Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1523617
MD5:	9a7ab60c3dbe9ce509444cbad406e780
SHA1:	98a3cb0741ef82e1a40c322876f469eb1c0e2464
SHA256:	7623a2671d712b7e06555134bc022d04ca40320536d318cd9e2def298b819b9b
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Potential key logger detected (key state polling based)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 6332 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 9A7AB60C3DBE9CE509444CBAD406E780)

chrome.exe (PID: 6568 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 1076 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2404 --field-trial-handle=2084,i,13302933831953037132,5803645740188378487,262144 --disable-features=CrashRecovery /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7944 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5388 --field-trial-handle=2084,i,13302933831953037132,5803645740188378487,262144 --disable-features=CrashRecovery /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7956 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 --field-trial-handle=2084,i,13302933831953037132,5803645740188378487,262144 --disable-features=CrashRecovery /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 6332	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

String found in binary or memory: _.iq(p)+"/familylink/privacy/notice/embedded?langCountry="+_.iq(p);break;case "PuZJUb":a+="https://www.youtube.com/t/terms?chromeless=1&hl="+_.iq(m);break;case "fxTQxb":a+="https://youtube.com/t/terms?gl="+_.iq(_.rq(c))+"&hl="+_.iq(d)+"&override_hl=1"+(f?"&linkless=1":"");break;case "prAmvd":a+="https://www.google.com/intl/"+_.iq(m)+"/chromebook/termsofservice.html?languageCode="+_.iq(d)+"&regionCode="+_.iq(c);break;case "NfnTze":a+="https://policies.google.com/privacy/google-partners"+(f?"/embedded": equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: accounts.youtube.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com

Source: unknown

HTTP traffic detected: POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveContent-Length: 519sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"Content-Type: application/x-www-form-urlencoded;charset=UTF-8sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"X-Goog-AuthUser: 0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*Origin: https://accounts.google.comX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: chromecache_80.3.dr	String found in binary or memory: https://accounts.google.com
Source: chromecache_80.3.dr	String found in binary or memory: https://accounts.google.com/TOS?loc=
Source: file.exe, 00000000.00000003.1652998231.0000000000F40000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1653374757.0000000000F43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd
Source: chromecache_86.3.dr	String found in binary or memory: https://apis.google.com/js/api.js
Source: chromecache_80.3.dr	String found in binary or memory: https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage
Source: chromecache_80.3.dr	String found in binary or memory: https://families.google.com/intl/
Source: chromecache_86.3.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/drive_2020q4/v10/192px.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/gmail_2020q4/v10/web-48dp/logo_gmail_2020q4_color_2x_web_
Source: chromecache_86.3.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/maps/v7/192px.svg
Source: chromecache_80.3.dr	String found in binary or memory: https://g.co/recover
Source: chromecache_80.3.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_80.3.dr	String found in binary or memory: https://play.google.com/work/enroll?identifier=
Source: chromecache_80.3.dr	String found in binary or memory: https://play.google/intl/
Source: chromecache_80.3.dr	String found in binary or memory: https://policies.google.com/privacy
Source: chromecache_80.3.dr	String found in binary or memory: https://policies.google.com/privacy/additional
Source: chromecache_80.3.dr	String found in binary or memory: https://policies.google.com/privacy/google-partners
Source: chromecache_80.3.dr	String found in binary or memory: https://policies.google.com/technologies/cookies
Source: chromecache_80.3.dr	String found in binary or memory: https://policies.google.com/technologies/location-data
Source: chromecache_80.3.dr	String found in binary or memory: https://policies.google.com/terms
Source: chromecache_80.3.dr	String found in binary or memory: https://policies.google.com/terms/location
Source: chromecache_80.3.dr	String found in binary or memory: https://policies.google.com/terms/service-specific
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-email-pin.gif
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-password.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-or-voice-pin.gif
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-pin.gif
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-stop-go-landing-page_1x.png
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/animation/
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_device.png
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_pin.png
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync.png
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_1x.png
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_2x.png
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_darkmode_1x.png
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/continue_on_your_phone.png
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_phone_number_verification.png
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_silent_tap_yes_darkmode.gif
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes.gif
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes_darkmode.gif
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success_darkmode.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_dark_v2.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated_darkmode.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_v2.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_not_ready.png
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_1.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_dark_1.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_1.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_darkmode_1.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_1.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_darkmode_1.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_created.png
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device_darkmode.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_full_house.png
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_1.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_darkmode_1.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision_darkmode.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_1.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_darkmode_1.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_1.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_darkmode_1.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device_darkmode.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_stop.png
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/personalization_reminders.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/phone_number_sign_in_2x.png
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop_darkmode.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key.gif
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_ios_center.png
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_laptop.gif
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered.gif
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered_darkmode.gif
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_phone.gif
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_ios.gif
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_pulldown.gif
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_tapyes.gif
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/smart_lock_2x.png
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/usb_key.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/web_and_app_activity.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/who_will_be_using_this_device.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/you_tube_history.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available_dark.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/gmail_ios_authzen.gif
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/paaskey.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge_darkmode.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_darkmode.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device_darkmode.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_darkmode.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error_darkmode.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth_darkmode.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success_darkmode.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror_darkmode.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_dark.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_light.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/screenlock.png
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_ipad.gif
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone.gif
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_nfc.gif
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_usb.gif
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_phone.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_keys.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2_darkmode.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/loading_spinner_gm.gif
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/progress_spinner_color_20dp_4x.gif
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/success-gm-default_2x.png
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/apps/signup/resources/custom-email-address.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/images/hpp/shield_security_checkup_green_2x_web_96dp.png
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_dark_1.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_v1.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_dark_v1.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_v1.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_dark_v1.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_v1.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked_dark.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp_dark.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents_dark.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset_dark.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices_darkmode.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid_dark.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail_dark.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps_darkmode.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_confirmation.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore_dark.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro_darkmode.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18_darkmode.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms_dark.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings_darkmode.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search_darkmode.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18_darkmode.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18_darkmode.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18_darkmode.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_darkmode.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad_dark.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_0.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_dark_0.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization_darkmode.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation_darkmode.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error_darkmode.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork_darkmode.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro_darkmode.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results_darkmode.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search_darkmode.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications_dark.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_2.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_dark_2.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_2.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_dark_2.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_2.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_dark_2.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_2.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_dark_2.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_2.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_dark_3.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_1.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_dark_1.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_1.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_dark_1.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_2.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_dark_2.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_1.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_dark_1.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_2.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_dark_2.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_dark_v2.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_v2.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set_dark.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent_dark.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction_dark.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error_dark.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work_dark.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps_dark.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls_dark.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent_dark.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen_dark.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice_darkmode.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation_dark.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation_dark.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email_dark.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set_darkmode.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set_dark.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_dark.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_v2.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2_dark.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2_dark.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink_dark.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling_dark.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_dark_v2.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_v2.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2_dark.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup_dark.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2_dark.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2_dark.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2_dark.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help_dark.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space.png
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space_dark.png
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol_dark.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation_dark.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits_dark.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2_dark.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess.svg
Source: chromecache_86.3.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess_dark.svg
Source: chromecache_80.3.dr	String found in binary or memory: https://support.google.com/accounts?hl=
Source: chromecache_80.3.dr	String found in binary or memory: https://support.google.com/accounts?p=new-si-ui
Source: chromecache_80.3.dr	String found in binary or memory: https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072
Source: chromecache_86.3.dr	String found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
Source: chromecache_80.3.dr	String found in binary or memory: https://www.google.com
Source: chromecache_80.3.dr	String found in binary or memory: https://www.google.com/intl/
Source: chromecache_86.3.dr	String found in binary or memory: https://www.gstatic.com/accounts/speedbump/authzen_optin_illustration.gif
Source: chromecache_86.3.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/chrome_48dp.png
Source: chromecache_86.3.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/googleg_48dp.png
Source: chromecache_86.3.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/gsa_48dp.png
Source: chromecache_86.3.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/play_prism_48dp.png
Source: chromecache_86.3.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/youtube_48dp.png
Source: chromecache_80.3.dr	String found in binary or memory: https://www.gstatic.com/images/branding/productlogos/googleg/v6/36px.svg
Source: chromecache_80.3.dr	String found in binary or memory: https://www.youtube.com/t/terms?chromeless=1&hl=
Source: file.exe, 00000000.00000003.1653359007.0000000000F50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: chromecache_80.3.dr	String found in binary or memory: https://youtube.com/t/terms?gl=

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.4:49784 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0056EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0056EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0056ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0056ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0056EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0055AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0055AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00589576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00589576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.1651675260.00000000005B2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e959bd08-9
Source: file.exe, 00000000.00000000.1651675260.00000000005B2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_e2d9d049-8
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_9fa2b8fb-2
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_d19bfa8c-3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0055D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0055D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00551201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00551201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0055E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0055E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004FBF40	0_2_004FBF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00562046	0_2_00562046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004F8060	0_2_004F8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00558298	0_2_00558298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0052E4FF	0_2_0052E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0052676B	0_2_0052676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00584873	0_2_00584873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004FCAF0	0_2_004FCAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0051CAA0	0_2_0051CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0050CC39	0_2_0050CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00526DD9	0_2_00526DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0050B119	0_2_0050B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004F91C0	0_2_004F91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00511394	0_2_00511394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00511706	0_2_00511706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0051781B	0_2_0051781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0050997D	0_2_0050997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004F7920	0_2_004F7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005119B0	0_2_005119B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00517A4A	0_2_00517A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00511C77	0_2_00511C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00517CA7	0_2_00517CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0057BE44	0_2_0057BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00529EEE	0_2_00529EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00511F32	0_2_00511F32

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0050F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00510A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@31/30@12/7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005637B5 GetLastError,FormatMessageW,

0_2_005637B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005510BF AdjustTokenPrivileges,CloseHandle,		0_2_005510BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005516C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_005516C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005651CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_005651CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0055D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0055D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0056648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0056648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004F42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_004F42A2

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 13%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2404 --field-trial-handle=2084,i,13302933831953037132,5803645740188378487,262144 --disable-features=CrashRecovery /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5388 --field-trial-handle=2084,i,13302933831953037132,5803645740188378487,262144 --disable-features=CrashRecovery /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 --field-trial-handle=2084,i,13302933831953037132,5803645740188378487,262144 --disable-features=CrashRecovery /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2404 --field-trial-handle=2084,i,13302933831953037132,5803645740188378487,262144 --disable-features=CrashRecovery /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5388 --field-trial-handle=2084,i,13302933831953037132,5803645740188378487,262144 --disable-features=CrashRecovery /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 --field-trial-handle=2084,i,13302933831953037132,5803645740188378487,262144 --disable-features=CrashRecovery /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004F42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00510A76 push ecx; ret

0_2_00510A89

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0050F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0050F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00581C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00581C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-69596

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.5 %

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0055DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0055DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005668EE FindFirstFileW,FindClose,	0_2_005668EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0056698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0056698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0055D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0055D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0055D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0055D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00569642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00569642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0056979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0056979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00569B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00569B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00565C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00565C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004F42DE

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0056EAA2 BlockInput,

0_2_0056EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00522622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00522622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004F42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00514CE8 mov eax, dword ptr fs:[00000030h]

0_2_00514CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00550B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00550B62

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00522622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00522622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0051083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0051083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005109D5 SetUnhandledExceptionFilter,	0_2_005109D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00510C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00510C21

Source: C:\Users\user\Desktop\file.exe

0_2_00551201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00532BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00532BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0055B226 SendInput,keybd_event,

0_2_0055B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005722DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_005722DA

Source: C:\Users\user\Desktop\file.exe

0_2_00550B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00551663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00551663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00510698 cpuid

0_2_00510698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00568195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00568195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0052BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0052BB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004F42DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6332, type: MEMORYSTR

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6332, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00571204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00571204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00571806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00571806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	2 Valid Accounts	2 Valid Accounts	2 Valid Accounts	21 Input Capture	2 System Time Discovery	Remote Services	21 Input Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Virtualization/Sandbox Evasion	LSASS Memory	12 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	21 Access Token Manipulation	1 Disable or Modify Tools	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Process Injection	21 Access Token Manipulation	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	2 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	15 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	13%	ReversingLabs
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://play.google/intl/	0%	URL Reputation	safe
https://families.google.com/intl/	0%	URL Reputation	safe
https://policies.google.com/technologies/location-data	0%	URL Reputation	safe
https://apis.google.com/js/api.js	0%	URL Reputation	safe
https://policies.google.com/privacy/google-partners	0%	URL Reputation	safe
https://policies.google.com/terms/service-specific	0%	URL Reputation	safe
https://g.co/recover	0%	URL Reputation	safe
https://policies.google.com/privacy/additional	0%	URL Reputation	safe
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	0%	URL Reputation	safe
https://policies.google.com/technologies/cookies	0%	URL Reputation	safe
https://policies.google.com/terms	0%	URL Reputation	safe
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	0%	URL Reputation	safe
https://support.google.com/accounts?hl=	0%	URL Reputation	safe
https://policies.google.com/terms/location	0%	URL Reputation	safe
https://policies.google.com/privacy	0%	URL Reputation	safe
https://support.google.com/accounts?p=new-si-ui	0%	URL Reputation	safe
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
youtube-ui.l.google.com	142.250.185.174	true	false	unknown
www3.l.google.com	142.250.186.174	true	false	unknown
play.google.com	142.250.185.238	true	false	unknown
www.google.com	216.58.206.68	true	false	unknown
youtube.com	172.217.16.142	true	false	unknown
accounts.youtube.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Reputation
https://play.google.com/log?format=json&hasfast=true&authuser=0	false	unknown
https://www.google.com/favicon.ico	false	unknown
https://play.google.com/log?hasfast=true&authuser=0&format=json	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google/intl/	chromecache_80.3.dr	false	URL Reputation: safe	unknown
https://families.google.com/intl/	chromecache_80.3.dr	false	URL Reputation: safe	unknown
https://youtube.com/t/terms?gl=	chromecache_80.3.dr	false		unknown
https://policies.google.com/technologies/location-data	chromecache_80.3.dr	false	URL Reputation: safe	unknown
https://www.google.com/intl/	chromecache_80.3.dr	false		unknown
https://apis.google.com/js/api.js	chromecache_86.3.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/google-partners	chromecache_80.3.dr	false	URL Reputation: safe	unknown
https://play.google.com/work/enroll?identifier=	chromecache_80.3.dr	false		unknown
https://policies.google.com/terms/service-specific	chromecache_80.3.dr	false	URL Reputation: safe	unknown
https://g.co/recover	chromecache_80.3.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/additional	chromecache_80.3.dr	false	URL Reputation: safe	unknown
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	chromecache_80.3.dr	false	URL Reputation: safe	unknown
https://policies.google.com/technologies/cookies	chromecache_80.3.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms	chromecache_80.3.dr	false	URL Reputation: safe	unknown
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	chromecache_86.3.dr	false	URL Reputation: safe	unknown
https://www.google.com	chromecache_80.3.dr	false		unknown
https://play.google.com/log?format=json&hasfast=true	chromecache_80.3.dr	false		unknown
https://www.youtube.com/t/terms?chromeless=1&hl=	chromecache_80.3.dr	false		unknown
https://support.google.com/accounts?hl=	chromecache_80.3.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms/location	chromecache_80.3.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy	chromecache_80.3.dr	false	URL Reputation: safe	unknown
https://support.google.com/accounts?p=new-si-ui	chromecache_80.3.dr	false	URL Reputation: safe	unknown
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	chromecache_80.3.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.174	www3.l.google.com	United States	15169	GOOGLEUS	false
142.250.185.238	play.google.com	United States	15169	GOOGLEUS	false
216.58.206.68	www.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.185.174	youtube-ui.l.google.com	United States	15169	GOOGLEUS	false
172.217.16.142	youtube.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.4

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523617
Start date and time:	2024-10-01 20:53:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@31/30@12/7
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 36 Number of non-executed functions: 305
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 216.58.206.67, 142.250.181.238, 108.177.15.84, 34.104.35.123, 142.250.186.67, 142.250.186.131, 142.250.181.234, 216.58.212.138, 142.250.185.106, 142.250.185.138, 142.250.185.170, 142.250.185.74, 142.250.186.106, 142.250.186.42, 142.250.186.74, 172.217.18.10, 216.58.206.42, 142.250.184.234, 142.250.186.170, 142.250.184.202, 142.250.185.202, 142.250.185.234, 172.217.16.202, 142.250.74.202, 172.217.16.138, 142.250.186.138, 216.58.206.74, 199.232.210.172, 192.229.221.95, 142.250.184.227, 74.125.71.84, 142.250.186.142
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, slscr.update.microsoft.com, fonts.gstatic.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com, www.gstatic.com, optimizationguide-pa.googleapis.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	https://sharing.clickup.com/9011385758/t/h/868a15nvk/VTTN7SYFPHZE3IT	Get hash	malicious	HTMLPhisher	Browse
	PO#150623.html	Get hash	malicious	Unknown	Browse
	https://finalstepgetshere.com/uploads/beta111.zip	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse
	Translink_rishi.vasandani_Advice81108.pdf	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	https://finalstepgetshere.com/uploads/beta9.zip	Get hash	malicious	LummaC	Browse
	https://hwvtu.us17.list-manage.com/track/click?u=b34582412f60404066a5f49b0&id=a034dac789&e=6353042e9a	Get hash	malicious	Unknown	Browse
	http://innerglowjourney.com	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	moba-24.2-installer_M64ZB-1.exe	Get hash	malicious	PureLog Stealer	Browse

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	PO#150623.html	Get hash	malicious	Unknown	Browse	4.175.87.197 184.28.90.27
	https://finalstepgetshere.com/uploads/beta111.zip	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	4.175.87.197 184.28.90.27
	Translink_rishi.vasandani_Advice81108.pdf	Get hash	malicious	Unknown	Browse	4.175.87.197 184.28.90.27
	file.exe	Get hash	malicious	Credential Flusher	Browse	4.175.87.197 184.28.90.27
	https://finalstepgetshere.com/uploads/beta9.zip	Get hash	malicious	LummaC	Browse	4.175.87.197 184.28.90.27
	https://hwvtu.us17.list-manage.com/track/click?u=b34582412f60404066a5f49b0&id=a034dac789&e=6353042e9a	Get hash	malicious	Unknown	Browse	4.175.87.197 184.28.90.27
	http://innerglowjourney.com	Get hash	malicious	Unknown	Browse	4.175.87.197 184.28.90.27
	file.exe	Get hash	malicious	Credential Flusher	Browse	4.175.87.197 184.28.90.27
	https://bit.ly/4eqfXtg	Get hash	malicious	Unknown	Browse	4.175.87.197 184.28.90.27
	$R3ET6JM.htm	Get hash	malicious	Unknown	Browse	4.175.87.197 184.28.90.27

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (683)
Category:	downloaded
Size (bytes):	3131
Entropy (8bit):	5.3750044852869046
Encrypted:	false
SSDEEP:	48:o7zfN/cD498xdg+Y5jNQ8js6npwk0OmNAEZbpMzR4EQBcW5QcHj9KWfGAeFKRrw:oCD9dA5jOEGh+EFqR4rhqUhzff9w
MD5:	39693D34EE3D1829DBB1627C4FC6687B
SHA1:	A03303C2F027F3749B48D5134D1F8FB3E495C6E9
SHA-256:	03B0C1B4E402E0BCF75D530DD9085B25357EEFD09E238453DE1F3A042542C076
SHA-512:	AC0749EDC33DA0EC0E40470388DD797B6528AD08B8FAC1C2AC42F85198131052BA1B533E90409D35DA237607E8B07D591FA6BA580B6A90B0D0AB2282A01F7585
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ZwDk9d,RMhBfe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("ZwDk9d");.var bA=function(a){_.X.call(this,a.Fa)};_.J(bA,_.X);bA.Ba=_.X.Ba;bA.prototype.wR=function(a){return _.af(this,{Wa:{HS:_.ol}}).then(function(b){var c=window._wjdd,d=window._wjdc;return!c&&d?new _.oi(function(e){window._wjdc=function(f){d(f);e(PJa(f,b,a))}}):PJa(c,b,a)})};var PJa=function(a,b,c){return(a=a&&a[c])?a:b.Wa.HS.wR(c)};.bA.prototype.aa=function(a,b){var c=_.csa(b).Gj;if(c.startsWith("$")){var d=_.jm.get(a);_.xq[b]&&(d\|\|(d={},_.jm.set(a,d)),d[c]=_.xq[b],delete _.xq[b],_.yq--);if(d)if(a=d[c])b=_.ef(a);else throw Error("Jb`"+b);else b=null}else b=null;return b};_.iu(_.Mfa,bA);._.l();._.k("SNUn3");._.OJa=new _.uf(_.Ag);._.l();._.k("RMhBfe");.var QJa=function(a){var b=_.wq(a);return b?new _.oi(function(c,d){var e=function(){b=_.wq(a);var f=_.Tfa(a,b);f?c(f.getAttribute("jsdata")):window.document.readyState=="complete"?(f=["Unable to find deferred jsdata wit

Chrome Cache Entry: 75

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (1694)
Category:	downloaded
Size (bytes):	32499
Entropy (8bit):	5.361345284201954
Encrypted:	false
SSDEEP:	768:mLX1O+aL6fgyIiREM4RKmh90toLoTswtF3ATcbDR6kIsnJd9DPyMv/FI:U2M4oltoLoTswtFoc/tIsnXFLI
MD5:	D5C3FB8EAE24AB7E40009338B5078496
SHA1:	5638BF5986A6445A88CD79A9B690B744B126BEC2
SHA-256:	597C14D360D690BCFDC2B8D315E6BB8879AEF33DE6C30D274743079BDB63C6B0
SHA-512:	6AE434850D473BEF15AA694AB4862596982CDDA6BD3991991D3ADD8F4A5F61DFBF8756D0DA98B72EF083909D68CF7B6B148A6488E9381F92FBF15CCB20176A0E
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=_b,_tp/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=byfTOb,lsjVmc,LEikZe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{.var qua=function(a,b){this.da=a;this.ea=b;if(!c){var c=new _.gp("//www.google.com/images/cleardot.gif");_.rp(c)}this.ka=c};_.h=qua.prototype;_.h.Vc=null;_.h.QY=1E4;_.h.Iz=!1;_.h.TP=0;_.h.qJ=null;_.h.DU=null;_.h.setTimeout=function(a){this.QY=a};_.h.start=function(){if(this.Iz)throw Error("dc");this.Iz=!0;this.TP=0;rua(this)};_.h.stop=function(){sua(this);this.Iz=!1};.var rua=function(a){a.TP++;navigator!==null&&"onLine"in navigator&&!navigator.onLine?_.om((0,_.eg)(a.JG,a,!1),0):(a.aa=new Image,a.aa.onload=(0,_.eg)(a.Xia,a),a.aa.onerror=(0,_.eg)(a.Wia,a),a.aa.onabort=(0,_.eg)(a.Via,a),a.qJ=_.om(a.Yia,a.QY,a),a.aa.src=String(a.ka))};_.h=qua.prototype;_.h.Xia=function(){this.JG(!0)};_.h.Wia=function(){this.JG(!1)};_.h.Via=function(){this.JG(!1)};_.h.Yia=function(){this.JG(!1)};._.h.JG=function(a){sua(this);a?(this.Iz=!1,this.da.call(this.ea,!0)):this.TP<=0?rua(this):(this.Iz=!1,

Chrome Cache Entry: 76

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (395)
Category:	downloaded
Size (bytes):	1608
Entropy (8bit):	5.280977407061266
Encrypted:	false
SSDEEP:	48:o7YNJvl3WlENrpB3stYCIgMxILNH/wf7DVTBpdQrw:oApB8iDwYlGw
MD5:	4FB66582D37D04933F00E49C2FBA34D4
SHA1:	3DB09C53BBEB1EEB045A001356E498D8EF30915D
SHA-256:	A97DAC01ABFE3EB75C7C97D504E21BDDDADDB6EBE0B56B6A9A10CD3700CAB41B
SHA-512:	2AEB3A6CFFBF6EFA626EBDC9E11ACBAC04BFE986F98FBC050B2501898B289C67D392ED195D16ACC9565EF8784401ADA1E88188CDE3A7AB12D98BB5ED7D8A5711
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=w9hDv,ZDZcre,A7fCU"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("w9hDv");._.zg(_.Kla);_.$z=function(a){_.X.call(this,a.Fa);this.aa=a.Wa.cache};_.J(_.$z,_.X);_.$z.Ba=function(){return{Wa:{cache:_.Zs}}};_.$z.prototype.execute=function(a){_.Gb(a,function(b){var c;_.df(b)&&(c=b.eb.jc(b.jb));c&&this.aa.oG(c)},this);return{}};_.iu(_.Qla,_.$z);._.l();._.k("ZDZcre");.var ZG=function(a){_.X.call(this,a.Fa);this.Nl=a.Ea.Nl;this.G3=a.Ea.metadata;this.aa=a.Ea.Ws};_.J(ZG,_.X);ZG.Ba=function(){return{Ea:{Nl:_.DG,metadata:_.HZa,Ws:_.AG}}};ZG.prototype.execute=function(a){var b=this;a=this.aa.create(a);return _.Gb(a,function(c){var d=b.G3.getType(c.Md())===2?b.Nl.Pb(c):b.Nl.fetch(c);return _.Jl(c,_.EG)?d.then(function(e){return _.Jd(e)}):d},this)};_.iu(_.Vla,ZG);._.l();._.k("K5nYTd");._.GZa=new _.uf(_.Rla);._.l();._.k("sP4Vbe");.._.l();._.k("kMFpHd");.._.l();._.k("A7fCU");.var GG=function(a){_.X.call(this,a.Fa);this.aa=a.Ea.ZP};_.J(GG,_.X);GG.Ba=func

Chrome Cache Entry: 77

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (681)
Category:	downloaded
Size (bytes):	4070
Entropy (8bit):	5.362700670482359
Encrypted:	false
SSDEEP:	96:GUpT+TmXtdW1qsHFcn7t7CnyWYvNTcLaQOw:lpT+qXW1PFcn7tGnyWY1TGb
MD5:	ED368A20CB303C0E7C6A3E6E43C2E14F
SHA1:	429A5C538B45221F80405163D1F87912DD73C05A
SHA-256:	93BA77AD4B11E0A70C0D36576F0DF24E27F50001EA02BAA6D357E034532D97F2
SHA-512:	DE74BBADE910475DD245FFEFD4E1FD10137DE710B1C920D33BA52554911496E1339EF3C1F6D9D315CBC98A60ABE5687A3E7D8BEE483708E18D25722E794BDBE9
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=sOXFj,q0xTif,ZZ4WUe"
Preview:	"use strict";_F_installCss(".N7rBcd{overflow-x:auto}sentinel{}");.this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.zg(_.dqa);._.k("sOXFj");.var ou=function(a){_.X.call(this,a.Fa)};_.J(ou,_.X);ou.Ba=_.X.Ba;ou.prototype.aa=function(a){return a()};_.iu(_.cqa,ou);._.l();._.k("oGtAuc");._.oya=new _.uf(_.dqa);._.l();._.k("q0xTif");.var iza=function(a){var b=function(d){_.Zn(d)&&(_.Zn(d).Gc=null,_.yu(d,null));d.XyHi9&&(d.XyHi9=null)};b(a);a=a.querySelectorAll("[c-wiz]");for(var c=0;c<a.length;c++)b(a[c])},Ku=function(a){_.et.call(this,a.Fa);this.Qa=this.dom=null;if(this.Vk()){var b=_.Jm(this.Mg(),[_.Om,_.Nm]);b=_.ri([b[_.Om],b[_.Nm]]).then(function(c){this.Qa=c[0];this.dom=c[1]},null,this);_.cu(this,b)}this.Ra=a.Xl.Hda};_.J(Ku,_.et);Ku.Ba=function(){return{Xl:{Hda:function(a){return _.Ye(a)}}}};Ku.prototype.yp=function(a){return this.Ra.yp(a)};.Ku.prototype.getData=function(a){return this.Ra.getData(a)};Ku.prototype.vp=function(){_.Ft(this.d

Chrome Cache Entry: 78

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	downloaded
Size (bytes):	5430
Entropy (8bit):	3.6534652184263736
Encrypted:	false
SSDEEP:	48:wIJct3xIAxG/7nvWDtZcdYLtX7B6QXL3aqG8Q:wIJct+A47v+rcqlBPG9B
MD5:	F3418A443E7D841097C714D69EC4BCB8
SHA1:	49263695F6B0CDD72F45CF1B775E660FDC36C606
SHA-256:	6DA5620880159634213E197FAFCA1DDE0272153BE3E4590818533FAB8D040770
SHA-512:	82D017C4B7EC8E0C46E8B75DA0CA6A52FD8BCE7FCF4E556CBDF16B49FC81BE9953FE7E25A05F63ECD41C7272E8BB0A9FD9AEDF0AC06CB6032330B096B3702563
Malicious:	false
URL:	https://www.google.com/favicon.ico
Preview:	............ .h...&... .... .........(....... ..... ............................................0...................................................................................................................................v.].X.:.X.:.r.Y........................................q.X.S.4.S.4.S.4.S.4.S.4.S.4...X....................0........q.W.S.4.X.:.................J...A...g.........................K.H.V.8..........................F..B.....................,.......................................B..............................................B..B..B..B..B...u..........................................B..B..B..B..B...{.................5.......k...........................................................7R..8F.................................................2........Vb..5C..;I..................R^.....................0................Xc..5C..5C..5C..5C..5C..5C..lv..........................................]i..<J..:G..Zf....................................................

Chrome Cache Entry: 79

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 52280, version 1.0
Category:	downloaded
Size (bytes):	52280
Entropy (8bit):	7.995413196679271
Encrypted:	true
SSDEEP:	1536:1rvqtK8DZilXxwJ8mMwAZy7phqsFLdG3B4d:xytBZits8bw4wzbFxG3B4d
MD5:	F61F0D4D0F968D5BBA39A84C76277E1A
SHA1:	AA3693EA140ECA418B4B2A30F6A68F6F43B4BEB2
SHA-256:	57147F08949ABABE7DEEF611435AE418475A693E3823769A25C2A39B6EAD9CCC
SHA-512:	6C3BD90F709BCF9151C9ED9FFEA55C4F6883E7FDA2A4E26BF018C83FE1CFBE4F4AA0DB080D6D024070D53B2257472C399C8AC44EEFD38B9445640EFA85D5C487
Malicious:	false
URL:	https://fonts.gstatic.com/s/googlesans/v58/4UaRrENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iq2vgCI.woff2
Preview:	wOF2.......8.....................................^...$..4?HVAR..?MVAR9.`?STAT.',..J/.......`..(..Z.0..R.6.$.... .....K..[..q..c..T.....>.P.j.`.w..#...%......N.".....$..3.0.6......... .L.rX/r[j.y.\|(.4.%#.....2.v.m..-..%.....;-.Y.{..&..O=#l@...k..7g..ZI...#.Z./+T..r7...M..3).Z%.x....s..sL..[A!.51w'/.8V..2Z..%.X.h.o.).]..9..Q`.$.....7..kZ.~O........d..g.n.d.Rw+&....Cz..uy#..fz,(.J....v.%..`..9.....h...?O..:...c%.....6s....xl..#...5..._......1.>.)"U.4 W....?%......6//!$...!.n9C@n...........!""^.....W..Z<.7.x.."UT.T....E.."R>.R..t.....H d..e_.K../.+8.Q.P.ZQ....;...U....]......._.e......71.?.7.ORv.?...l...G\|.P...\|:...I.X..2.,.L........d.g.]}W#uW]QnuP-s.;.-Y.....].......C..j_.M0...y.......J..........NY..@A...,....-.F......'..w./j5g.vUS...U..0.&...y7.LP.....%.....Y......Y..D. e.A..G.?.$.......6...eaK.n5.m...N...,...+BCl..L> .E9~.b[.w.x....6<...}.e...%V....O.......*.?...a..#[eE.4..p..$...].....%......o._......N.._~..El....b..A.0.r8.....\|..D.d..

Chrome Cache Entry: 80

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (5693)
Category:	downloaded
Size (bytes):	697429
Entropy (8bit):	5.593310312179182
Encrypted:	false
SSDEEP:	6144:TYNlxfbDTYDhzCTNoygVWyJb5eGpbL2Mp15gI8seqfh53p+rrvV7i:T25bDTYB+qeGB+Nu
MD5:	92F0F5E28355D863ACB77313F1E675DE
SHA1:	8AD6F9B535D5B8952A4ADCCC57E4A4E0723F1E8D
SHA-256:	F903AE346609A2872554A3D8FFBDB1836CB5C8B7AAAED4C3F8296B887E03D833
SHA-512:	0C81A6CD850C6ACDBE9CCCBA00BBA34CDE1E09E8572814AE8E55DBED3C2B56F0B020359841F8217843B3403847DF46FA1C82229684F762A73C8110CE45898DAF
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=LEikZe,_b,_tp,byfTOb,lsjVmc/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=n73qwf,SCuOPb,IZT63,vfuNJf,UUJqVe,ws9Tlc,siKnQd,XVq9Qb,STuCOe,njlZCf,m9oV,vjKJJ,y5vRwf,iyZMqd,NTMZac,mzzZzc,rCcCxc,vvMGie,K1ZKnb,ziZ8Mc,b3kMqb,mvkUhe,CMcBD,Fndnac,t2srLd,EN3i8d,z0u0L,xiZRqc,NOeYWe,O6y8ed,L9OGUe,PrPYRd,MpJwZc,qPfo0c,cYShmd,hc6Ubd,Rkm0ef,KUM7Z,oLggrd,inNHtf,L1AAkb,WpP9Yc,lwddkf,gJzDyc,SpsfSb,aC1iue,tUnxGc,aW3pY,ZakeSe,EFQ78c,xQtZb,I6YDgd,zbML3c,zr1jrb,vHEMJe,YHI3We,YTxL4,bSspM,Uas9Hd,zy0vNb,K0PMbc,AvtSve,qmdT9,MY7mZe,xBaz7b,GwYlN,eVCnO,EIOG1e,LDQI"
Preview:	"use strict";_F_installCss(".r4WGQb{position:relative}.Dl08I>:first-child{margin-top:0}.Dl08I>:last-child{margin-bottom:0}.IzwVE{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-family:\"Google Sans\",roboto,\"Noto Sans Myanmar UI\",arial,sans-serif;font-size:1.25rem;font-weight:400;letter-spacing:0rem;line-height:1.2}.l5PPKe{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-size:1rem}.l5PPKe .dMNVAe{margin:0;padding:0}.l5PPKe>:first-child{margin-top:0;padding-top:0}.l5PPKe>:last-child{margin-bottom:0;padding-bottom:0}.Dl08I{margin:0;padding:0;position:relative}.Dl08I>.SmR8:only-child{padding-top:1px}.Dl08I>.SmR8:only-child::before{top:0}.Dl08I>.SmR8:not(first-child){padding-bottom:1px}.Dl08I>.SmR8::after{bottom:0}.Dl08I>.SmR8:only-child::before,.Dl08I>.SmR8::after{border-bottom:1px solid #c4c7c5;border-bottom:1px solid var(--gm3-sys-color-outline-variant,#c4c7c5);content:\"\";height:0;left:0;position:absolute;width:100%}.aZvCDf{margin-top:8px;margin-left

Chrome Cache Entry: 81

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (569)
Category:	downloaded
Size (bytes):	3471
Entropy (8bit):	5.5174491302699495
Encrypted:	false
SSDEEP:	96:ojAmjTJ/fJgpIcB7Fd2tilGBEMO/A6VxV08w:vUTJpgDJXM0ApJ
MD5:	2D999C87DD54C7FE6400D267C33FBB23
SHA1:	414C3A329C2760325EDBACBD7A221D7F8DBFEEE8
SHA-256:	76D55A1AFC1D39CB04D60EB04E45A538A0E75EE2871561C84CC89B1C13596BCC
SHA-512:	72D923BB71DD147139962FF8E2BD0E336E0F6409C212AC2F25387D0F3B4FC9365F5A6D40E2980BB1065534888362C97D6B7663E362D29166B5915D2A9DA7D238
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,wg1P6b,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=Wt6vjf,hhhU8,FCpbqb,WhJNk"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("Wt6vjf");.var Txa=function(){var a=_.Ke();return _.L(a,1)},Tt=function(a){this.Da=_.t(a,0,Tt.messageId)};_.J(Tt,_.w);Tt.prototype.Ha=function(){return _.Hj(this,1)};Tt.prototype.Va=function(a){return _.Yj(this,1,a)};Tt.messageId="f.bo";var Ut=function(){_.km.call(this)};_.J(Ut,_.km);Ut.prototype.ud=function(){this.jT=!1;Uxa(this);_.km.prototype.ud.call(this)};Ut.prototype.aa=function(){Vxa(this);if(this.hC)return Wxa(this),!1;if(!this.sV)return Vt(this),!0;this.dispatchEvent("p");if(!this.fP)return Vt(this),!0;this.jM?(this.dispatchEvent("r"),Vt(this)):Wxa(this);return!1};.var Xxa=function(a){var b=new _.gp(a.z4);a.WP!=null&&_.Mn(b,"authuser",a.WP);return b},Wxa=function(a){a.hC=!0;var b=Xxa(a),c="rt=r&f_uid="+_.sk(a.fP);_.fn(b,(0,_.eg)(a.ea,a),"POST",c)};.Ut.prototype.ea=function(a){a=a.target;Vxa(this);if(_.jn(a)){this.RJ=0;if(this.jM)this.hC=!1,this.dispatchEvent("r")

Chrome Cache Entry: 82

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (468)
Category:	downloaded
Size (bytes):	1858
Entropy (8bit):	5.253939888205379
Encrypted:	false
SSDEEP:	48:o7BNJfeFb8L3A6FHqIy5Z+d70OCzSfvi/3fM/r8ZQzRrw:oFuILhFHrVCz0vLZz9w
MD5:	10FF6F99E3228E96AFD6E2C30EF97C0A
SHA1:	4AE3DCB8D1F5A0C302D5BAD9DFF5050A7A5E8130
SHA-256:	95E5546E1C7F311D07BB5050CC456A973E43BCC4777BA6014757376016537679
SHA-512:	116C0B1CAC98A27044100005545AB66BE5F4801D75DC259093A9F145B3A4ACD8DC1C360AF525F6DC8421CD54B675A78023D2ED8B57F5946A3969543758C673C9
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=iAskyc,ziXSP"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("iAskyc");._.$Z=function(a){_.X.call(this,a.Fa);this.window=a.Ea.window.get();this.Mc=a.Ea.Mc};_.J(_.$Z,_.X);_.$Z.Ba=function(){return{Ea:{window:_.lu,Mc:_.vE}}};_.$Z.prototype.Mo=function(){};_.$Z.prototype.addEncryptionRecoveryMethod=function(){};_.a_=function(a){return(a==null?void 0:a.Go)\|\|function(){}};_.b_=function(a){return(a==null?void 0:a.N2)\|\|function(){}};_.OOb=function(a){return(a==null?void 0:a.Mp)\|\|function(){}};._.POb=function(a){return new Map(Array.from(a,function(b){var c=_.n(b);b=c.next().value;c=c.next().value;return[b,c.map(function(d){return{epoch:d.epoch,key:new Uint8Array(d.key)}})]}))};_.QOb=function(a){setTimeout(function(){throw a;},0)};_.$Z.prototype.WN=function(){return!0};_.iu(_.Dn,_.$Z);._.l();._.k("ziXSP");.var t_=function(a){_.$Z.call(this,a.Fa)};_.J(t_,_.$Z);t_.Ba=_.$Z.Ba;t_.prototype.Mo=function(a,b,c){var d;if((d=this.window.chrome)==nu

Chrome Cache Entry: 83

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (3346)
Category:	downloaded
Size (bytes):	22827
Entropy (8bit):	5.420322672717721
Encrypted:	false
SSDEEP:	384:/jqdWXWfyA20UUjDE8BSUxDJs16KHvSN34kaHaN+587SaXD2mLR0H:/jqdWXAUUjDE84Wi6KPSKjHaN+58+0J2
MD5:	2B29741A316862EE788996DD29116DD5
SHA1:	9D5551916D4452E977C39B8D69CF88DF2AAA462B
SHA-256:	62955C853976B722EFBB4C116A10DB3FF54580EDD7495D280177550B8F4289AB
SHA-512:	6E37C3258F07F29909763728DADE0CD40A3602D55D9099F78B37756926FCF2A50008B82876B518FEAF3E56617F0F7D1D37A73C346A99A58E6AD8BCD6689E9B15
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=RqjULd"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.pu.prototype.da=_.ca(38,function(){return _.vj(this,3)});_.Vy=function(a,b){this.key=a;this.defaultValue=!1;this.flagName=b};_.Vy.prototype.ctor=function(a){return typeof a==="boolean"?a:this.defaultValue};_.Wy=function(){this.ka=!0;var a=_.Bj(_.jk(_.Fe("TSDtV",window),_.pya),_.pu,1,_.uj())[0];if(a){var b={};for(var c=_.n(_.Bj(a,_.qya,2,_.uj())),d=c.next();!d.done;d=c.next()){d=d.value;var e=_.Nj(d,1).toString();switch(_.xj(d,_.qu)){case 3:b[e]=_.Lj(d,_.pj(d,_.qu,3));break;case 2:b[e]=_.Nj(d,_.pj(d,_.qu,2));break;case 4:b[e]=_.Oj(d,_.pj(d,_.qu,4));break;case 5:b[e]=_.L(d,_.pj(d,_.qu,5));break;case 6:b[e]=_.Sj(d,_.kf,6,_.qu);break;default:throw Error("id`"+_.xj(d,_.qu));}}}else b={};this.ea=b;this.token=.a?a.da():null};_.Wy.prototype.aa=function(a){if(!this.ka\|\|a.key in this.ea)a=a.ctor(this.ea[a.key]);else if(_.Fe("nQyAE",window)){var b=_.sya(a.flagName);if(b===null)a=a.def

Chrome Cache Entry: 84

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (522)
Category:	downloaded
Size (bytes):	5049
Entropy (8bit):	5.317800104741948
Encrypted:	false
SSDEEP:	96:oHX9gPiPrfnHhsB0TR6kg1oDPJzLmM18Vh1z2fEZ54TZtnqj6w:EtEAr6BmPZtOeEvW/ncP
MD5:	CE53EF566B68CCF2D62FA044CFB0D138
SHA1:	F48EC60289F2B55E8B388601206888F8295B1EB1
SHA-256:	E6CC5114D92811D5DE0663266D4B63F367834AFA0FC3BAFA54F707038C59D010
SHA-512:	20B434881DE971E263669E6096C01665D4D35B0FBFF47D312A4A442645EE962A8CE6AD7E68246D4EE9691BD30D9B1DDCF7059226492E1B58CD3191B63B001E4D
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=wg1P6b"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.$Ma=_.y("wg1P6b",[_.OA,_.Fn,_.Rn]);._.k("wg1P6b");.var M5a;M5a=_.oh(["aria-"]);._.mJ=function(a){_.Y.call(this,a.Fa);this.Ja=this.ta=this.aa=this.viewportElement=this.La=null;this.Tc=a.Ea.qf;this.ab=a.Ea.focus;this.Lc=a.Ea.Lc;this.ea=this.Ei();a=-1*parseInt(_.Fo(this.Ei().el(),"marginTop")\|\|"0",10);var b=parseInt(_.Fo(this.Ei().el(),"marginBottom")\|\|"0",10);this.Ta={top:a,right:0,bottom:b,left:0};a=_.gf(this.getData("isMenuDynamic"),!1);b=_.gf(this.getData("isMenuHoisted"),!1);this.Ga=a?1:b?2:0;this.ka=!1;this.Ca=1;this.Ga!==1&&(this.aa=this.Sa("U0exHf").children().Sc(0),_.fu(this,.N5a(this,this.aa.el())));_.mF(this.oa())&&(a=this.oa().el(),b=this.De.bind(this),a.__soy_skip_handler=b)};_.J(_.mJ,_.Y);_.mJ.Ba=function(){return{Ea:{qf:_.SE,focus:_.BE,Lc:_.mu}}};_.mJ.prototype.pF=function(a){var b=a.source;this.La=b;var c;((c=a.data)==null?0:c.Jy)?(a=a.data.Jy,this.Ca=a==="MOUS

Chrome Cache Entry: 85

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	84
Entropy (8bit):	4.875266466142591
Encrypted:	false
SSDEEP:	3:DZFJu0+WVTBCq2Bjdw2KsJJuYHSKnZ:lFJuuVTBudw29nu4SKZ
MD5:	87B6333E98B7620EA1FF98D1A837A39E
SHA1:	105DE6815B0885357DE1414BFC0D77FCC9E924EF
SHA-256:	DCD3C133C5C40BECD4100BBE6EDAE84C9735E778E4234A5E8395C56FF8A733BA
SHA-512:	867D7943D813685FAA76394E53199750C55817E836FD19C933F74D11E9657CE66719A6D6B2E39EE1DE62358BCE364E38A55F4E138DF92337DE6985DDCD5D0994
Malicious:	false
URL:	https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xMzISHgmA6QC9dWevzxIFDRkBE_oSBQ3oIX6GEgUN05ioBw==?alt=proto
Preview:	Cj0KBw0ZARP6GgAKKQ3oIX6GGgQISxgCKhwIClIYCg5AIS4jJF8qLSY/Ky8lLBABGP////8PCgcN05ioBxoA

Chrome Cache Entry: 86

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (553)
Category:	downloaded
Size (bytes):	603951
Entropy (8bit):	5.789949489744101
Encrypted:	false
SSDEEP:	3072:x0pApkygA62bwwdnO2YflNYhFGOizdGj008PpVVM96C5bMEPQUhts6FV8eKqtVAT:xlgNmwwdnOsF98oNGuQRAYqXsI1+
MD5:	036BC6CEC1912EAA63C716C2A7494AFC
SHA1:	C32891F55B0D7A86DCE1BDBB7B84DB21C2A09F4F
SHA-256:	1A6181C3DFAEE5919CE57152DCFFCDC4B151C5FB2969CFD62168C1711FF202CF
SHA-512:	0AAA2285D109114921B5FD8A15F9A3D1F218AF8C61054B3925965E6753F8A49B45798326EA986C4A6B6180B6C36292A4652E2BA730C7505684DAAA4B5C314675
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/excm=_b,_tp,identifierview/ed=1/dg=0/wt=2/ujg=1/rs=AOaEmlGsNipZrCRRMFQh1-tVmHSsIDzQTA/m=_b,_tp"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._._F_toggles_initialize=function(a){(typeof globalThis!=="undefined"?globalThis:typeof self!=="undefined"?self:this)._F_toggles=a\|\|[]};(0,_._F_toggles_initialize)([0x286081c4, 0x20469860, 0x1ce13c40, 0x51407a0, 0x1908, 0x0, 0x1b400000, 0x19a00000, 0x0, ]);./.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0././.. Copyright Google LLC. SPDX-License-Identifier: Apache-2.0././.. Copyright 2024 Google, Inc. SPDX-License-Identifier: MIT././. SPDX-License-Identifier: Apache-2.0././. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0./.var baa,daa,Na,Ua,gaa,iaa,lb,qaa,xaa,Daa,Iaa,Laa,Mb,Maa,Rb,Vb,Wb,Naa,Oaa,Xb,Paa,Qaa,Raa,ac,Waa,Yaa,ic,jc,kc,cba,dba,hba,kba,mba,nba,rba,uba,oba,tba,sba,qba,pba,vba,zba,Dba,Eba,Bba,Kc,Lc,Hba,Jba,Nba,Oba,Pba,Qba,Mba,Rba,Tba,gd,Vba,Wba,Yba,$ba,Zba,bca,cca,dca,eca,gca,fca,ica,jca,kca,lca,oca,r

Chrome Cache Entry: 87

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (755)
Category:	downloaded
Size (bytes):	1460
Entropy (8bit):	5.316515499943097
Encrypted:	false
SSDEEP:	24:kMYD7DduJqrxsNL90YIzFK/Hb5eNhz1uktdDuvKKKGbLZ99GbSSF/ZR8OkdnprGJ:o7DQJopFN+ASCKKGbF99GbSS3RY7rw
MD5:	D97AB4594FC610665FF2763A650EE6A8
SHA1:	5C7459CA838D27BE45745571D8D96D156F4B9F8D
SHA-256:	767D778369623FD8F5FB98D3BCC3130D05D02CBE0B9B88DD226F43281B14E9AF
SHA-512:	CE4941B41C3A8CC983C1BBCC87EF682823CB9DB24EA7A570E35BBF832046340D433F7D47211384B61FA38F3527CC35C195A6068CCB24B48E1F492C5B4D4192A1
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=P6sQOc"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("lOO0Vd");._.HZa=new _.uf(_.Km);._.l();._.k("P6sQOc");.var MZa=!!(_.Nh[1]&16);var OZa=function(a,b,c,d,e){this.ea=a;this.ta=b;this.ka=c;this.Ca=d;this.Ga=e;this.aa=0;this.da=NZa(this)},PZa=function(a){var b={};_.Ma(a.hS(),function(e){b[e]=!0});var c=a.WR(),d=a.cS();return new OZa(a.XO(),c.aa()1E3,a.oR(),d.aa()1E3,b)},NZa=function(a){return Math.random()Math.min(a.taMath.pow(a.ka,a.aa),a.Ca)},HG=function(a,b){return a.aa>=a.ea?!1:b!=null?!!a.Ga[b]:!0};var IG=function(a){_.X.call(this,a.Fa);this.da=a.Ea.mV;this.ea=a.Ea.metadata;a=a.Ea.lga;this.fetch=a.fetch.bind(a)};_.J(IG,_.X);IG.Ba=function(){return{Ea:{mV:_.KZa,metadata:_.HZa,lga:_.AZa}}};IG.prototype.aa=function(a,b){if(this.ea.getType(a.Md())!==1)return _.Vm(a);var c=this.da.JU;return(c=c?PZa(c):null)&&HG(c)?_.mya(a,QZa(this,a,b,c)):_.Vm(a)};.var QZa=function(a,b,c,d){return c.then(function(e){return e},function(e)

Chrome Cache Entry: 88

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (533)
Category:	downloaded
Size (bytes):	9210
Entropy (8bit):	5.3872171131917925
Encrypted:	false
SSDEEP:	192:FK/pAzN7GZ068Hqhqu6DQaVapzYjgKItwdiwUsYRTi1j1t9bRl9:FqI7GZ04dRYjghtgisYYbt9ll9
MD5:	AB70454DE18E1CE16E61EAC290FC304D
SHA1:	68532B5E8B262D7E14B8F4507AA69A61146B3C18
SHA-256:	B32D746867CC4FA21FD39437502F401D952D0A3E8DC708DFB7D58B85F256C0F1
SHA-512:	A123C517380BEF0B47F23A5A6E1D16650FE39D9C701F9FA5ADD79294973C118E8EA3A7BA32CB63C3DFC0CE0F843FB86BFFCAA2AAE987629E7DFF84F176DEBB98
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/ck=boq-identity.AccountsSignInUi.gkspycgpiCY.L.B1.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/exm=AvtSve,CMcBD,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PrPYRd,Rkm0ef,SCuOPb,STuCOe,SpsfSb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,byfTOb,cYShmd,eVCnO,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,qPfo0c,qmdT9,rCcCxc,siKnQd,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGbG-r9dBZftM0U0ZDPTNCqugT4jw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ltDFwf,SD8Jgb,rmumx,E87wgc,qPYxq,Tbb4sb,pxq3x,f8Gu1e,soHxf,YgOFye,yRXbo,bTi8wc,ywOR5c,PHUIyb"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.gNa=_.y("SD8Jgb",[]);._.QX=function(a,b){if(typeof b==="string")a.Nc(b);else if(b instanceof _.Ip&&b.ia&&b.ia===_.B)b=_.$a(b.ww()),a.empty().append(b);else if(b instanceof _.Wa)b=_.$a(b),a.empty().append(b);else if(b instanceof Node)a.empty().append(b);else throw Error("Vf");};_.RX=function(a){var b=_.Lo(a,"[jsslot]");if(b.size()>0)return b;b=new _.Jo([_.Qk("span")]);_.Mo(b,"jsslot","");a.empty().append(b);return b};_.TKb=function(a){return a===null\|\|typeof a==="string"&&_.Ki(a)};._.k("SD8Jgb");._.WX=function(a){_.Y.call(this,a.Fa);this.Ua=a.controller.Ua;this.kd=a.controllers.kd[0]\|\|null;this.header=a.controller.header;this.nav=a.controller.nav;var b;(b=this.oa().find("button:not([type])").el())==null\|\|b.setAttribute("type","button")};_.J(_.WX,_.Y);_.WX.Ba=function(){return{controller:{Ua:{jsname:"n7vHCb",ctor:_.hv},header:{jsname:"tJHJj",ctor:_.hv},nav:{jsname:"DH6Rkf",ct

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.579812006017445
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	917'504 bytes
MD5:	9a7ab60c3dbe9ce509444cbad406e780
SHA1:	98a3cb0741ef82e1a40c322876f469eb1c0e2464
SHA256:	7623a2671d712b7e06555134bc022d04ca40320536d318cd9e2def298b819b9b
SHA512:	0c6fc4f1c7418cce3716d4d6b7db71444ae44ea53121bf825509e77a86214d534a26d6f5b1563c3171211bc5439aa801e9f986cfb02ed49ff9acff1f734def50
SSDEEP:	12288:DqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaCTc:DqDEvCTbMWu7rQYlBQcBiT6rprG8aic
TLSH:	10159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FC441F [Tue Oct 1 18:49:03 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F2D5483F5B3h
jmp 00007F2D5483EEBFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F2D5483F09Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F2D5483F06Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F2D54841C5Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F2D54841CA8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F2D54841C91h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x95ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x95ac	0x9600	1c4b16972f534753e7e316851641af13	False	0.28596354166666665	data	5.164467572781099	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x872	data			1.0050878815911193
RT_GROUP_ICON	0xdd02c	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd0a4	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd0b8	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd0cc	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd0e0	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd1bc	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 20:53:59.925308943 CEST	49731	443	192.168.2.4	172.217.16.142
Oct 1, 2024 20:53:59.925348997 CEST	443	49731	172.217.16.142	192.168.2.4
Oct 1, 2024 20:53:59.925411940 CEST	49731	443	192.168.2.4	172.217.16.142
Oct 1, 2024 20:53:59.926954031 CEST	49731	443	192.168.2.4	172.217.16.142
Oct 1, 2024 20:53:59.926968098 CEST	443	49731	172.217.16.142	192.168.2.4
Oct 1, 2024 20:54:00.600701094 CEST	443	49731	172.217.16.142	192.168.2.4
Oct 1, 2024 20:54:00.602416992 CEST	49731	443	192.168.2.4	172.217.16.142
Oct 1, 2024 20:54:00.602451086 CEST	443	49731	172.217.16.142	192.168.2.4
Oct 1, 2024 20:54:00.602838039 CEST	443	49731	172.217.16.142	192.168.2.4
Oct 1, 2024 20:54:00.602899075 CEST	49731	443	192.168.2.4	172.217.16.142
Oct 1, 2024 20:54:00.603523970 CEST	443	49731	172.217.16.142	192.168.2.4
Oct 1, 2024 20:54:00.603581905 CEST	49731	443	192.168.2.4	172.217.16.142
Oct 1, 2024 20:54:00.605359077 CEST	49731	443	192.168.2.4	172.217.16.142
Oct 1, 2024 20:54:00.605418921 CEST	443	49731	172.217.16.142	192.168.2.4
Oct 1, 2024 20:54:00.605508089 CEST	49731	443	192.168.2.4	172.217.16.142
Oct 1, 2024 20:54:00.605516911 CEST	443	49731	172.217.16.142	192.168.2.4
Oct 1, 2024 20:54:00.651832104 CEST	49731	443	192.168.2.4	172.217.16.142
Oct 1, 2024 20:54:00.893836021 CEST	443	49731	172.217.16.142	192.168.2.4
Oct 1, 2024 20:54:00.894032955 CEST	443	49731	172.217.16.142	192.168.2.4
Oct 1, 2024 20:54:00.894084930 CEST	49731	443	192.168.2.4	172.217.16.142
Oct 1, 2024 20:54:00.896131039 CEST	49731	443	192.168.2.4	172.217.16.142
Oct 1, 2024 20:54:00.896148920 CEST	443	49731	172.217.16.142	192.168.2.4
Oct 1, 2024 20:54:00.906972885 CEST	49736	443	192.168.2.4	142.250.185.174
Oct 1, 2024 20:54:00.906994104 CEST	443	49736	142.250.185.174	192.168.2.4
Oct 1, 2024 20:54:00.907057047 CEST	49736	443	192.168.2.4	142.250.185.174
Oct 1, 2024 20:54:00.907252073 CEST	49736	443	192.168.2.4	142.250.185.174
Oct 1, 2024 20:54:00.907264948 CEST	443	49736	142.250.185.174	192.168.2.4
Oct 1, 2024 20:54:01.649287939 CEST	443	49736	142.250.185.174	192.168.2.4
Oct 1, 2024 20:54:01.649652004 CEST	49736	443	192.168.2.4	142.250.185.174
Oct 1, 2024 20:54:01.649682045 CEST	443	49736	142.250.185.174	192.168.2.4
Oct 1, 2024 20:54:01.650105000 CEST	443	49736	142.250.185.174	192.168.2.4
Oct 1, 2024 20:54:01.650434017 CEST	49736	443	192.168.2.4	142.250.185.174
Oct 1, 2024 20:54:01.650834084 CEST	443	49736	142.250.185.174	192.168.2.4
Oct 1, 2024 20:54:01.651947975 CEST	49736	443	192.168.2.4	142.250.185.174
Oct 1, 2024 20:54:01.651947975 CEST	49736	443	192.168.2.4	142.250.185.174
Oct 1, 2024 20:54:01.652015924 CEST	443	49736	142.250.185.174	192.168.2.4
Oct 1, 2024 20:54:01.652143955 CEST	49736	443	192.168.2.4	142.250.185.174
Oct 1, 2024 20:54:01.652152061 CEST	443	49736	142.250.185.174	192.168.2.4
Oct 1, 2024 20:54:01.698489904 CEST	49736	443	192.168.2.4	142.250.185.174
Oct 1, 2024 20:54:02.075073004 CEST	443	49736	142.250.185.174	192.168.2.4
Oct 1, 2024 20:54:02.075093985 CEST	443	49736	142.250.185.174	192.168.2.4
Oct 1, 2024 20:54:02.075191021 CEST	443	49736	142.250.185.174	192.168.2.4
Oct 1, 2024 20:54:02.075229883 CEST	49736	443	192.168.2.4	142.250.185.174
Oct 1, 2024 20:54:02.077486992 CEST	49736	443	192.168.2.4	142.250.185.174
Oct 1, 2024 20:54:02.077486992 CEST	49736	443	192.168.2.4	142.250.185.174
Oct 1, 2024 20:54:02.383207083 CEST	49736	443	192.168.2.4	142.250.185.174
Oct 1, 2024 20:54:02.383236885 CEST	443	49736	142.250.185.174	192.168.2.4
Oct 1, 2024 20:54:04.190146923 CEST	49741	443	192.168.2.4	216.58.206.68
Oct 1, 2024 20:54:04.190200090 CEST	443	49741	216.58.206.68	192.168.2.4
Oct 1, 2024 20:54:04.190264940 CEST	49741	443	192.168.2.4	216.58.206.68
Oct 1, 2024 20:54:04.190494061 CEST	49741	443	192.168.2.4	216.58.206.68
Oct 1, 2024 20:54:04.190507889 CEST	443	49741	216.58.206.68	192.168.2.4
Oct 1, 2024 20:54:04.756365061 CEST	49742	443	192.168.2.4	184.28.90.27
Oct 1, 2024 20:54:04.756429911 CEST	443	49742	184.28.90.27	192.168.2.4
Oct 1, 2024 20:54:04.756500006 CEST	49742	443	192.168.2.4	184.28.90.27
Oct 1, 2024 20:54:04.758131027 CEST	49742	443	192.168.2.4	184.28.90.27
Oct 1, 2024 20:54:04.758147001 CEST	443	49742	184.28.90.27	192.168.2.4
Oct 1, 2024 20:54:04.851352930 CEST	443	49741	216.58.206.68	192.168.2.4
Oct 1, 2024 20:54:04.851808071 CEST	49741	443	192.168.2.4	216.58.206.68
Oct 1, 2024 20:54:04.851845026 CEST	443	49741	216.58.206.68	192.168.2.4
Oct 1, 2024 20:54:04.852899075 CEST	443	49741	216.58.206.68	192.168.2.4
Oct 1, 2024 20:54:04.852967978 CEST	49741	443	192.168.2.4	216.58.206.68
Oct 1, 2024 20:54:04.854346037 CEST	49741	443	192.168.2.4	216.58.206.68
Oct 1, 2024 20:54:04.854418039 CEST	443	49741	216.58.206.68	192.168.2.4
Oct 1, 2024 20:54:04.899008989 CEST	49741	443	192.168.2.4	216.58.206.68
Oct 1, 2024 20:54:04.899027109 CEST	443	49741	216.58.206.68	192.168.2.4
Oct 1, 2024 20:54:04.951157093 CEST	49741	443	192.168.2.4	216.58.206.68
Oct 1, 2024 20:54:05.458724976 CEST	443	49742	184.28.90.27	192.168.2.4
Oct 1, 2024 20:54:05.458790064 CEST	49742	443	192.168.2.4	184.28.90.27
Oct 1, 2024 20:54:05.467505932 CEST	49742	443	192.168.2.4	184.28.90.27
Oct 1, 2024 20:54:05.467523098 CEST	443	49742	184.28.90.27	192.168.2.4
Oct 1, 2024 20:54:05.467721939 CEST	443	49742	184.28.90.27	192.168.2.4
Oct 1, 2024 20:54:05.518039942 CEST	49742	443	192.168.2.4	184.28.90.27
Oct 1, 2024 20:54:05.563311100 CEST	49742	443	192.168.2.4	184.28.90.27
Oct 1, 2024 20:54:05.607407093 CEST	443	49742	184.28.90.27	192.168.2.4
Oct 1, 2024 20:54:05.749433041 CEST	443	49742	184.28.90.27	192.168.2.4
Oct 1, 2024 20:54:05.749492884 CEST	443	49742	184.28.90.27	192.168.2.4
Oct 1, 2024 20:54:05.749547005 CEST	49742	443	192.168.2.4	184.28.90.27
Oct 1, 2024 20:54:05.749682903 CEST	49742	443	192.168.2.4	184.28.90.27
Oct 1, 2024 20:54:05.749690056 CEST	443	49742	184.28.90.27	192.168.2.4
Oct 1, 2024 20:54:05.749703884 CEST	49742	443	192.168.2.4	184.28.90.27
Oct 1, 2024 20:54:05.749708891 CEST	443	49742	184.28.90.27	192.168.2.4
Oct 1, 2024 20:54:05.778371096 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 1, 2024 20:54:05.778408051 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 1, 2024 20:54:05.778487921 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 1, 2024 20:54:05.778724909 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 1, 2024 20:54:05.778738022 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 1, 2024 20:54:06.431186914 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 1, 2024 20:54:06.431257010 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 1, 2024 20:54:06.435029984 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 1, 2024 20:54:06.435040951 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 1, 2024 20:54:06.435270071 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 1, 2024 20:54:06.436687946 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 1, 2024 20:54:06.483443975 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 1, 2024 20:54:06.707060099 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 1, 2024 20:54:06.707128048 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 1, 2024 20:54:06.707602024 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 1, 2024 20:54:06.714445114 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 1, 2024 20:54:06.714445114 CEST	49745	443	192.168.2.4	184.28.90.27
Oct 1, 2024 20:54:06.714462042 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 1, 2024 20:54:06.714489937 CEST	443	49745	184.28.90.27	192.168.2.4
Oct 1, 2024 20:54:09.235184908 CEST	49756	443	192.168.2.4	142.250.186.174
Oct 1, 2024 20:54:09.235212088 CEST	443	49756	142.250.186.174	192.168.2.4
Oct 1, 2024 20:54:09.235290051 CEST	49756	443	192.168.2.4	142.250.186.174
Oct 1, 2024 20:54:09.236397028 CEST	49756	443	192.168.2.4	142.250.186.174
Oct 1, 2024 20:54:09.236409903 CEST	443	49756	142.250.186.174	192.168.2.4
Oct 1, 2024 20:54:09.967901945 CEST	443	49756	142.250.186.174	192.168.2.4
Oct 1, 2024 20:54:09.968133926 CEST	49756	443	192.168.2.4	142.250.186.174
Oct 1, 2024 20:54:09.968158960 CEST	443	49756	142.250.186.174	192.168.2.4
Oct 1, 2024 20:54:09.968494892 CEST	443	49756	142.250.186.174	192.168.2.4
Oct 1, 2024 20:54:09.968561888 CEST	49756	443	192.168.2.4	142.250.186.174
Oct 1, 2024 20:54:09.969089985 CEST	443	49756	142.250.186.174	192.168.2.4
Oct 1, 2024 20:54:09.969144106 CEST	49756	443	192.168.2.4	142.250.186.174
Oct 1, 2024 20:54:09.970002890 CEST	49756	443	192.168.2.4	142.250.186.174
Oct 1, 2024 20:54:09.970058918 CEST	443	49756	142.250.186.174	192.168.2.4
Oct 1, 2024 20:54:09.970244884 CEST	49756	443	192.168.2.4	142.250.186.174
Oct 1, 2024 20:54:09.970251083 CEST	443	49756	142.250.186.174	192.168.2.4
Oct 1, 2024 20:54:10.023468018 CEST	49756	443	192.168.2.4	142.250.186.174
Oct 1, 2024 20:54:10.341501951 CEST	443	49756	142.250.186.174	192.168.2.4
Oct 1, 2024 20:54:10.341686964 CEST	443	49756	142.250.186.174	192.168.2.4
Oct 1, 2024 20:54:10.341749907 CEST	49756	443	192.168.2.4	142.250.186.174
Oct 1, 2024 20:54:10.341777086 CEST	443	49756	142.250.186.174	192.168.2.4
Oct 1, 2024 20:54:10.341851950 CEST	443	49756	142.250.186.174	192.168.2.4
Oct 1, 2024 20:54:10.341875076 CEST	49756	443	192.168.2.4	142.250.186.174
Oct 1, 2024 20:54:10.341881990 CEST	443	49756	142.250.186.174	192.168.2.4
Oct 1, 2024 20:54:10.341922998 CEST	49756	443	192.168.2.4	142.250.186.174
Oct 1, 2024 20:54:10.344489098 CEST	443	49756	142.250.186.174	192.168.2.4
Oct 1, 2024 20:54:10.344552040 CEST	49756	443	192.168.2.4	142.250.186.174
Oct 1, 2024 20:54:10.349639893 CEST	443	49756	142.250.186.174	192.168.2.4
Oct 1, 2024 20:54:10.349714041 CEST	49756	443	192.168.2.4	142.250.186.174
Oct 1, 2024 20:54:10.349778891 CEST	443	49756	142.250.186.174	192.168.2.4
Oct 1, 2024 20:54:10.349828959 CEST	49756	443	192.168.2.4	142.250.186.174
Oct 1, 2024 20:54:10.352196932 CEST	443	49756	142.250.186.174	192.168.2.4
Oct 1, 2024 20:54:10.352307081 CEST	49756	443	192.168.2.4	142.250.186.174
Oct 1, 2024 20:54:10.356894970 CEST	443	49756	142.250.186.174	192.168.2.4
Oct 1, 2024 20:54:10.356929064 CEST	443	49756	142.250.186.174	192.168.2.4
Oct 1, 2024 20:54:10.356971979 CEST	49756	443	192.168.2.4	142.250.186.174
Oct 1, 2024 20:54:10.356976032 CEST	443	49756	142.250.186.174	192.168.2.4
Oct 1, 2024 20:54:10.357053995 CEST	49756	443	192.168.2.4	142.250.186.174
Oct 1, 2024 20:54:10.430242062 CEST	443	49756	142.250.186.174	192.168.2.4
Oct 1, 2024 20:54:10.430305958 CEST	49756	443	192.168.2.4	142.250.186.174
Oct 1, 2024 20:54:10.430608034 CEST	443	49756	142.250.186.174	192.168.2.4
Oct 1, 2024 20:54:10.430665016 CEST	49756	443	192.168.2.4	142.250.186.174
Oct 1, 2024 20:54:10.430887938 CEST	443	49756	142.250.186.174	192.168.2.4
Oct 1, 2024 20:54:10.430938959 CEST	49756	443	192.168.2.4	142.250.186.174
Oct 1, 2024 20:54:10.436523914 CEST	443	49756	142.250.186.174	192.168.2.4
Oct 1, 2024 20:54:10.436578989 CEST	49756	443	192.168.2.4	142.250.186.174
Oct 1, 2024 20:54:10.436619997 CEST	443	49756	142.250.186.174	192.168.2.4
Oct 1, 2024 20:54:10.436666012 CEST	49756	443	192.168.2.4	142.250.186.174
Oct 1, 2024 20:54:10.443000078 CEST	443	49756	142.250.186.174	192.168.2.4
Oct 1, 2024 20:54:10.443070889 CEST	49756	443	192.168.2.4	142.250.186.174
Oct 1, 2024 20:54:10.451323032 CEST	443	49756	142.250.186.174	192.168.2.4
Oct 1, 2024 20:54:10.451431036 CEST	49756	443	192.168.2.4	142.250.186.174
Oct 1, 2024 20:54:10.451438904 CEST	443	49756	142.250.186.174	192.168.2.4
Oct 1, 2024 20:54:10.456949949 CEST	443	49756	142.250.186.174	192.168.2.4
Oct 1, 2024 20:54:10.456995964 CEST	49756	443	192.168.2.4	142.250.186.174
Oct 1, 2024 20:54:10.457000971 CEST	443	49756	142.250.186.174	192.168.2.4
Oct 1, 2024 20:54:10.462013960 CEST	443	49756	142.250.186.174	192.168.2.4
Oct 1, 2024 20:54:10.462075949 CEST	49756	443	192.168.2.4	142.250.186.174
Oct 1, 2024 20:54:10.462080956 CEST	443	49756	142.250.186.174	192.168.2.4
Oct 1, 2024 20:54:10.462106943 CEST	443	49756	142.250.186.174	192.168.2.4
Oct 1, 2024 20:54:10.462151051 CEST	49756	443	192.168.2.4	142.250.186.174
Oct 1, 2024 20:54:10.462280989 CEST	49756	443	192.168.2.4	142.250.186.174
Oct 1, 2024 20:54:10.462291002 CEST	443	49756	142.250.186.174	192.168.2.4
Oct 1, 2024 20:54:10.504931927 CEST	49761	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:10.504986048 CEST	443	49761	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:10.505053997 CEST	49761	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:10.505230904 CEST	49761	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:10.505276918 CEST	443	49761	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:10.547827005 CEST	49762	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:10.547837973 CEST	443	49762	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:10.547908068 CEST	49762	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:10.548275948 CEST	49762	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:10.548289061 CEST	443	49762	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:11.158416033 CEST	443	49761	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:11.159006119 CEST	49761	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:11.159024000 CEST	443	49761	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:11.159780979 CEST	443	49761	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:11.159846067 CEST	49761	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:11.160387993 CEST	443	49761	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:11.160444975 CEST	49761	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:11.161602020 CEST	49761	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:11.161655903 CEST	443	49761	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:11.162051916 CEST	49761	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:11.162060022 CEST	443	49761	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:11.213071108 CEST	49761	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:11.221961975 CEST	443	49762	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:11.222225904 CEST	49762	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:11.222245932 CEST	443	49762	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:11.222623110 CEST	443	49762	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:11.222687006 CEST	49762	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:11.223324060 CEST	443	49762	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:11.223398924 CEST	49762	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:11.223532915 CEST	49762	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:11.223603010 CEST	443	49762	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:11.223757029 CEST	49762	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:11.223773003 CEST	443	49762	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:11.275353909 CEST	49762	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:11.478183031 CEST	443	49761	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:11.478717089 CEST	443	49761	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:11.478779078 CEST	49761	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:11.480627060 CEST	49761	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:11.480680943 CEST	443	49761	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:11.480709076 CEST	49761	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:11.480734110 CEST	49761	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:11.482577085 CEST	49766	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:11.482604980 CEST	443	49766	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:11.482672930 CEST	49766	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:11.483047962 CEST	49766	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:11.483057976 CEST	443	49766	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:11.524049997 CEST	443	49762	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:11.524696112 CEST	443	49762	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:11.524756908 CEST	49762	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:11.525463104 CEST	49762	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:11.525480032 CEST	443	49762	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:11.527312994 CEST	49767	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:11.527340889 CEST	443	49767	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:11.527419090 CEST	49767	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:11.528405905 CEST	49767	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:11.528419971 CEST	443	49767	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:12.176290035 CEST	443	49766	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:12.176517963 CEST	49766	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:12.176575899 CEST	443	49766	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:12.177093029 CEST	443	49766	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:12.177165985 CEST	49766	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:12.178108931 CEST	443	49766	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:12.178177118 CEST	49766	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:12.178380013 CEST	49766	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:12.178462982 CEST	443	49766	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:12.178553104 CEST	49766	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:12.178575993 CEST	443	49766	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:12.178612947 CEST	49766	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:12.216186047 CEST	443	49767	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:12.216433048 CEST	49767	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:12.216450930 CEST	443	49767	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:12.216826916 CEST	443	49767	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:12.216896057 CEST	49767	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:12.217556953 CEST	443	49767	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:12.217612982 CEST	49767	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:12.217756987 CEST	49767	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:12.217817068 CEST	443	49767	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:12.217926979 CEST	49767	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:12.217936039 CEST	443	49767	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:12.217955112 CEST	49767	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:12.219448090 CEST	443	49766	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:12.228543043 CEST	49766	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:12.259411097 CEST	443	49767	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:12.259455919 CEST	49767	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:12.393035889 CEST	443	49766	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:12.394294977 CEST	443	49766	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:12.394368887 CEST	49766	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:12.409590006 CEST	49766	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:12.409631014 CEST	443	49766	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:12.416112900 CEST	49741	443	192.168.2.4	216.58.206.68
Oct 1, 2024 20:54:12.435513020 CEST	443	49767	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:12.437025070 CEST	443	49767	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:12.437073946 CEST	49767	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:12.437730074 CEST	49767	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:12.437746048 CEST	443	49767	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:12.459410906 CEST	443	49741	216.58.206.68	192.168.2.4
Oct 1, 2024 20:54:12.629276991 CEST	443	49741	216.58.206.68	192.168.2.4
Oct 1, 2024 20:54:12.629321098 CEST	443	49741	216.58.206.68	192.168.2.4
Oct 1, 2024 20:54:12.629347086 CEST	443	49741	216.58.206.68	192.168.2.4
Oct 1, 2024 20:54:12.629415989 CEST	49741	443	192.168.2.4	216.58.206.68
Oct 1, 2024 20:54:12.629446983 CEST	443	49741	216.58.206.68	192.168.2.4
Oct 1, 2024 20:54:12.629489899 CEST	49741	443	192.168.2.4	216.58.206.68
Oct 1, 2024 20:54:12.629739046 CEST	443	49741	216.58.206.68	192.168.2.4
Oct 1, 2024 20:54:12.629842997 CEST	443	49741	216.58.206.68	192.168.2.4
Oct 1, 2024 20:54:12.629887104 CEST	49741	443	192.168.2.4	216.58.206.68
Oct 1, 2024 20:54:12.638586998 CEST	49741	443	192.168.2.4	216.58.206.68
Oct 1, 2024 20:54:12.638602018 CEST	443	49741	216.58.206.68	192.168.2.4
Oct 1, 2024 20:54:15.764612913 CEST	49773	443	192.168.2.4	4.175.87.197
Oct 1, 2024 20:54:15.764667034 CEST	443	49773	4.175.87.197	192.168.2.4
Oct 1, 2024 20:54:15.764847994 CEST	49773	443	192.168.2.4	4.175.87.197
Oct 1, 2024 20:54:15.766709089 CEST	49773	443	192.168.2.4	4.175.87.197
Oct 1, 2024 20:54:15.766724110 CEST	443	49773	4.175.87.197	192.168.2.4
Oct 1, 2024 20:54:16.619636059 CEST	443	49773	4.175.87.197	192.168.2.4
Oct 1, 2024 20:54:16.619698048 CEST	49773	443	192.168.2.4	4.175.87.197
Oct 1, 2024 20:54:16.628123999 CEST	49773	443	192.168.2.4	4.175.87.197
Oct 1, 2024 20:54:16.628142118 CEST	443	49773	4.175.87.197	192.168.2.4
Oct 1, 2024 20:54:16.628370047 CEST	443	49773	4.175.87.197	192.168.2.4
Oct 1, 2024 20:54:16.680093050 CEST	49773	443	192.168.2.4	4.175.87.197
Oct 1, 2024 20:54:17.623327971 CEST	49773	443	192.168.2.4	4.175.87.197
Oct 1, 2024 20:54:17.663433075 CEST	443	49773	4.175.87.197	192.168.2.4
Oct 1, 2024 20:54:17.884054899 CEST	443	49773	4.175.87.197	192.168.2.4
Oct 1, 2024 20:54:17.884076118 CEST	443	49773	4.175.87.197	192.168.2.4
Oct 1, 2024 20:54:17.884083033 CEST	443	49773	4.175.87.197	192.168.2.4
Oct 1, 2024 20:54:17.884094954 CEST	443	49773	4.175.87.197	192.168.2.4
Oct 1, 2024 20:54:17.884102106 CEST	443	49773	4.175.87.197	192.168.2.4
Oct 1, 2024 20:54:17.884105921 CEST	443	49773	4.175.87.197	192.168.2.4
Oct 1, 2024 20:54:17.884176016 CEST	49773	443	192.168.2.4	4.175.87.197
Oct 1, 2024 20:54:17.884223938 CEST	443	49773	4.175.87.197	192.168.2.4
Oct 1, 2024 20:54:17.884275913 CEST	49773	443	192.168.2.4	4.175.87.197
Oct 1, 2024 20:54:17.884330988 CEST	443	49773	4.175.87.197	192.168.2.4
Oct 1, 2024 20:54:17.884391069 CEST	49773	443	192.168.2.4	4.175.87.197
Oct 1, 2024 20:54:17.884397984 CEST	443	49773	4.175.87.197	192.168.2.4
Oct 1, 2024 20:54:17.884465933 CEST	443	49773	4.175.87.197	192.168.2.4
Oct 1, 2024 20:54:17.884517908 CEST	49773	443	192.168.2.4	4.175.87.197
Oct 1, 2024 20:54:18.257565975 CEST	49778	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:18.257602930 CEST	443	49778	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:18.257878065 CEST	49778	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:18.258155107 CEST	49778	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:18.258172989 CEST	443	49778	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:18.479195118 CEST	49773	443	192.168.2.4	4.175.87.197
Oct 1, 2024 20:54:18.479223967 CEST	443	49773	4.175.87.197	192.168.2.4
Oct 1, 2024 20:54:18.479302883 CEST	49773	443	192.168.2.4	4.175.87.197
Oct 1, 2024 20:54:18.479309082 CEST	443	49773	4.175.87.197	192.168.2.4
Oct 1, 2024 20:54:18.884649038 CEST	443	49778	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:18.886920929 CEST	49778	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:18.886940002 CEST	443	49778	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:18.887350082 CEST	443	49778	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:18.887933016 CEST	49778	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:18.888008118 CEST	443	49778	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:18.888348103 CEST	49778	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:18.888411999 CEST	49778	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:18.888417959 CEST	443	49778	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:19.124078035 CEST	443	49778	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:19.125188112 CEST	443	49778	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:19.125294924 CEST	49778	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:19.126902103 CEST	49778	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:19.126920938 CEST	443	49778	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:41.105087042 CEST	49781	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:41.105144024 CEST	443	49781	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:41.105242014 CEST	49781	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:41.105644941 CEST	49781	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:41.105664015 CEST	443	49781	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:41.419961929 CEST	49782	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:41.420031071 CEST	443	49782	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:41.420133114 CEST	49782	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:41.420475006 CEST	49782	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:41.420495033 CEST	443	49782	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:41.450356960 CEST	49783	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:41.450404882 CEST	443	49783	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:41.450480938 CEST	49783	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:41.450876951 CEST	49783	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:41.450892925 CEST	443	49783	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:41.800371885 CEST	443	49781	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:41.800908089 CEST	49781	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:41.800944090 CEST	443	49781	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:41.801305056 CEST	443	49781	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:41.801697969 CEST	49781	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:41.801767111 CEST	443	49781	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:41.801920891 CEST	49781	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:41.801947117 CEST	49781	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:41.801954031 CEST	443	49781	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:42.099322081 CEST	443	49782	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:42.099692106 CEST	49782	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:42.099760056 CEST	443	49782	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:42.099781036 CEST	443	49781	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:42.100111008 CEST	443	49782	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:42.100560904 CEST	49782	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:42.100632906 CEST	443	49782	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:42.100749016 CEST	49782	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:42.100788116 CEST	49782	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:42.100800037 CEST	443	49782	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:42.100886106 CEST	443	49781	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:42.100967884 CEST	49781	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:42.101051092 CEST	49781	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:42.101083994 CEST	443	49781	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:42.132697105 CEST	443	49783	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:42.132972002 CEST	49783	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:42.132997036 CEST	443	49783	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:42.133491039 CEST	443	49783	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:42.133557081 CEST	49783	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:42.134483099 CEST	443	49783	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:42.134543896 CEST	49783	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:42.134682894 CEST	49783	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:42.134759903 CEST	443	49783	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:42.135130882 CEST	49783	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:42.135138988 CEST	443	49783	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:42.135202885 CEST	49783	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:42.175448895 CEST	443	49783	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:42.182594061 CEST	49783	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:42.358396053 CEST	443	49783	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:42.358545065 CEST	443	49783	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:42.358606100 CEST	49783	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:42.359340906 CEST	49783	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:42.359359980 CEST	443	49783	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:42.400393963 CEST	443	49782	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:42.401088953 CEST	443	49782	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:42.401170969 CEST	49782	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:42.401294947 CEST	49782	443	192.168.2.4	142.250.185.238
Oct 1, 2024 20:54:42.401336908 CEST	443	49782	142.250.185.238	192.168.2.4
Oct 1, 2024 20:54:55.414824009 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 20:54:55.414875031 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 20:54:55.414949894 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 20:54:55.415332079 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 20:54:55.415347099 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 20:54:56.202896118 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 20:54:56.202966928 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 20:54:56.207947016 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 20:54:56.207962990 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 20:54:56.208182096 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 20:54:56.219841003 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 20:54:56.267410040 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 20:54:56.538218975 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 20:54:56.538247108 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 20:54:56.538259983 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 20:54:56.538451910 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 20:54:56.538481951 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 20:54:56.538537979 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 20:54:56.539637089 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 20:54:56.539697886 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 20:54:56.539700985 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 20:54:56.539719105 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 20:54:56.539752007 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 20:54:56.539875984 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 20:54:56.539917946 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 20:54:56.544114113 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 20:54:56.544130087 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 20:54:56.544147968 CEST	49784	443	192.168.2.4	4.175.87.197
Oct 1, 2024 20:54:56.544152975 CEST	443	49784	4.175.87.197	192.168.2.4
Oct 1, 2024 20:55:04.243824005 CEST	49786	443	192.168.2.4	216.58.206.68
Oct 1, 2024 20:55:04.243871927 CEST	443	49786	216.58.206.68	192.168.2.4
Oct 1, 2024 20:55:04.243984938 CEST	49786	443	192.168.2.4	216.58.206.68
Oct 1, 2024 20:55:04.244275093 CEST	49786	443	192.168.2.4	216.58.206.68
Oct 1, 2024 20:55:04.244291067 CEST	443	49786	216.58.206.68	192.168.2.4
Oct 1, 2024 20:55:04.889272928 CEST	443	49786	216.58.206.68	192.168.2.4
Oct 1, 2024 20:55:04.889590025 CEST	49786	443	192.168.2.4	216.58.206.68
Oct 1, 2024 20:55:04.889607906 CEST	443	49786	216.58.206.68	192.168.2.4
Oct 1, 2024 20:55:04.890072107 CEST	443	49786	216.58.206.68	192.168.2.4
Oct 1, 2024 20:55:04.890347004 CEST	49786	443	192.168.2.4	216.58.206.68
Oct 1, 2024 20:55:04.890441895 CEST	443	49786	216.58.206.68	192.168.2.4
Oct 1, 2024 20:55:04.944948912 CEST	49786	443	192.168.2.4	216.58.206.68
Oct 1, 2024 20:55:10.354026079 CEST	49723	80	192.168.2.4	199.232.214.172
Oct 1, 2024 20:55:10.664442062 CEST	49723	80	192.168.2.4	199.232.214.172
Oct 1, 2024 20:55:11.273701906 CEST	49723	80	192.168.2.4	199.232.214.172
Oct 1, 2024 20:55:11.539891005 CEST	80	49723	199.232.214.172	192.168.2.4
Oct 1, 2024 20:55:11.539940119 CEST	80	49723	199.232.214.172	192.168.2.4
Oct 1, 2024 20:55:11.539951086 CEST	80	49723	199.232.214.172	192.168.2.4
Oct 1, 2024 20:55:11.539998055 CEST	49723	80	192.168.2.4	199.232.214.172
Oct 1, 2024 20:55:11.540827990 CEST	80	49723	199.232.214.172	192.168.2.4
Oct 1, 2024 20:55:11.540877104 CEST	49723	80	192.168.2.4	199.232.214.172
Oct 1, 2024 20:55:11.546945095 CEST	80	49723	199.232.214.172	192.168.2.4
Oct 1, 2024 20:55:14.802176952 CEST	443	49786	216.58.206.68	192.168.2.4
Oct 1, 2024 20:55:14.802253008 CEST	443	49786	216.58.206.68	192.168.2.4
Oct 1, 2024 20:55:14.802331924 CEST	49786	443	192.168.2.4	216.58.206.68
Oct 1, 2024 20:55:28.445657969 CEST	49786	443	192.168.2.4	216.58.206.68
Oct 1, 2024 20:55:28.445702076 CEST	443	49786	216.58.206.68	192.168.2.4
Oct 1, 2024 20:56:04.306121111 CEST	49794	443	192.168.2.4	216.58.206.68
Oct 1, 2024 20:56:04.306163073 CEST	443	49794	216.58.206.68	192.168.2.4
Oct 1, 2024 20:56:04.306246996 CEST	49794	443	192.168.2.4	216.58.206.68
Oct 1, 2024 20:56:04.306601048 CEST	49794	443	192.168.2.4	216.58.206.68
Oct 1, 2024 20:56:04.306616068 CEST	443	49794	216.58.206.68	192.168.2.4
Oct 1, 2024 20:56:05.106683016 CEST	443	49794	216.58.206.68	192.168.2.4
Oct 1, 2024 20:56:05.148397923 CEST	49794	443	192.168.2.4	216.58.206.68

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 20:53:59.903976917 CEST	58450	53	192.168.2.4	1.1.1.1
Oct 1, 2024 20:53:59.904217958 CEST	58075	53	192.168.2.4	1.1.1.1
Oct 1, 2024 20:53:59.911494017 CEST	53	58450	1.1.1.1	192.168.2.4
Oct 1, 2024 20:53:59.912137032 CEST	53	50264	1.1.1.1	192.168.2.4
Oct 1, 2024 20:53:59.912214041 CEST	53	58075	1.1.1.1	192.168.2.4
Oct 1, 2024 20:53:59.936718941 CEST	53	63570	1.1.1.1	192.168.2.4
Oct 1, 2024 20:54:00.898621082 CEST	54132	53	192.168.2.4	1.1.1.1
Oct 1, 2024 20:54:00.899322987 CEST	50973	53	192.168.2.4	1.1.1.1
Oct 1, 2024 20:54:00.905515909 CEST	53	54132	1.1.1.1	192.168.2.4
Oct 1, 2024 20:54:00.906482935 CEST	53	50973	1.1.1.1	192.168.2.4
Oct 1, 2024 20:54:00.940085888 CEST	53	51546	1.1.1.1	192.168.2.4
Oct 1, 2024 20:54:04.181104898 CEST	59349	53	192.168.2.4	1.1.1.1
Oct 1, 2024 20:54:04.181266069 CEST	52246	53	192.168.2.4	1.1.1.1
Oct 1, 2024 20:54:04.188561916 CEST	53	59349	1.1.1.1	192.168.2.4
Oct 1, 2024 20:54:04.189502001 CEST	53	52246	1.1.1.1	192.168.2.4
Oct 1, 2024 20:54:06.622824907 CEST	53	56467	1.1.1.1	192.168.2.4
Oct 1, 2024 20:54:09.223963022 CEST	57708	53	192.168.2.4	1.1.1.1
Oct 1, 2024 20:54:09.224098921 CEST	65035	53	192.168.2.4	1.1.1.1
Oct 1, 2024 20:54:09.231441975 CEST	53	57708	1.1.1.1	192.168.2.4
Oct 1, 2024 20:54:09.234739065 CEST	53	65035	1.1.1.1	192.168.2.4
Oct 1, 2024 20:54:10.496944904 CEST	50835	53	192.168.2.4	1.1.1.1
Oct 1, 2024 20:54:10.497082949 CEST	64587	53	192.168.2.4	1.1.1.1
Oct 1, 2024 20:54:10.503967047 CEST	53	64587	1.1.1.1	192.168.2.4
Oct 1, 2024 20:54:10.504553080 CEST	53	50835	1.1.1.1	192.168.2.4
Oct 1, 2024 20:54:12.067197084 CEST	53	61323	1.1.1.1	192.168.2.4
Oct 1, 2024 20:54:17.835619926 CEST	53	64688	1.1.1.1	192.168.2.4
Oct 1, 2024 20:54:21.937952995 CEST	138	138	192.168.2.4	192.168.2.255
Oct 1, 2024 20:54:36.720938921 CEST	53	56331	1.1.1.1	192.168.2.4
Oct 1, 2024 20:54:59.456259012 CEST	53	57471	1.1.1.1	192.168.2.4
Oct 1, 2024 20:54:59.500484943 CEST	53	50880	1.1.1.1	192.168.2.4
Oct 1, 2024 20:55:11.540028095 CEST	53	61531	1.1.1.1	192.168.2.4
Oct 1, 2024 20:55:11.590785027 CEST	51363	53	192.168.2.4	1.1.1.1
Oct 1, 2024 20:55:11.590971947 CEST	58588	53	192.168.2.4	1.1.1.1
Oct 1, 2024 20:55:11.598130941 CEST	53	58588	1.1.1.1	192.168.2.4
Oct 1, 2024 20:55:11.598217964 CEST	53	51363	1.1.1.1	192.168.2.4
Oct 1, 2024 20:55:28.454504013 CEST	53	51558	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 1, 2024 20:53:59.903976917 CEST	192.168.2.4	1.1.1.1	0x8acc	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 20:53:59.904217958 CEST	192.168.2.4	1.1.1.1	0xa96a	Standard query (0)	youtube.com	65	IN (0x0001)	false
Oct 1, 2024 20:54:00.898621082 CEST	192.168.2.4	1.1.1.1	0x92e4	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 20:54:00.899322987 CEST	192.168.2.4	1.1.1.1	0xb42d	Standard query (0)	www.youtube.com	65	IN (0x0001)	false
Oct 1, 2024 20:54:04.181104898 CEST	192.168.2.4	1.1.1.1	0xe649	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 20:54:04.181266069 CEST	192.168.2.4	1.1.1.1	0x838	Standard query (0)	www.google.com	65	IN (0x0001)	false
Oct 1, 2024 20:54:09.223963022 CEST	192.168.2.4	1.1.1.1	0xa166	Standard query (0)	accounts.youtube.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 20:54:09.224098921 CEST	192.168.2.4	1.1.1.1	0x9f14	Standard query (0)	accounts.youtube.com	65	IN (0x0001)	false
Oct 1, 2024 20:54:10.496944904 CEST	192.168.2.4	1.1.1.1	0xa31e	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 20:54:10.497082949 CEST	192.168.2.4	1.1.1.1	0x7e51	Standard query (0)	play.google.com	65	IN (0x0001)	false
Oct 1, 2024 20:55:11.590785027 CEST	192.168.2.4	1.1.1.1	0xeddb	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 20:55:11.590971947 CEST	192.168.2.4	1.1.1.1	0x5b91	Standard query (0)	play.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 1, 2024 20:53:59.911494017 CEST	1.1.1.1	192.168.2.4	0x8acc	No error (0)	youtube.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 1, 2024 20:53:59.912214041 CEST	1.1.1.1	192.168.2.4	0xa96a	No error (0)	youtube.com			65	IN (0x0001)	false
Oct 1, 2024 20:54:00.905515909 CEST	1.1.1.1	192.168.2.4	0x92e4	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 20:54:00.905515909 CEST	1.1.1.1	192.168.2.4	0x92e4	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 1, 2024 20:54:00.905515909 CEST	1.1.1.1	192.168.2.4	0x92e4	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 1, 2024 20:54:00.905515909 CEST	1.1.1.1	192.168.2.4	0x92e4	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 1, 2024 20:54:00.905515909 CEST	1.1.1.1	192.168.2.4	0x92e4	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 1, 2024 20:54:00.905515909 CEST	1.1.1.1	192.168.2.4	0x92e4	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 1, 2024 20:54:00.905515909 CEST	1.1.1.1	192.168.2.4	0x92e4	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 1, 2024 20:54:00.905515909 CEST	1.1.1.1	192.168.2.4	0x92e4	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 1, 2024 20:54:00.905515909 CEST	1.1.1.1	192.168.2.4	0x92e4	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 1, 2024 20:54:00.905515909 CEST	1.1.1.1	192.168.2.4	0x92e4	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 1, 2024 20:54:00.905515909 CEST	1.1.1.1	192.168.2.4	0x92e4	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 1, 2024 20:54:00.905515909 CEST	1.1.1.1	192.168.2.4	0x92e4	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 1, 2024 20:54:00.905515909 CEST	1.1.1.1	192.168.2.4	0x92e4	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 1, 2024 20:54:00.905515909 CEST	1.1.1.1	192.168.2.4	0x92e4	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 1, 2024 20:54:00.905515909 CEST	1.1.1.1	192.168.2.4	0x92e4	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 1, 2024 20:54:00.905515909 CEST	1.1.1.1	192.168.2.4	0x92e4	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 1, 2024 20:54:00.905515909 CEST	1.1.1.1	192.168.2.4	0x92e4	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 1, 2024 20:54:00.906482935 CEST	1.1.1.1	192.168.2.4	0xb42d	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 20:54:00.906482935 CEST	1.1.1.1	192.168.2.4	0xb42d	No error (0)	youtube-ui.l.google.com			65	IN (0x0001)	false
Oct 1, 2024 20:54:04.188561916 CEST	1.1.1.1	192.168.2.4	0xe649	No error (0)	www.google.com		216.58.206.68	A (IP address)	IN (0x0001)	false
Oct 1, 2024 20:54:04.189502001 CEST	1.1.1.1	192.168.2.4	0x838	No error (0)	www.google.com			65	IN (0x0001)	false
Oct 1, 2024 20:54:09.231441975 CEST	1.1.1.1	192.168.2.4	0xa166	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 20:54:09.231441975 CEST	1.1.1.1	192.168.2.4	0xa166	No error (0)	www3.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 1, 2024 20:54:09.234739065 CEST	1.1.1.1	192.168.2.4	0x9f14	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 20:54:10.504553080 CEST	1.1.1.1	192.168.2.4	0xa31e	No error (0)	play.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 1, 2024 20:55:11.598217964 CEST	1.1.1.1	192.168.2.4	0xeddb	No error (0)	play.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

youtube.com

www.youtube.com

fs.microsoft.com

https:

accounts.youtube.com

play.google.com

www.google.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	172.217.16.142	443	1076	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 18:54:00 UTC	851	OUT	GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1 Host: youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 18:54:00 UTC	1704	IN	HTTP/1.1 301 Moved Permanently Content-Type: application/binary X-Content-Type-Options: nosniff Expires: Tue, 01 Oct 2024 18:54:00 GMT Date: Tue, 01 Oct 2024 18:54:00 GMT Cache-Control: private, max-age=31536000 Location: https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script' Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Server: ESF Content-Length: 0 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49736	142.250.185.174	443	1076	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 18:54:01 UTC	869	OUT	GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1 Host: www.youtube.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 18:54:02 UTC	2634	IN	HTTP/1.1 303 See Other Content-Type: application/binary X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 01 Oct 2024 18:54:01 GMT Location: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=31536000 Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Content-Security-Policy: require-trusted-types-for 'script' Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version P3P: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info." Server: ESF Content-Length: 0 X-XSS-Protection: 0 Set-Cookie: GPS=1; Domain=.youtube.com; Expires=Tue, 01-Oct-2024 19:24:01 GMT; Path=/; Secure; HttpOnly Set-Cookie: YSC=-HEHi4KXwV4; Domain=.youtube.com; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_INFO1_LIVE=ZN9J684_nNc; Domain=.youtube.com; Expires=Sun, 30-Mar-2025 18:54:01 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_PRIVACY_METADATA=CgJVUxIEGgAgWg%3D%3D; Domain=.youtube.com; Expires=Sun, 30-Mar-2025 18:54:01 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49742	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 18:54:05 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-01 18:54:05 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-neu-z1 Cache-Control: public, max-age=165105 Date: Tue, 01 Oct 2024 18:54:05 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49745	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 18:54:06 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-01 18:54:06 UTC	515	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=165048 Date: Tue, 01 Oct 2024 18:54:06 GMT Content-Length: 55 Connection: close X-CID: 2
2024-10-01 18:54:06 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49756	142.250.186.174	443	1076	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 18:54:09 UTC	1236	OUT	GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=1880340354&timestamp=1727808848108 HTTP/1.1 Host: accounts.youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-arch: "x86" sec-ch-ua-platform: "Windows" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-model: "" sec-ch-ua-bitness: "64" sec-ch-ua-wow64: ?0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: iframe Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 18:54:10 UTC	1958	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 X-Frame-Options: ALLOW-FROM https://accounts.google.com Content-Security-Policy: frame-ancestors https://accounts.google.com Content-Security-Policy: script-src 'report-sample' 'nonce-hHioWRgU6UK4Tu4V6WyP8A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 01 Oct 2024 18:54:10 GMT Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Resource-Policy: cross-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* reporting-endpoints: default="/_/AccountsDomainCookiesCheckConnectionHttp/web-reports?context=eJzjMtDikmII0JBikPj6kkkLiJ3SZ7CGAHHSv_OsJUB8ufsS63UgLpK4wtoCxELcHJe6Pm5nEzjRuCJeSS8pvzA-MyU1rySzpDIlPzcxMy85Pz87M7W4OLWoLLUo3sjAyMTA0shIz8AivsAAAEHtKeo" Server: ESF X-XSS-Protection: 0 X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 18:54:10 UTC	1958	IN	Data Raw: 37 36 31 38 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 68 48 69 6f 57 52 67 55 36 55 4b 34 54 75 34 56 36 57 79 50 38 41 22 3e 22 75 73 65 20 73 74 72 69 63 74 22 3b 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 3d 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 7c 7c 7b 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 5f 29 7b 76 61 72 20 77 69 6e 64 6f 77 3d 74 68 69 73 3b 0a 74 72 79 7b 0a 5f 2e 5f 46 5f 74 6f 67 67 6c 65 73 5f 69 6e 69 74 69 61 6c 69 7a 65 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 28 74 79 70 65 6f Data Ascii: 7618<html><head><script nonce="hHioWRgU6UK4Tu4V6WyP8A">"use strict";this.default_AccountsDomaincookiesCheckconnectionJs=this.default_AccountsDomaincookiesCheckconnectionJs\|\|{};(function(_){var window=this;try{_._F_toggles_initialize=function(a){(typeo
2024-10-01 18:54:10 UTC	1958	IN	Data Raw: 63 5b 31 5d 29 69 66 28 62 3d 2f 54 72 69 64 65 6e 74 5c 2f 28 5c 64 2e 5c 64 29 2f 2e 65 78 65 63 28 62 29 2c 0a 63 5b 31 5d 3d 3d 22 37 2e 30 22 29 69 66 28 62 26 26 62 5b 31 5d 29 73 77 69 74 63 68 28 62 5b 31 5d 29 7b 63 61 73 65 20 22 34 2e 30 22 3a 61 3d 22 38 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 35 2e 30 22 3a 61 3d 22 39 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 36 2e 30 22 3a 61 3d 22 31 30 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 37 2e 30 22 3a 61 3d 22 31 31 2e 30 22 7d 65 6c 73 65 20 61 3d 22 37 2e 30 22 3b 65 6c 73 65 20 61 3d 63 5b 31 5d 3b 62 3d 61 7d 65 6c 73 65 20 62 3d 22 22 3b 72 65 74 75 72 6e 20 62 7d 76 61 72 20 64 3d 52 65 67 45 78 70 28 22 28 5b 41 2d 5a 5d 5b 5c 5c 77 20 5d 2b 29 2f 28 5b 5e 5c 5c 73 5d 2b Data Ascii: c[1])if(b=/Trident\/(\d.\d)/.exec(b),c[1]=="7.0")if(b&&b[1])switch(b[1]){case "4.0":a="8.0";break;case "5.0":a="9.0";break;case "6.0":a="10.0";break;case "7.0":a="11.0"}else a="7.0";else a=c[1];b=a}else b="";return b}var d=RegExp("([A-Z][\\w ]+)/([^\\s]+
2024-10-01 18:54:10 UTC	1958	IN	Data Raw: 61 29 7d 2c 49 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 73 77 69 74 63 68 28 74 79 70 65 6f 66 20 61 29 7b 63 61 73 65 20 22 6e 75 6d 62 65 72 22 3a 72 65 74 75 72 6e 20 69 73 46 69 6e 69 74 65 28 61 29 3f 61 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 69 67 69 6e 74 22 3a 72 65 74 75 72 6e 28 41 61 3f 0a 61 3e 3d 42 61 26 26 61 3c 3d 43 61 3a 61 5b 30 5d 3d 3d 3d 22 2d 22 3f 75 61 28 61 2c 44 61 29 3a 75 61 28 61 2c 45 61 29 29 3f 4e 75 6d 62 65 72 28 61 29 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 72 65 74 75 72 6e 20 61 3f 31 3a 30 3b 63 61 73 65 20 22 6f 62 6a 65 63 74 22 3a 69 66 28 61 29 69 66 28 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 61 29 29 7b 69 66 28 43 28 61 29 29 72 65 74 75 72 6e 7d 65 6c 73 Data Ascii: a)},Ia=function(a){switch(typeof a){case "number":return isFinite(a)?a:String(a);case "bigint":return(Aa?a>=Ba&&a<=Ca:a[0]==="-"?ua(a,Da):ua(a,Ea))?Number(a):String(a);case "boolean":return a?1:0;case "object":if(a)if(Array.isArray(a)){if(C(a))return}els
2024-10-01 18:54:10 UTC	1958	IN	Data Raw: 3f 61 2e 74 6f 4a 53 4f 4e 28 29 3a 49 61 28 61 29 7d 2c 53 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3b 69 66 28 61 26 26 28 62 3d 51 61 29 21 3d 6e 75 6c 6c 26 26 62 2e 68 61 73 28 61 29 26 26 28 62 3d 61 2e 43 29 29 66 6f 72 28 76 61 72 20 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 62 5b 63 5d 3b 69 66 28 63 3d 3d 3d 62 2e 6c 65 6e 67 74 68 2d 31 26 26 41 28 64 29 29 66 6f 72 28 76 61 72 20 65 20 69 6e 20 64 29 7b 76 61 72 20 66 3d 64 5b 65 5d 3b 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 66 29 26 26 0a 52 61 28 66 2c 61 29 7d 65 6c 73 65 20 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 64 29 26 26 52 61 28 64 2c 61 29 7d 61 3d 45 3f 61 2e 43 3a 4d 61 28 61 2e 43 2c 50 61 2c 76 6f 69 64 20 30 2c 76 6f 69 64 Data Ascii: ?a.toJSON():Ia(a)},Sa=function(a){var b;if(a&&(b=Qa)!=null&&b.has(a)&&(b=a.C))for(var c=0;c<b.length;c++){var d=b[c];if(c===b.length-1&&A(d))for(var e in d){var f=d[e];Array.isArray(f)&&Ra(f,a)}else Array.isArray(d)&&Ra(d,a)}a=E?a.C:Ma(a.C,Pa,void 0,void
2024-10-01 18:54:10 UTC	1958	IN	Data Raw: 20 62 28 63 2b 28 66 7c 7c 22 22 29 2b 22 5f 22 2b 64 2b 2b 2c 66 29 7d 3b 72 65 74 75 72 6e 20 65 7d 29 3b 0a 47 28 22 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 61 29 72 65 74 75 72 6e 20 61 3b 61 3d 53 79 6d 62 6f 6c 28 22 63 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 22 41 72 72 61 79 20 49 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 43 6c 61 6d 70 65 64 41 72 72 61 79 20 49 6e 74 31 36 41 72 72 61 79 20 55 69 6e 74 31 36 41 72 72 61 79 20 49 6e 74 33 32 41 72 72 61 79 20 55 69 6e 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 36 34 41 72 72 61 79 22 2e 73 70 6c 69 74 28 22 20 22 29 2c 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b Data Ascii: b(c+(f\|\|"")+"_"+d++,f)};return e});G("Symbol.iterator",function(a){if(a)return a;a=Symbol("c");for(var b="Array Int8Array Uint8Array Uint8ClampedArray Int16Array Uint16Array Int32Array Uint32Array Float32Array Float64Array".split(" "),c=0;c<b.length;c++
2024-10-01 18:54:10 UTC	1958	IN	Data Raw: 72 6e 21 31 7d 7d 28 29 29 72 65 74 75 72 6e 20 61 3b 0a 76 61 72 20 66 3d 22 24 6a 73 63 6f 6d 70 5f 68 69 64 64 65 6e 5f 22 2b 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 3b 65 28 22 66 72 65 65 7a 65 22 29 3b 65 28 22 70 72 65 76 65 6e 74 45 78 74 65 6e 73 69 6f 6e 73 22 29 3b 65 28 22 73 65 61 6c 22 29 3b 76 61 72 20 68 3d 30 2c 67 3d 66 75 6e 63 74 69 6f 6e 28 6b 29 7b 74 68 69 73 2e 67 3d 28 68 2b 3d 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2b 31 29 2e 74 6f 53 74 72 69 6e 67 28 29 3b 69 66 28 6b 29 7b 6b 3d 48 28 6b 29 3b 66 6f 72 28 76 61 72 20 6c 3b 21 28 6c 3d 6b 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6c 3d 6c 2e 76 61 6c 75 65 2c 74 68 69 73 2e 73 65 74 28 6c 5b 30 5d 2c 6c 5b 31 5d 29 7d 7d 3b 67 2e 70 72 6f 74 6f 74 79 70 65 2e 73 65 74 3d 66 Data Ascii: rn!1}}())return a;var f="$jscomp_hidden_"+Math.random();e("freeze");e("preventExtensions");e("seal");var h=0,g=function(k){this.g=(h+=Math.random()+1).toString();if(k){k=H(k);for(var l;!(l=k.next()).done;)l=l.value,this.set(l[0],l[1])}};g.prototype.set=f
2024-10-01 18:54:10 UTC	1958	IN	Data Raw: 6b 65 79 7d 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 2e 76 61 6c 75 65 73 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 65 28 74 68 69 73 2c 66 75 6e 63 74 69 6f 6e 28 67 29 7b 72 65 74 75 72 6e 20 67 2e 76 61 6c 75 65 7d 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 2e 66 6f 72 45 61 63 68 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 66 6f 72 28 76 61 72 20 6c 3d 74 68 69 73 2e 65 6e 74 72 69 65 73 28 29 2c 6d 3b 21 28 6d 3d 6c 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6d 3d 0a 6d 2e 76 61 6c 75 65 2c 67 2e 63 61 6c 6c 28 6b 2c 6d 5b 31 5d 2c 6d 5b 30 5d 2c 74 68 69 73 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 5b 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 5d 3d 63 2e 70 72 6f 74 6f 74 79 70 65 2e 65 6e 74 72 69 65 73 3b 76 61 72 20 64 3d 66 Data Ascii: key})};c.prototype.values=function(){return e(this,function(g){return g.value})};c.prototype.forEach=function(g,k){for(var l=this.entries(),m;!(m=l.next()).done;)m=m.value,g.call(k,m[1],m[0],this)};c.prototype[Symbol.iterator]=c.prototype.entries;var d=f
2024-10-01 18:54:10 UTC	1958	IN	Data Raw: 28 62 29 7b 72 65 74 75 72 6e 20 4e 75 6d 62 65 72 2e 69 73 46 69 6e 69 74 65 28 62 29 3f 62 3d 3d 3d 4d 61 74 68 2e 66 6c 6f 6f 72 28 62 29 3a 21 31 7d 7d 29 3b 47 28 22 4e 75 6d 62 65 72 2e 69 73 4e 61 4e 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 3f 61 3a 66 75 6e 63 74 69 6f 6e 28 62 29 7b 72 65 74 75 72 6e 20 74 79 70 65 6f 66 20 62 3d 3d 3d 22 6e 75 6d 62 65 72 22 26 26 69 73 4e 61 4e 28 62 29 7d 7d 29 3b 76 61 72 20 66 62 3d 66 62 7c 7c 7b 7d 2c 71 3d 74 68 69 73 7c 7c 73 65 6c 66 2c 67 62 3d 71 2e 5f 46 5f 74 6f 67 67 6c 65 73 7c 7c 5b 5d 2c 68 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 3d 61 2e 73 70 6c 69 74 28 22 2e 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 71 2c 63 3d 30 3b 63 3c 61 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 69 Data Ascii: (b){return Number.isFinite(b)?b===Math.floor(b):!1}});G("Number.isNaN",function(a){return a?a:function(b){return typeof b==="number"&&isNaN(b)}});var fb=fb\|\|{},q=this\|\|self,gb=q._F_toggles\|\|[],hb=function(a){a=a.split(".");for(var b=q,c=0;c<a.length;c++)i
2024-10-01 18:54:10 UTC	1958	IN	Data Raw: 66 2c 61 29 7d 3b 76 61 72 20 78 61 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 61 2e 5f 5f 63 6c 6f 73 75 72 65 5f 5f 65 72 72 6f 72 5f 5f 63 6f 6e 74 65 78 74 5f 5f 39 38 34 33 38 32 7c 7c 28 61 2e 5f 5f 63 6c 6f 73 75 72 65 5f 5f 65 72 72 6f 72 5f 5f 63 6f 6e 74 65 78 74 5f 5f 39 38 34 33 38 32 3d 7b 7d 29 3b 61 2e 5f 5f 63 6c 6f 73 75 72 65 5f 5f 65 72 72 6f 72 5f 5f 63 6f 6e 74 65 78 74 5f 5f 39 38 34 33 38 32 2e 73 65 76 65 72 69 74 79 3d 62 7d 3b 76 61 72 20 71 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 63 3d 63 7c 7c 71 3b 76 61 72 20 64 3d 63 2e 6f 6e 65 72 72 6f 72 2c 65 3d 21 21 62 3b 63 2e 6f 6e 65 72 72 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 66 2c 68 2c 67 2c 6b 2c 6c 29 7b 64 26 26 64 28 66 2c 68 2c 67 2c 6b 2c 6c 29 3b 61 28 7b 6d Data Ascii: f,a)};var xa=function(a,b){a.__closure__error__context__984382\|\|(a.__closure__error__context__984382={});a.__closure__error__context__984382.severity=b};var qb=function(a,b,c){c=c\|\|q;var d=c.onerror,e=!!b;c.onerror=function(f,h,g,k,l){d&&d(f,h,g,k,l);a({m
2024-10-01 18:54:10 UTC	1958	IN	Data Raw: 22 2c 20 22 29 3b 76 61 72 20 66 3d 64 5b 65 5d 3b 73 77 69 74 63 68 28 74 79 70 65 6f 66 20 66 29 7b 63 61 73 65 20 22 6f 62 6a 65 63 74 22 3a 66 3d 66 3f 22 6f 62 6a 65 63 74 22 3a 22 6e 75 6c 6c 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 73 74 72 69 6e 67 22 3a 62 72 65 61 6b 3b 63 61 73 65 20 22 6e 75 6d 62 65 72 22 3a 66 3d 53 74 72 69 6e 67 28 66 29 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 66 3d 66 3f 22 74 72 75 65 22 3a 22 66 61 6c 73 65 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 66 75 6e 63 74 69 6f 6e 22 3a 66 3d 28 66 3d 73 62 28 66 29 29 3f 66 3a 22 5b 66 6e 5d 22 3b 62 72 65 61 6b 3b 64 65 66 61 75 6c 74 3a 66 3d 0a 74 79 70 65 6f 66 20 66 7d 66 2e 6c 65 6e 67 74 68 3e 34 30 26 26 28 66 3d 66 2e 73 6c 69 63 65 28 30 2c Data Ascii: ", ");var f=d[e];switch(typeof f){case "object":f=f?"object":"null";break;case "string":break;case "number":f=String(f);break;case "boolean":f=f?"true":"false";break;case "function":f=(f=sb(f))?f:"[fn]";break;default:f=typeof f}f.length>40&&(f=f.slice(0,

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49761	142.250.185.238	443	1076	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 18:54:11 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 18:54:11 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 18:54:11 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49762	142.250.185.238	443	1076	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 18:54:11 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 18:54:11 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 18:54:11 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49766	142.250.185.238	443	1076	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 18:54:12 UTC	1124	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 519 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 18:54:12 UTC	519	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 30 38 38 34 39 33 38 34 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727808849384",null,null,null
2024-10-01 18:54:12 UTC	933	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=emBMJCQHm0H2aRNgx2ZiTOQD0re0badIpa9Sni60ikzQRriTH3J2nuXALfUGmJRHNPsdFPVxFCSh9yCSuTkAGXgilukFiI6HhVSFYOHvUt5LujGoLfxYlAo1OKO83XJy5lpDxUxVbV9WDNRBBLlhv8eKABfT-DVBkb25I8aSz388ixJzf8Q; expires=Wed, 02-Apr-2025 18:54:12 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 18:54:12 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Tue, 01 Oct 2024 18:54:12 GMT Connection: close Transfer-Encoding: chunked
2024-10-01 18:54:12 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 18:54:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49767	142.250.185.238	443	1076	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 18:54:12 UTC	1124	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 519 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 18:54:12 UTC	519	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 30 38 38 34 39 34 33 37 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727808849437",null,null,null
2024-10-01 18:54:12 UTC	933	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=CGx2bKNGxQ3M5su_bBratZ9w7JX4gzue_N7NbXgJOhTSkMaoQvban3KAZvUcEXcz3gU1bXkVToRO2xNx-YheZXTgQsP2iKlBn7k1KEnJOol5xURLBrIQJCY5XbzUvskg5J9WvYms41MhFjbMjXT3iAzC7xQUWAxKVGMEYmlNkQaZa11X1RA; expires=Wed, 02-Apr-2025 18:54:12 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 18:54:12 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Tue, 01 Oct 2024 18:54:12 GMT Connection: close Transfer-Encoding: chunked
2024-10-01 18:54:12 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 18:54:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49741	216.58.206.68	443	1076	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 18:54:12 UTC	1017	OUT	GET /favicon.ico HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 18:54:12 UTC	705	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable" Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]} Content-Length: 5430 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Tue, 01 Oct 2024 17:34:06 GMT Expires: Wed, 09 Oct 2024 17:34:06 GMT Cache-Control: public, max-age=691200 Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT Content-Type: image/x-icon Vary: Accept-Encoding Age: 4806 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-01 18:54:12 UTC	685	IN	Data Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 30 fd fd fd 96 fd fd fd d8 fd fd fd f9 fd fd fd f9 fd fd fd d7 fd fd fd 94 fe fe fe 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 95 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd c1 ff ff ff ff fa fd f9 ff b4 d9 a7 ff 76 ba 5d ff 58 ab 3a ff 58 aa 3a ff 72 b8 59 ff ac d5 9d ff f8 fb f6 ff ff Data Ascii: h& ( 0.v]X:X:rY
2024-10-01 18:54:12 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d8 fd fd fd 99 ff ff ff ff 92 cf fb ff 37 52 ec ff 38 46 ea ff d0 d4 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 96 fe fe fe 32 ff ff ff ff f9 f9 fe ff 56 62 ed ff 35 43 ea ff 3b 49 eb ff 95 9c f4 ff cf d2 fa ff d1 d4 fa ff 96 9d f4 ff 52 5e ed ff e1 e3 fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 30 00 00 00 00 fd fd fd 9d ff ff ff ff e8 ea fd ff 58 63 ee ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 6c 76 f0 ff ff ff ff ff ff ff ff ff fd fd fd 98 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd c3 ff ff ff ff f9 f9 fe ff a5 ac f6 ff 5d 69 ee ff 3c 4a Data Ascii: 7R8F2Vb5C;IR^0Xc5C5C5C5C5C5Clv]i<J
2024-10-01 18:54:12 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff fd fd fd d0 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd fd fd 8b ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b1 d8 a3 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 60 a5 35 ff ca 8e 3e ff f9 c1 9f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 87 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 25 fd fd fd fb ff ff ff ff ff ff ff ff ff ff ff ff c2 e0 b7 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 6e b6 54 ff 9f ce 8d ff b7 da aa ff b8 db ab ff a5 d2 95 ff 7b bc 64 ff 54 a8 35 ff 53 a8 34 ff 77 a0 37 ff e3 89 41 ff f4 85 42 ff f4 85 42 ff Data Ascii: S4S4S4S4S4S4S4S4S4S4S4S4S4S4`5>%S4S4S4S4S4S4nT{dT5S4w7ABB
2024-10-01 18:54:12 UTC	1390	IN	Data Raw: ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff fb d5 bf ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd ea fd fd fd cb ff ff ff ff ff ff ff ff ff ff ff ff 46 cd fc ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 21 ae f9 ff fb fb ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd c8 fd fd fd 9c ff ff ff ff ff ff ff ff ff ff ff ff 86 df fd ff 05 bc fb ff 05 bc fb ff 15 93 f5 ff 34 49 eb ff b3 b8 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: BBBBBBF!4I
2024-10-01 18:54:12 UTC	575	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d2 fe fe fe 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd 8d fd fd fd fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd fb fd fd fd 8b fe fe fe 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 27 fd fd fd 9f fd fd fd f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: $'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49773	4.175.87.197	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 18:54:17 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=5Ou7fnsM9TT+8wN&MD=D8v1ExdO HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-01 18:54:17 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 6b98d45d-bf09-4e04-af97-5261bdc383ea MS-RequestId: 18e0e8a4-e980-44d2-aa05-f09e4edf50e6 MS-CV: Au9X3+Th+UuppD4K.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Tue, 01 Oct 2024 18:54:17 GMT Connection: close Content-Length: 24490
2024-10-01 18:54:17 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-10-01 18:54:17 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49778	142.250.185.238	443	1076	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 18:54:18 UTC	1299	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1215 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=CGx2bKNGxQ3M5su_bBratZ9w7JX4gzue_N7NbXgJOhTSkMaoQvban3KAZvUcEXcz3gU1bXkVToRO2xNx-YheZXTgQsP2iKlBn7k1KEnJOol5xURLBrIQJCY5XbzUvskg5J9WvYms41MhFjbMjXT3iAzC7xQUWAxKVGMEYmlNkQaZa11X1RA
2024-10-01 18:54:18 UTC	1215	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 34 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 35 35 38 2c 5b 5b 22 31 37 32 37 38 30 38 38 34 37 30 30 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,null,null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[4,0,0,0,0]]],558,[["1727808847000",null,null,null,
2024-10-01 18:54:19 UTC	941	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=Y-Warh1wVIf7q6eM_aE8g6IunJfyZto75OamvjHqZZ6CsuIB-eXg8bL9NlWWsav7jvAs2_Gth6zgeSjnxpPkjoXepQNIfm3_M_tg_aGK6otpcpHJXpTKAQbbd0xXGxdV2MwaptDGIaAVI7c29CCZm3RNyTgzufeyn0B1iFRmj7ygJbDdx1w0lgqXIvw; expires=Wed, 02-Apr-2025 18:54:18 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 18:54:19 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Tue, 01 Oct 2024 18:54:19 GMT Connection: close Transfer-Encoding: chunked
2024-10-01 18:54:19 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 18:54:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49781	142.250.185.238	443	1076	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 18:54:41 UTC	1330	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1293 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=Y-Warh1wVIf7q6eM_aE8g6IunJfyZto75OamvjHqZZ6CsuIB-eXg8bL9NlWWsav7jvAs2_Gth6zgeSjnxpPkjoXepQNIfm3_M_tg_aGK6otpcpHJXpTKAQbbd0xXGxdV2MwaptDGIaAVI7c29CCZm3RNyTgzufeyn0B1iFRmj7ygJbDdx1w0lgqXIvw
2024-10-01 18:54:41 UTC	1293	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 30 38 38 37 39 39 39 33 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727808879993",null,null,null
2024-10-01 18:54:42 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 18:54:41 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 18:54:42 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 18:54:42 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49782	142.250.185.238	443	1076	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 18:54:42 UTC	1330	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1430 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=Y-Warh1wVIf7q6eM_aE8g6IunJfyZto75OamvjHqZZ6CsuIB-eXg8bL9NlWWsav7jvAs2_Gth6zgeSjnxpPkjoXepQNIfm3_M_tg_aGK6otpcpHJXpTKAQbbd0xXGxdV2MwaptDGIaAVI7c29CCZm3RNyTgzufeyn0B1iFRmj7ygJbDdx1w0lgqXIvw
2024-10-01 18:54:42 UTC	1430	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 30 38 38 38 30 33 33 39 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727808880339",null,null,null
2024-10-01 18:54:42 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 18:54:42 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 18:54:42 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 18:54:42 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49783	142.250.185.238	443	1076	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 18:54:42 UTC	1290	OUT	POST /log?hasfast=true&authuser=0&format=json HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1038 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.132" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=Y-Warh1wVIf7q6eM_aE8g6IunJfyZto75OamvjHqZZ6CsuIB-eXg8bL9NlWWsav7jvAs2_Gth6zgeSjnxpPkjoXepQNIfm3_M_tg_aGK6otpcpHJXpTKAQbbd0xXGxdV2MwaptDGIaAVI7c29CCZm3RNyTgzufeyn0B1iFRmj7ygJbDdx1w0lgqXIvw
2024-10-01 18:54:42 UTC	1038	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 62 6f 71 5f 69 64 65 6e 74 69 74 79 66 72 6f 6e 74 65 6e 64 61 75 74 68 75 69 73 65 72 76 65 72 5f 32 30 32 34 30 39 32 34 2e 30 32 5f 70 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 33 2c 30 2c 30 Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"boq_identityfrontendauthuiserver_20240924.02_p0",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[3,0,0
2024-10-01 18:54:42 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Tue, 01 Oct 2024 18:54:42 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-01 18:54:42 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-01 18:54:42 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49784	4.175.87.197	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 18:54:56 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=5Ou7fnsM9TT+8wN&MD=D8v1ExdO HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-01 18:54:56 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: 5314b69e-50f8-4723-ac7f-fdc95060ed67 MS-RequestId: 9f05c72b-2ceb-4dd5-98a8-db51cae926ea MS-CV: pIIkIbxP9k2IXne7.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Tue, 01 Oct 2024 18:54:55 GMT Connection: close Content-Length: 30005
2024-10-01 18:54:56 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-10-01 18:54:56 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Target ID:	0
Start time:	14:53:57
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x4f0000
File size:	917'504 bytes
MD5 hash:	9A7AB60C3DBE9CE509444CBAD406E780
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	14:53:57
Start date:	01/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	14:53:58
Start date:	01/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2404 --field-trial-handle=2084,i,13302933831953037132,5803645740188378487,262144 --disable-features=CrashRecovery /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	14:54:09
Start date:	01/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5388 --field-trial-handle=2084,i,13302933831953037132,5803645740188378487,262144 --disable-features=CrashRecovery /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	14:54:09
Start date:	01/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 --field-trial-handle=2084,i,13302933831953037132,5803645740188378487,262144 --disable-features=CrashRecovery /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.4%
Total number of Nodes:	1425
Total number of Limit Nodes:	47

Executed Functions

Function 004F42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 004F430D

Part of subcall function 004F6B57: _wcslen.LIBCMT ref: 004F6B6A

GetCurrentProcess.KERNEL32(?,0058CB64,00000000,?,?), ref: 004F4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 004F4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 004F4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 004F4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 004F4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 004F447B
GetSystemInfo.KERNEL32(?,?,?), ref: 004F44A0

Strings

|O, xrefs: 005336F8
kernel32.dll, xrefs: 004F444F
GetNativeSystemInfo, xrefs: 004F4460

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 710b43d934ff1eed517e4edb07e14542cce83ec1f580481210aa4026e0b72be8
Instruction ID: 6b81fa5c1b001c5696f9db8654650fac93d5a236c42a967e1b7b4aedc5394d8f
Opcode Fuzzy Hash: 710b43d934ff1eed517e4edb07e14542cce83ec1f580481210aa4026e0b72be8
Instruction Fuzzy Hash: 26A1143191AEC4CFC712C7A87C419A63FA47B73F48B145D99D441A3A23D638460DEB2E

Function 004F42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,004F50AA,?,?,00000000,00000000), ref: 004F42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,004F50AA,?,?,00000000,00000000), ref: 004F42C9
LoadResource.KERNEL32(?,00000000,?,?,004F50AA,?,?,00000000,00000000,?,?,?,?,?,?,004F4F20), ref: 005335BE
SizeofResource.KERNEL32(?,00000000,?,?,004F50AA,?,?,00000000,00000000,?,?,?,?,?,?,004F4F20), ref: 005335D3
LockResource.KERNEL32(004F50AA,?,?,004F50AA,?,?,00000000,00000000,?,?,?,?,?,?,004F4F20,?), ref: 005335E6

Strings

SCRIPT, xrefs: 004F42BF

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 15f83ed939a37e651509a092ae384fc5d9a62843a479c99c2ec9075e1183d44a
Instruction ID: a1656488022dcaf32c65ef728da209c720ff0fbd563d9dde438c271eac9d1236
Opcode Fuzzy Hash: 15f83ed939a37e651509a092ae384fc5d9a62843a479c99c2ec9075e1183d44a
Instruction Fuzzy Hash: 47117C74200704BFE7218B65DC48F277FB9EBD5B91F1081AAF902A66A0DB71D8049B30

Function 00532BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 004F2B6B

Part of subcall function 004F3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,005C1418,?,004F2E7F,?,?,?,00000000), ref: 004F3A78

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,005B2224), ref: 00532C10
ShellExecuteW.SHELL32(00000000,?,?,005B2224), ref: 00532C17

Strings

runas, xrefs: 00532C0B

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: d1ee14e64f9802ee53ab2054c8149aa83b96f02889f43ad6b922d2f90a383f14
Instruction ID: 1e1a4abb521f2d19feecc91ce96f6e213c0b1725f8985747473072b63dce7234
Opcode Fuzzy Hash: d1ee14e64f9802ee53ab2054c8149aa83b96f02889f43ad6b922d2f90a383f14
Instruction Fuzzy Hash: 4911E7311087496ECB05FF61D852EBEBBE4AB91745F04141FF742520A3DF789909D71A

Function 0055D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0055D501
Process32FirstW.KERNEL32(00000000,?), ref: 0055D50F
Process32NextW.KERNEL32(00000000,?), ref: 0055D52F
CloseHandle.KERNELBASE(00000000), ref: 0055D5DC

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: eda02c89e49480e65e48f2b8ebc0a9726304409f9239f3f936033e57bd4231ac
Instruction ID: 3e7d0f6ed1dcbe74b3832d36a982f1d13412bd6f21aa4dccb6748b74ff99dddd
Opcode Fuzzy Hash: eda02c89e49480e65e48f2b8ebc0a9726304409f9239f3f936033e57bd4231ac
Instruction Fuzzy Hash: 3B3192720082059FD310EF54C895ABFBFF8AF99344F14092EF985921A1EB719948CBA2

Function 0055DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00535222), ref: 0055DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0055DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0055DBEE
FindClose.KERNEL32(00000000), ref: 0055DBFA

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 4b2d7073b9073fd5d5d27be9d3b8f32dc83ba13fb61b89dcfaf34d4b36ed428b
Instruction ID: 6eaccaa566848c88fa641c5c01fb2f7fc7fb9f78c5503ddcb22ee4b0fce20b12
Opcode Fuzzy Hash: 4b2d7073b9073fd5d5d27be9d3b8f32dc83ba13fb61b89dcfaf34d4b36ed428b
Instruction Fuzzy Hash: D0F08C328109109782306B68AC0D8AE3FBCAE41336B104702FC77D20E0EBB06D5C9AA5

Function 00514CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(005228E9,?,00514CBE,005228E9,005B88B8,0000000C,00514E15,005228E9,00000002,00000000,?,005228E9), ref: 00514D09
TerminateProcess.KERNEL32(00000000,?,00514CBE,005228E9,005B88B8,0000000C,00514E15,005228E9,00000002,00000000,?,005228E9), ref: 00514D10
ExitProcess.KERNEL32 ref: 00514D22

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: f1faec4a13b9a7d7cb52d8299fb74dd9e1e665379c47b51032c74edd68721702
Instruction ID: 39dbaad73aeaeead5e5ab53279e6e4b1597345be37f9e8b97de0e9466a4e1658
Opcode Fuzzy Hash: f1faec4a13b9a7d7cb52d8299fb74dd9e1e665379c47b51032c74edd68721702
Instruction Fuzzy Hash: 16E0B631000148ABDF11AF54ED0DA983F69FF92B81B105414FC099A122CB35ED86EF90

Function 004FBF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#\, xrefs: 005407CE

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#\
API String ID: 3964851224-2009390076
Opcode ID: d4b18263c395e78cc8b89004ad2dda88465eff95691a83399e2ab941b545b7f8
Instruction ID: 3020bb3dec30f43ca972c219665cbe904977c9c5ebc8bfd6b550369f27c3b636
Opcode Fuzzy Hash: d4b18263c395e78cc8b89004ad2dda88465eff95691a83399e2ab941b545b7f8
Instruction Fuzzy Hash: 63A27E705083458FD714DF14C580B6ABBE1FF89308F24896EEA8A8B392D775EC45CB96

Function 0057AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0057B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0057B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0057B1D4
_wcslen.LIBCMT ref: 0057B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0057B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0057B236
_wcslen.LIBCMT ref: 0057B332

Part of subcall function 005605A7: GetStdHandle.KERNEL32(000000F6), ref: 005605C6

_wcslen.LIBCMT ref: 0057B34B
_wcslen.LIBCMT ref: 0057B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0057B3B6
GetLastError.KERNEL32(00000000), ref: 0057B407
CloseHandle.KERNEL32(?), ref: 0057B439
CloseHandle.KERNEL32(00000000), ref: 0057B44A
CloseHandle.KERNEL32(00000000), ref: 0057B45C
CloseHandle.KERNEL32(00000000), ref: 0057B46E
CloseHandle.KERNEL32(?), ref: 0057B4E3

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 99ceabd4ca1622b87faec03269f36588c9d0a70dd5a8895744b34fe1bc868aa1
Instruction ID: 890f7f5d3bdd2ae729f8857758e9ee1b2664fb74599216ef257d29a7e3475c11
Opcode Fuzzy Hash: 99ceabd4ca1622b87faec03269f36588c9d0a70dd5a8895744b34fe1bc868aa1
Instruction Fuzzy Hash: F9F1CC315043009FEB24EF25D895B6EBBE1BF85314F14885EF9898B2A2CB35EC44DB52

Function 004FD730 Relevance: 21.6, APIs: 14, Instructions: 626windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 004FD807
timeGetTime.WINMM ref: 004FDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004FDB28
TranslateMessage.USER32(?), ref: 004FDB7B
DispatchMessageW.USER32(?), ref: 004FDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004FDB9F
Sleep.KERNEL32(0000000A), ref: 004FDBB1

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 2f85e557c9f64f59f83f63765ed88312ebdd745392516f25e7ffd0586989f8b7
Instruction ID: cb4b04c06aa066c081c47a71e8d214bf79a7b0b1b70b6268f7affc4e0bd2f7f7
Opcode Fuzzy Hash: 2f85e557c9f64f59f83f63765ed88312ebdd745392516f25e7ffd0586989f8b7
Instruction Fuzzy Hash: 29420370A04646DFD728CF24C888FBABBA2FF85308F54451EF95587291C7B4E844DB9A

Function 004F2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 004F2D07
RegisterClassExW.USER32(00000030), ref: 004F2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004F2D42
InitCommonControlsEx.COMCTL32(?), ref: 004F2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004F2D6F
LoadIconW.USER32(000000A9), ref: 004F2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 004F2D94

Strings

TaskbarCreated, xrefs: 004F2D37
+, xrefs: 004F2CF0
0, xrefs: 004F2CE9
AutoIt v3 GUI, xrefs: 004F2D23

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 4104e8db21216a91a5109d7b010f76bf082969c465e70d000720e223168efe13
Instruction ID: 38ae9de8e31270e70104911f10ea1465e91f8326e97706ec39918a7c2c7628a0
Opcode Fuzzy Hash: 4104e8db21216a91a5109d7b010f76bf082969c465e70d000720e223168efe13
Instruction Fuzzy Hash: 8E21EFB5901608EFDB00DFA4E889A9DBFB4FB19700F00811AFA11B62A0D7B14548EFA5

Function 0053065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0053039A: CreateFileW.KERNELBASE(00000000,00000000,?,00530704,?,?,00000000,?,00530704,00000000,0000000C), ref: 005303B7

GetLastError.KERNEL32 ref: 0053076F
__dosmaperr.LIBCMT ref: 00530776
GetFileType.KERNELBASE(00000000), ref: 00530782
GetLastError.KERNEL32 ref: 0053078C
__dosmaperr.LIBCMT ref: 00530795
CloseHandle.KERNEL32(00000000), ref: 005307B5
CloseHandle.KERNEL32(?), ref: 005308FF
GetLastError.KERNEL32 ref: 00530931
__dosmaperr.LIBCMT ref: 00530938

Strings

H, xrefs: 005308BD

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: b38d3140aa378b2b2308e2419439a1aecb8001c9a5ba0cd84f0c2ced2a2faa39
Instruction ID: e75f4dea61ff8f3cf903d26927cbddbb5e5a27b494e0f8332ad5281b5e4b3c9b
Opcode Fuzzy Hash: b38d3140aa378b2b2308e2419439a1aecb8001c9a5ba0cd84f0c2ced2a2faa39
Instruction Fuzzy Hash: AAA12736A002098FDF19AF68DC66BAD7FA0FB46320F14115DF811EB2D1DB319856DB91

Function 004F344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004F3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,005C1418,?,004F2E7F,?,?,?,00000000), ref: 004F3A78

Part of subcall function 004F3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 004F3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 004F356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0053318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 005331CE
RegCloseKey.ADVAPI32(?), ref: 00533210
_wcslen.LIBCMT ref: 00533277
_wcslen.LIBCMT ref: 00533286

Strings

Software\AutoIt v3\AutoIt, xrefs: 004F3560
\Include\, xrefs: 004F3527
Include, xrefs: 00533184, 005331C5
\, xrefs: 0053328C

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 43922aff8a6b7ab7bd9114c24109b4520fbf2e81b726d915a38c4cc955ea4a11
Instruction ID: 25129ff110cfe01b9c40d73d85d2d515be9b8c2bd718ce4c30a745cca8c52120
Opcode Fuzzy Hash: 43922aff8a6b7ab7bd9114c24109b4520fbf2e81b726d915a38c4cc955ea4a11
Instruction Fuzzy Hash: 0D71BC714043459EC304EF66DC85DABBFE8FFA4B44F40092EF545931A0EB789A48CBA6

Function 004F2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 004F2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 004F2B9D
LoadIconW.USER32(00000063), ref: 004F2BB3
LoadIconW.USER32(000000A4), ref: 004F2BC5
LoadIconW.USER32(000000A2), ref: 004F2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 004F2BEF
RegisterClassExW.USER32(?), ref: 004F2C40

Part of subcall function 004F2CD4: GetSysColorBrush.USER32(0000000F), ref: 004F2D07
Part of subcall function 004F2CD4: RegisterClassExW.USER32(00000030), ref: 004F2D31
Part of subcall function 004F2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004F2D42
Part of subcall function 004F2CD4: InitCommonControlsEx.COMCTL32(?), ref: 004F2D5F
Part of subcall function 004F2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004F2D6F
Part of subcall function 004F2CD4: LoadIconW.USER32(000000A9), ref: 004F2D85
Part of subcall function 004F2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 004F2D94

Strings

0, xrefs: 004F2C0F
#, xrefs: 004F2C16
AutoIt v3, xrefs: 004F2C2F

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 1ca4eb56aabf3c985de5b023b667a99d657d60f5c12d37b679070680c6c86c37
Instruction ID: 4c25a053c0cda6c17238a100147957fc0c0222691880fa5d0bb5ae76140035bf
Opcode Fuzzy Hash: 1ca4eb56aