFA5C945BEEB7BAEF46354F084469E441AB241E770AE05DBA0

Function 00662782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0066280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00662824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00662832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00662840

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: b0b069560c1199767e95b7356a701a80a6653e17b830057a4c498f4d03c4645c
Instruction ID: c1ddd6d2500b34f8e78b10f03763a69c7fe56eaf1529cfbba1ff9d12db188d09
Opcode Fuzzy Hash: b0b069560c1199767e95b7356a701a80a6653e17b830057a4c498f4d03c4645c
Instruction Fuzzy Hash: EE219031205912AFD7149B24CC55FAA7B9AAF85324F14815DF4668B7E2C7B1EC42C7D0

Function 006378F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00638D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0063790A,?,000000FF,?,00638754,00000000,?,0000001C,?,?), ref: 00638D8C
Part of subcall function 00638D7D: lstrcpyW.KERNEL32(00000000,?,?,0063790A,?,000000FF,?,00638754,00000000,?,0000001C,?,?,00000000), ref: 00638DB2
Part of subcall function 00638D7D: lstrcmpiW.KERNEL32(00000000,?,0063790A,?,000000FF,?,00638754,00000000,?,0000001C,?,?), ref: 00638DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00638754,00000000,?,0000001C,?,?,00000000), ref: 00637923
lstrcpyW.KERNEL32(00000000,?,?,00638754,00000000,?,0000001C,?,?,00000000), ref: 00637949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00638754,00000000,?,0000001C,?,?,00000000), ref: 00637984

Strings

cdecl, xrefs: 0063797B

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 8b725cf91b54ada494249529c5628ed86703ea2ee8908a5db3e7af6f9523b137
Instruction ID: c86099e4df867f3ee99863c95f0d737302f7296e6f2843e2512c9f51e4e34e40
Opcode Fuzzy Hash: 8b725cf91b54ada494249529c5628ed86703ea2ee8908a5db3e7af6f9523b137
Instruction Fuzzy Hash: 0A11E17A200342AFCB259F35C844EBA77AAFF85350B00412AF842CB3A4EB719801C7A1

Function 00667CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00667D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00667D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00667D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0064B7AD,00000000), ref: 00667D6B

Part of subcall function 005E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 005E9BB2

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: c1f60ff1c998f549fca43310f798f2494a539de30cbd65f930fab64766a2a800
Instruction ID: 0ab557c8dc2b56ff6e62165ed1b9075f6820345bc726e435c0932fcbf0854906
Opcode Fuzzy Hash: c1f60ff1c998f549fca43310f798f2494a539de30cbd65f930fab64766a2a800
Instruction Fuzzy Hash: 66117231605655AFCB109F28CC04ABA3BAAAF46374F155B24F835DB2F0E731AD51DB50

Function 00665660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 006656BB
_wcslen.LIBCMT ref: 006656CD
_wcslen.LIBCMT ref: 006656D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00665816

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 0b733de439959ccf5d07868e1f4b956e1371c9de7540bb4fcaad09cdf8fe0318
Instruction ID: 01a13377cd78ab56c2eb3a521988e13a926187eded50c33770d6d3b0c03ceaf6
Opcode Fuzzy Hash: 0b733de439959ccf5d07868e1f4b956e1371c9de7540bb4fcaad09cdf8fe0318
Instruction Fuzzy Hash: 0711037160060996DF209F61CC86AFE3BADFF11764F10416AF926D6181EBB4DA80CF60

Function 00601D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ba5e66bc7ce0957321c79aa150b6de9fb02ed9137fdc9e7dfcd7ae0533906e2
Instruction ID: e8612ba032b55a0743e0064b10270e91d42b4f2da4a8b636a7379edb75d25426
Opcode Fuzzy Hash: 1ba5e66bc7ce0957321c79aa150b6de9fb02ed9137fdc9e7dfcd7ae0533906e2
Instruction Fuzzy Hash: CF01D6B2289A163FF76526B86CC0F67661FDF837B8F30132AF521652D2EB608C005174

Function 00631A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00631A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00631A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00631A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00631A8A

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: ea0f1f6237a0611c982f7f5b04e1a6bfd26629404d174fa3c7447ad4bc317a6e
Instruction ID: 34bcedf4cef8becfeb87ced2b23071ca0d14978d27c9ed74bfe4373126f306b2
Opcode Fuzzy Hash: ea0f1f6237a0611c982f7f5b04e1a6bfd26629404d174fa3c7447ad4bc317a6e
Instruction Fuzzy Hash: 1F11393AD01219FFEB10DBA4CD85FADBB79EB09750F200092EA00BB290D6716E50DB94

Function 0063E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0063E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0063E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0063E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0063E24D

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 61dcd61879f9405c0b890c43dd9cbdf6b0bad36be9c139ebb8a50b92d577dbec
Instruction ID: 9a1ede1cd43702f1e43a020b3a11dfc7d7d42e7a5908099855e4bb03e5c19e66
Opcode Fuzzy Hash: 61dcd61879f9405c0b890c43dd9cbdf6b0bad36be9c139ebb8a50b92d577dbec
Instruction Fuzzy Hash: E8110876904654BBCB01AFA89C19AEF7FAFAB46320F004215F914E33D0D6B19A008BF0

Function 005FD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,005FCFF9,00000000,00000004,00000000), ref: 005FD218
GetLastError.KERNEL32 ref: 005FD224
__dosmaperr.LIBCMT ref: 005FD22B
ResumeThread.KERNEL32(00000000), ref: 005FD249

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 7695b8a3936d2455dd218a77530ec16c95a1d6eecd9125d8afc97db19ea8f581
Instruction ID: 047098645dbc3e973ae615aad68e057bbb3f01540e932bef9f638cc53e5068b9
Opcode Fuzzy Hash: 7695b8a3936d2455dd218a77530ec16c95a1d6eecd9125d8afc97db19ea8f581
Instruction Fuzzy Hash: EA01803A80560DBBDB116BA5DC09ABB7E7AFF82731F104219FA25961D0DBB58901C6B0

Function 00669EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 005E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 005E9BB2

GetClientRect.USER32(?,?), ref: 00669F31
GetCursorPos.USER32(?), ref: 00669F3B
ScreenToClient.USER32(?,?), ref: 00669F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00669F7A

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 10598426be244e6699f155fce0c4d3a726bbab9e73c8331f954948a809d0fd56
Instruction ID: f17a59d9d4bb1812eb4370b44ba54ddef069f2533bacc9a4e672e74eb5088660
Opcode Fuzzy Hash: 10598426be244e6699f155fce0c4d3a726bbab9e73c8331f954948a809d0fd56
Instruction Fuzzy Hash: 4B11573690051AABDB00EFA9C8899FE7BBEFB46321F014455F942E7140D770BA91CBB5

Function 005D600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 005D604C
GetStockObject.GDI32(00000011), ref: 005D6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 005D606A

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 1f8009845728019f687f2190abcc8ba25a1931967092ce1e6a0107a795ca4b65
Instruction ID: 4f9db831795deb15ce2aabeecd303313076910738766a085426d5b6561f112bf
Opcode Fuzzy Hash: 1f8009845728019f687f2190abcc8ba25a1931967092ce1e6a0107a795ca4b65
Instruction Fuzzy Hash: A9118E72101508BFEF225F98CC58AEABF6AFF09364F040107FA1452110C7729C61DB91

Function 005F3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 005F3B56

Part of subcall function 005F3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 005F3AD2
Part of subcall function 005F3AA3: ___AdjustPointer.LIBCMT ref: 005F3AED

_UnwindNestedFrames.LIBCMT ref: 005F3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 005F3B7C
CallCatchBlock.LIBVCRUNTIME ref: 005F3BA4

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 2e8e7f6edcbb35a034975a3fce74a2296d3d26c3300556e946aa06c036ddff1d
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 5201C53210014EBBEF125E95CC4AEEB7F6AFF98754F044015FA4866121C63AE9619BA0

Function 00603073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,005D13C6,00000000,00000000,?,0060301A,005D13C6,00000000,00000000,00000000,?,0060328B,00000006,FlsSetValue), ref: 006030A5
GetLastError.KERNEL32(?,0060301A,005D13C6,00000000,00000000,00000000,?,0060328B,00000006,FlsSetValue,00672290,FlsSetValue,00000000,00000364,?,00602E46), ref: 006030B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0060301A,005D13C6,00000000,00000000,00000000,?,0060328B,00000006,FlsSetValue,00672290,FlsSetValue,00000000), ref: 006030BF

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 5e9badd64de266b9acae1c648eec28b7d95cbcab445b2cef9f1da4ad8619df9d
Instruction ID: 5e85198d93f989791ce62eb5246cec1f97c53c744346cf1e61e2a5405c62dacc
Opcode Fuzzy Hash: 5e9badd64de266b9acae1c648eec28b7d95cbcab445b2cef9f1da4ad8619df9d
Instruction Fuzzy Hash: 9A01F732392732ABCB354B799C449A77B9EAF05B72B104621F947E73C0D721DA02C6E0

Function 00637464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0063747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00637497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 006374AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 006374CA

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 2e2ff4718e7d88dc5df3053aeeac34754bb0836c7a68febb35b87a11d7b3fb83
Instruction ID: 785a15b7e73cb4094919614026cf489c16ba3f32c543ab3b9850caf44d8f9231
Opcode Fuzzy Hash: 2e2ff4718e7d88dc5df3053aeeac34754bb0836c7a68febb35b87a11d7b3fb83
Instruction Fuzzy Hash: CC11A1F12057149BE730CF54EC08BA27BFEEB00B10F108569E656D6152D7B0F904DB90

Function 0063B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0063ACD3,?,00008000), ref: 0063B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0063ACD3,?,00008000), ref: 0063B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0063ACD3,?,00008000), ref: 0063B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0063ACD3,?,00008000), ref: 0063B126

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 9798e215e27d5cbf3aefaeebe3a01d38fcbebf301dd469c50244b129051baa19
Instruction ID: fc639010470c4e08c0334ce0fd4f0d0ba4e5681b48e7b9b58c9986f709f3d313
Opcode Fuzzy Hash: 9798e215e27d5cbf3aefaeebe3a01d38fcbebf301dd469c50244b129051baa19
Instruction Fuzzy Hash: 4211A130C0091DD7CF04AFE4E9586FEBF79FF0A310F005085DA81B6245CB7055508B91

Function 00667E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00667E33
ScreenToClient.USER32(?,?), ref: 00667E4B
ScreenToClient.USER32(?,?), ref: 00667E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00667E8A

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 0acbe48516708aae563572cc9cc631d1705110ae812ee0e81a8a40eb0e75d383
Instruction ID: 7fb0a3d4f29fb6404fe2a18104fee38dd828b1e5e6dcbb4785ab4a5af805a7f2
Opcode Fuzzy Hash: 0acbe48516708aae563572cc9cc631d1705110ae812ee0e81a8a40eb0e75d383
Instruction Fuzzy Hash: 5E1183B9D0020AAFDB41CF98C884AEEBBF9FF08310F509066E951E3210D775AA54CF90

Function 00632DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00632DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00632DD6
GetCurrentThreadId.KERNEL32 ref: 00632DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00632DE4

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 09326d93d4fea2454aa2a91ad71edc359f36d6993a5630d7864c7dab3bf08f25
Instruction ID: 33dd2fb42d4b6a75bd1ca6b05174d9083e81c17f964e0b21d632d08e106aca6d
Opcode Fuzzy Hash: 09326d93d4fea2454aa2a91ad71edc359f36d6993a5630d7864c7dab3bf08f25
Instruction Fuzzy Hash: 6EE06D71101A247ADB202B63DC0DEFB7E6EEF42BB1F001015F106D10809AE19841D6F0

Function 00668863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 005E9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 005E9693
Part of subcall function 005E9639: SelectObject.GDI32(?,00000000), ref: 005E96A2
Part of subcall function 005E9639: BeginPath.GDI32(?), ref: 005E96B9
Part of subcall function 005E9639: SelectObject.GDI32(?,00000000), ref: 005E96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00668887
LineTo.GDI32(?,?,?), ref: 00668894
EndPath.GDI32(?), ref: 006688A4
StrokePath.GDI32(?), ref: 006688B2

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 0a1b10da62eb212acf73720382b4ff200cd683c3373c7bbc4e7acdbd7189ab5c
Instruction ID: 32a2bef9fbc4a3c98e301e1901cfa415da6f9bcecc5deedc3efea6ccf5344ace
Opcode Fuzzy Hash: 0a1b10da62eb212acf73720382b4ff200cd683c3373c7bbc4e7acdbd7189ab5c
Instruction Fuzzy Hash: DEF05E36041659FADB126F94AC0DFDE3F5AAF0A320F048100FA51661E1C7B55511CFE5

Function 005E98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 005E98CC
SetTextColor.GDI32(?,?), ref: 005E98D6
SetBkMode.GDI32(?,00000001), ref: 005E98E9
GetStockObject.GDI32(00000005), ref: 005E98F1

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 9c5f453bfcb43e1e0d8872b698df8577ca8b7b3a666cc9f6d9afedb2f5b7d445
Instruction ID: 8d2af7892eb1b3765c0781f5782f2ef160d8a259e7b75cb1d088376722bac863
Opcode Fuzzy Hash: 9c5f453bfcb43e1e0d8872b698df8577ca8b7b3a666cc9f6d9afedb2f5b7d445
Instruction Fuzzy Hash: E0E06531244A80AADB215F78BC09BE97F52AB12335F049219F6FA940E1C7B146509F11

Function 0063162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00631634
OpenThreadToken.ADVAPI32(00000000,?,?,?,006311D9), ref: 0063163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,006311D9), ref: 00631648
OpenProcessToken.ADVAPI32(00000000,?,?,?,006311D9), ref: 0063164F

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 70088db9da140307b3913abb5a8c67aadc4738c28fbb4ebbb7a88c3cbe3b57bc
Instruction ID: 2c84387f51d553a0066eea0fa63cb323439a27f3966dc19dc8e1c9e576c1f133
Opcode Fuzzy Hash: 70088db9da140307b3913abb5a8c67aadc4738c28fbb4ebbb7a88c3cbe3b57bc
Instruction Fuzzy Hash: C5E08631601611EBD7201FE19D0DFA63B7EAF467A1F144808F685DD080D6B54440C790

Function 0062D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0062D858
GetDC.USER32(00000000), ref: 0062D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0062D882
ReleaseDC.USER32(?), ref: 0062D8A3

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 5db9c0863c413274801ee1d3dcffe49e1c6745b7ff7af1d29a8de39d5482cabf
Instruction ID: 493ab8c2829fd371b0b018db4f1264ec927950bfe8f9e0e973ac5fe37712d6c9
Opcode Fuzzy Hash: 5db9c0863c413274801ee1d3dcffe49e1c6745b7ff7af1d29a8de39d5482cabf
Instruction Fuzzy Hash: 9FE01AB5800605EFCB419FA0D80C67DBFB2FB08320F14A40AE88AE7350C7B95901AF54

Function 0062D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0062D86C
GetDC.USER32(00000000), ref: 0062D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0062D882
ReleaseDC.USER32(?), ref: 0062D8A3

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 9578bec4d519ceec8593cb8befc588b06d41212ab12e8d504976de680d586778
Instruction ID: 82f60a94e3acb8b4015d633d24d56356f8516aacfa7097f33516ff7620f9e7d8
Opcode Fuzzy Hash: 9578bec4d519ceec8593cb8befc588b06d41212ab12e8d504976de680d586778
Instruction Fuzzy Hash: D9E012B0800601EFCB50AFA0D80C66DBFB2FB08320B14A40AE88AE7350CBB95901AF54

Function 00644D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 005D7620: _wcslen.LIBCMT ref: 005D7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00644ED4

Strings

*, xrefs: 00644E10
LPT, xrefs: 00644DFB

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 2bcf5f55ce189f15a88008ec55ff5c12968e518664359752969ad3e196a09aff
Instruction ID: 94ed937bf255bcffbc256496a4c4f069278a567468cd52a5b3c85054b57553a5
Opcode Fuzzy Hash: 2bcf5f55ce189f15a88008ec55ff5c12968e518664359752969ad3e196a09aff
Instruction Fuzzy Hash: BE917275A002059FCB14DF58C485FA9BBF6BF88304F158099E80A9F362DB31ED85CB91

Function 005FE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 005FE30D

Strings

pow, xrefs: 005FE2E5, 005FE302

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: b2809b64004147b40e563ecf8fcc3c7ef64470ab0a59e18c9640e4af2000c140
Instruction ID: 7a5e67792f688acf887fa66125a9f8b82a589b11bb5af4974b1f3f419e928cf1
Opcode Fuzzy Hash: b2809b64004147b40e563ecf8fcc3c7ef64470ab0a59e18c9640e4af2000c140
Instruction Fuzzy Hash: F8514B61E8D20696CB1D7718CD063BB2FA6BF40740F304D59E1D5463F9EB38ACD19A46

Function 00657771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0062569E,00000000,?,0066CC08,?,00000000,00000000), ref: 006578DD

Part of subcall function 005D6B57: _wcslen.LIBCMT ref: 005D6B6A

CharUpperBuffW.USER32(0062569E,00000000,?,0066CC08,00000000,?,00000000,00000000), ref: 0065783B

Strings

<si, xrefs: 006577C8

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <si
API String ID: 3544283678-3796645423
Opcode ID: 3f9c7bd1f64a94215c7894c43155ea7c85232d7901544d4a67bd6736130557ae
Instruction ID: ceaf47e95b89bfb1da9e955d901a60e33fdc9c317a97c337c96c8f5d3c74ee13
Opcode Fuzzy Hash: 3f9c7bd1f64a94215c7894c43155ea7c85232d7901544d4a67bd6736130557ae
Instruction Fuzzy Hash: 6D61707291411AABCF14EBA8DC95DFDBB79BF54301F440527F942A3291EF305A0ACBA0

Function 005EE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 005EE1B1

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: dc802a5c427044f2d405d6869464020c1a58bc452300fa2bd9228256086602d5
Instruction ID: 727f899d93880361ad7efbd0a8002873808f73c8cea7a01d3345938fb525dbe5
Opcode Fuzzy Hash: dc802a5c427044f2d405d6869464020c1a58bc452300fa2bd9228256086602d5
Instruction Fuzzy Hash: 5A514639600296DFDB18DF68D4466FA7FAAFF55310F248066E8919B3C0D6359D42CBA0

Function 005EF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 005EF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 005EF2BB

Strings

@, xrefs: 005EF2AF

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: bfb0cfaea92d07913273b7660ebbe0e5c8c53cabae7ef7895d8e0ffb918c2363
Instruction ID: 9a4f3355188a16a2f54b0e23b28dc2c050c0574c20b989200415dac7bb2d007f
Opcode Fuzzy Hash: bfb0cfaea92d07913273b7660ebbe0e5c8c53cabae7ef7895d8e0ffb918c2363
Instruction Fuzzy Hash: 90513B714087469BD320AF14DC8ABABBBF8FBC5300F81885EF1D941295EB709529CB66

Function 00655745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 006557E0
_wcslen.LIBCMT ref: 006557EC

Strings

CALLARGARRAY, xrefs: 006557E6, 006557EB

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: ec46d725ae0b0fe5c364053f94651ebb2621853bd17cf8f08e9083b5fd85f918
Instruction ID: 32165a254b4e75e64def41b3a04cd784408f040ac24938e882f6415dae9171d3
Opcode Fuzzy Hash: ec46d725ae0b0fe5c364053f94651ebb2621853bd17cf8f08e9083b5fd85f918
Instruction Fuzzy Hash: C741C431E002199FCB14DFA9C8999FEBBB6FF59321F10402AE806A7351E7719D85CB90

Function 0064D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0064D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0064D13A

Strings

|, xrefs: 0064D10B

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: b10d033532b8712f380e3bc684a25ac8874f8f04cc90cc8831796236225333ca
Instruction ID: e803660c1f9dc4e57d100463858c6151cb071782d65e211e9667a53ad0a4bdd7
Opcode Fuzzy Hash: b10d033532b8712f380e3bc684a25ac8874f8f04cc90cc8831796236225333ca
Instruction Fuzzy Hash: AC312C75D0020AABCF15EFA4CC89AEF7FBAFF44300F00001AF915A6261D731AA06DB50

Function 0066356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00663621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0066365C

Strings

static, xrefs: 006635BC

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 55c152a58cf6e4b0f704d0b9f352c7fc7d8d7a20cf3ec8a860fa2c52cd4133d2
Instruction ID: 9b65a9ce59b2b12fb17f06765436d136ee147960fa5d50c325eff8eaa9eafa0e
Opcode Fuzzy Hash: 55c152a58cf6e4b0f704d0b9f352c7fc7d8d7a20cf3ec8a860fa2c52cd4133d2
Instruction Fuzzy Hash: E4318D71100614AEDB209F78DC80EFB77AAFF89724F00961AF9A5D7390DA71AD81C760

Function 00664537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0066461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00664634

Strings

', xrefs: 0066458E

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 80804d2e1e7dd2726de9756b0761bc9595d2d32e022f5f195ab519e554411635
Instruction ID: 53b90f3539537b322ce169176998b3bbc42c4e812b32979a1f1c502f33b8fcd2
Opcode Fuzzy Hash: 80804d2e1e7dd2726de9756b0761bc9595d2d32e022f5f195ab519e554411635
Instruction Fuzzy Hash: 5E311874A0120A9FDF14CFA9C990BDA7BB6FF49340F14406AE905EB351DB70A941CF90

Function 006631EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0066327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00663287

Strings

Combobox, xrefs: 00663249

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: fe1cc8e53873b9b74c5756c91ffdd992c806ac3fb195192fa1c94940ec98058c
Instruction ID: 528b9868fcfce7d314f2f73caeecc6089c0fa47b43970ddcd1658cd380c8b7b4
Opcode Fuzzy Hash: fe1cc8e53873b9b74c5756c91ffdd992c806ac3fb195192fa1c94940ec98058c
Instruction Fuzzy Hash: F71190712002197FEF219F54DC94EFB3BAFEB953A4F104129F91897390D6719E518760

Function 00663710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 005D600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 005D604C
Part of subcall function 005D600E: GetStockObject.GDI32(00000011), ref: 005D6060
Part of subcall function 005D600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 005D606A

GetWindowRect.USER32(00000000,?), ref: 0066377A
GetSysColor.USER32(00000012), ref: 00663794

Strings

static, xrefs: 00663757

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: ea26ca10ba81232b2822a47f5ad7b4362d59a25e3d5220030056a64cbff5e68d
Instruction ID: d5652f840495f702c57034211704e83441a272fa8c78566370237e7d57e377e2
Opcode Fuzzy Hash: ea26ca10ba81232b2822a47f5ad7b4362d59a25e3d5220030056a64cbff5e68d
Instruction Fuzzy Hash: 2C1159B261021AAFDB00DFA8CC45AFA7BB9FB09314F004515F956E2250E775E8519B50

Function 0064CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0064CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0064CDA6

Strings

<local>, xrefs: 0064CD66

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 43c76cc4c269167d8268ab0b6acf6b821e3e364df6c67a0981bc4274b3754015
Instruction ID: 282a98c129ebad29eb54a8f9b9b47b21b1ac18219b9857fe095b7ea02152346d
Opcode Fuzzy Hash: 43c76cc4c269167d8268ab0b6acf6b821e3e364df6c67a0981bc4274b3754015
Instruction Fuzzy Hash: D0110271A06631BAD7785B66CC48EF3BEAEEF527B4F00422AB10983280D3709841D6F0

Function 00663429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 006634AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 006634BA

Strings

edit, xrefs: 0066348F

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: be62c57fd83bc365cff49d8ea6c6e2749b40804156551a890137cd5e9b5d96cc
Instruction ID: 4badd019862002f64fc0c124d44a377c546a52059c042e8e3aed698d1a17fb76
Opcode Fuzzy Hash: be62c57fd83bc365cff49d8ea6c6e2749b40804156551a890137cd5e9b5d96cc
Instruction Fuzzy Hash: DC119D71100118ABEB114E64DC44AFA77ABEB05374F504324F961933E0CB71EC919B50

Function 00636C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 005D9CB3: _wcslen.LIBCMT ref: 005D9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00636CB6
_wcslen.LIBCMT ref: 00636CC2

Strings

STOP, xrefs: 00636CBC, 00636CC1

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 60827625fc5ce4d568006642b890c113afff7290c73968857254e25ac5c4ff2f
Instruction ID: 8992c3be68ae3c92b570fdcce7aa707b6141bad56d68b93a2485bdcf04312cce
Opcode Fuzzy Hash: 60827625fc5ce4d568006642b890c113afff7290c73968857254e25ac5c4ff2f
Instruction Fuzzy Hash: 4D010432600527AACB209FBDDC858FF77BAFFA1714F004529F85296291EA31D800C790

Function 00631CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005D9CB3: _wcslen.LIBCMT ref: 005D9CBD

Part of subcall function 00633CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00633CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00631D4C

Strings

ComboBox, xrefs: 00631CEB
ListBox, xrefs: 00631D16

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 98a40791f3adac534876ae486eacf7a8060250f89587386e1f3d5f9c7b5da397
Instruction ID: a067adede77f66fc6b691921df0ddac2a62ae0cca23b18c5b867ba0a24e596dd
Opcode Fuzzy Hash: 98a40791f3adac534876ae486eacf7a8060250f89587386e1f3d5f9c7b5da397
Instruction Fuzzy Hash: B701D471601229ABCB18EBA4DD55CFE77AAFF57350F04061BF8726B3D1EA30590987A0

Function 00631BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005D9CB3: _wcslen.LIBCMT ref: 005D9CBD

Part of subcall function 00633CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00633CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00631C46

Strings

ComboBox, xrefs: 00631BE5
ListBox, xrefs: 00631C10

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 2c8b3cf22b8a5460721a1fca4293a21e6f0651b6f5e36d83ae8f81093af277ea
Instruction ID: 1961109c5bedb3dea7ea28458cec41e778ea51edee17408fb4c661109b179106
Opcode Fuzzy Hash: 2c8b3cf22b8a5460721a1fca4293a21e6f0651b6f5e36d83ae8f81093af277ea
Instruction Fuzzy Hash: CD01F77178010566CF14EBA4CA559FF77AAAB52340F10102BB40667381EA249E0887F1

Function 00631C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005D9CB3: _wcslen.LIBCMT ref: 005D9CBD

Part of subcall function 00633CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00633CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00631CC8

Strings

ComboBox, xrefs: 00631C69
ListBox, xrefs: 00631C94

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: e9d358f3000c5afcfa897d15648ef5416b25712c8c2a8fdf00b7fcc311a95382
Instruction ID: 516e0aaf9cc7e1862db2cf410709ef169521a6159b253cc7cb801d10e11d935b
Opcode Fuzzy Hash: e9d358f3000c5afcfa897d15648ef5416b25712c8c2a8fdf00b7fcc311a95382
Instruction Fuzzy Hash: 4401D671B8011967CF14EBA4CA15AFE77AEAF12340F14101BB80277381EA649F09D6B2

Function 005EA4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 005EA529

Part of subcall function 005D9CB3: _wcslen.LIBCMT ref: 005D9CBD

Strings

,%j, xrefs: 005EA509
3yb, xrefs: 005EA545, 005EA54D, 005EA552

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%j$3yb
API String ID: 2551934079-1169086100
Opcode ID: 7c760608c29de3e5327003438b899d17a34b3a73c3e464a2ae7af045badacc57
Instruction ID: 163e2fdfe1d5de04a6a08b2b408b9388cfeeb92e0577b802fb2c22407e144afd
Opcode Fuzzy Hash: 7c760608c29de3e5327003438b899d17a34b3a73c3e464a2ae7af045badacc57
Instruction Fuzzy Hash: 8B014731B4066687CA18F77DE85FAAC3F55BB86710F441466F541172C3DE107D018A97

Function 00631D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005D9CB3: _wcslen.LIBCMT ref: 005D9CBD

Part of subcall function 00633CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00633CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00631DD3

Strings

ComboBox, xrefs: 00631D75
ListBox, xrefs: 00631DA0

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c432dda215c0aaa4e7625d57fa94b2ae3f156c00d4898038f17596e361725cca
Instruction ID: aa19f43ea1b76ee8fb22a607f17a21fbfa2f1e0c1fe2447765fc80a372078792
Opcode Fuzzy Hash: c432dda215c0aaa4e7625d57fa94b2ae3f156c00d4898038f17596e361725cca
Instruction Fuzzy Hash: C5F0F471B4021566CB14E7A8CC56AFE776DBF43750F04091AB822673C1DA60590886A0

Function 00668172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,006A3018,006A305C), ref: 006681BF
CloseHandle.KERNEL32 ref: 006681D1

Strings

\0j, xrefs: 0066818A

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0j
API String ID: 3712363035-3905335411
Opcode ID: 5a2eff4a058567355ffa18e604622c7230494b1782fb29b85c49e41078b4948e
Instruction ID: 64e74cf36d77c5b293ca81b1626b7c7f7df2945441ad60e42fd7d0498ceeeb15
Opcode Fuzzy Hash: 5a2eff4a058567355ffa18e604622c7230494b1782fb29b85c49e41078b4948e
Instruction Fuzzy Hash: A5F054F1640314BEE3107B656C45FB77E5EEB06754F005421FB08D52A1D6799E008BB4

Function 0065747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00657493
_wcslen.LIBCMT ref: 006574B9

Strings

3, 3, 16, 1, xrefs: 00657483

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 249695010ce50864fcb3acae5970f5e486d1447f6c4a61c4cce53486b361105c
Instruction ID: af1e9f6c6461ea562d2edbbb0662c2093a052d1ed41dfab013f3552b604645ff
Opcode Fuzzy Hash: 249695010ce50864fcb3acae5970f5e486d1447f6c4a61c4cce53486b361105c
Instruction Fuzzy Hash: 36E02B023142211093311279FDC59BF5ACFDFC5752B14182FFE85C2366EAD88D9593A0

Function 00630B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00630B23

Strings

Error allocating memory., xrefs: 00630B1C
AutoIt, xrefs: 00630B17

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 5dbb660261b0362f49d7bc0cdb26146583aceadfb3b183965ffa579264829115
Instruction ID: 8b9b753d83a1a5711c8873ef792abdfe3540a690aa058e97f43baaa83e83f993
Opcode Fuzzy Hash: 5dbb660261b0362f49d7bc0cdb26146583aceadfb3b183965ffa579264829115
Instruction Fuzzy Hash: 8FE0D83124474926D31437557C07F997E899F05B20F100427F7C8955C38ED2645007E9

Function 005F0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 005EF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,005F0D71,?,?,?,005D100A), ref: 005EF7CE

IsDebuggerPresent.KERNEL32(?,?,?,005D100A), ref: 005F0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,005D100A), ref: 005F0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 005F0D7F

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 990600f77073500f70ab834aa79962b1c31000115910898e97a086a3885ffa64
Instruction ID: e03c2c46f0d8dc6b71d08411ae632ebbb66aa76ea423d81297cc3b7610f6bedf
Opcode Fuzzy Hash: 990600f77073500f70ab834aa79962b1c31000115910898e97a086a3885ffa64
Instruction Fuzzy Hash: C7E06D742007518BD7309FBCE4083667FE6BB04744F04992EE982C6692EBB6E4448B91

Function 005EE398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 005EE3D5

Strings

8%j, xrefs: 005EE3CA
0%j, xrefs: 005EE3B5

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%j$8%j
API String ID: 1385522511-4048573861
Opcode ID: 2b218949b600adb177a07ac321b1717ad6f724781c7b95d1c915623ebe030ff8
Instruction ID: ff4221804de93a5cb59658d27f7acd750bae99986a337a5efbeac198952448c4
Opcode Fuzzy Hash: 2b218949b600adb177a07ac321b1717ad6f724781c7b95d1c915623ebe030ff8
Instruction Fuzzy Hash: 47E02635CA0956CBC70CBB1DF87AA98BB93BB4E320B102965E142875D29B343C418E54

Function 00643017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0064302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00643044

Strings

aut, xrefs: 00643038

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 3f91d474bf3a1fd5f9eea40c334500c31d4fc57d925b7aefa84b9028a59c07dd
Instruction ID: c24454339bb40827f6aab72caeb39d105decb2c8b72e37f8d6b6eaddeb545e62
Opcode Fuzzy Hash: 3f91d474bf3a1fd5f9eea40c334500c31d4fc57d925b7aefa84b9028a59c07dd
Instruction Fuzzy Hash: 6BD05B7150031467DB209794DC0DFD73A6CD704760F000151BA95D2091DAF49644CAD0

Function 0062D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0062D220

Strings

%.3d, xrefs: 0062D22B
X64, xrefs: 0062D2A8

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: e886ce776387450fb963685b7694386224ec380c92d5bf8df137de9bf28950a1
Instruction ID: bdd9836331a5055bd8946272a744a67592491019d08795661557d15a2432d020
Opcode Fuzzy Hash: e886ce776387450fb963685b7694386224ec380c92d5bf8df137de9bf28950a1
Instruction Fuzzy Hash: 6AD0127180A529E9CB5097E0EC498B9B77DBB18301F608452FE4691040E624C709AF61

Function 00662356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0066236C
PostMessageW.USER32(00000000), ref: 00662373

Part of subcall function 0063E97B: Sleep.KERNEL32 ref: 0063E9F3

Strings

Shell_TrayWnd, xrefs: 00662365

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: b860539ec58df242b55be1acf29e49c25fcfe8e3249e717da82a6c3639850e78
Instruction ID: 473631f5830b7befdf90c23d1ff26fad91bdaa7d6fc83fe90b27dd9b90f0a77b
Opcode Fuzzy Hash: b860539ec58df242b55be1acf29e49c25fcfe8e3249e717da82a6c3639850e78
Instruction Fuzzy Hash: 6DD0C9323817507AEAA4B770EC0FFD66A1A9B04B20F015916B686EA1D0C9E0A8018A58

Function 00662322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0066232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0066233F

Part of subcall function 0063E97B: Sleep.KERNEL32 ref: 0063E9F3

Strings

Shell_TrayWnd, xrefs: 00662325

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 4cfa5f9f071c49f509e87e9e25ec398a85a15dc0ec411adce4b79ae29d81851d
Instruction ID: af32c21afc9ace9d2fc1eb65a6f68437cd72d7111c4486f496dceaad0123d765
Opcode Fuzzy Hash: 4cfa5f9f071c49f509e87e9e25ec398a85a15dc0ec411adce4b79ae29d81851d
Instruction Fuzzy Hash: 73D01236394750B7EBA4B770EC0FFD67A1A9B04B20F015916B786EA1D0C9F0A801CB58

Function 0060BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0060BE93
GetLastError.KERNEL32 ref: 0060BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0060BEFC

Memory Dump Source

Source File: 00000000.00000002.1656493658.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1656479820.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656577753.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656639895.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656671280.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: d1835828c1b40b3eafbb35f30313d8890811ea7963f8744301e2e0a2c15978f8
Instruction ID: 63989cec4e200968c54cd1dcb3c9da8df53186ed9b056c532778199b91a88413
Opcode Fuzzy Hash: d1835828c1b40b3eafbb35f30313d8890811ea7963f8744301e2e0a2c15978f8
Instruction Fuzzy Hash: 1841B334644207AFCF298F64CC58AFBBBA6AF42760F14D169FA59972E1DB308D01CB50

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1Host: youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1Host: www.youtube.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=-1327898630&timestamp=1727801468384 HTTP/1.1Host: accounts.youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=518=0jIR8A63mCRIzTBwmdGqIqWjWghRcH8gCIZLMboZZ11qnbl-WtS7MwujYzAzMhY1rElGXEhzAXUjlgxv3xejc8Rj61e-r23QsRNi-qfhq6hUAeHTv6WRTrrPuw-zJtP5S2B4KUXWcwZuoFnJW5cO3feC6VO7gzB-EcBh-CajFnwLqbnWYw
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=EuaRpt6nfYoHfLm&MD=6Nzt8SER HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=EuaRpt6nfYoHfLm&MD=6Nzt8SER HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 71

Chrome Cache Entry: 72

Chrome Cache Entry: 73

Chrome Cache Entry: 74

Chrome Cache Entry: 75

Chrome Cache Entry: 76

Chrome Cache Entry: 77

Chrome Cache Entry: 78

Chrome Cache Entry: 79

Chrome Cache Entry: 80

Chrome Cache Entry: 81

Chrome Cache Entry: 82

Chrome Cache Entry: 83

Chrome Cache Entry: 84

Chrome Cache Entry: 85

Static File Info

General

File Icon

Windows Analysis Report
file.exe

Function 005D42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 005D42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00612BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 0063D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Function 0063DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Function 0065AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Function 005D2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 0061065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 005D344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 005D2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 005D3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 005D1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre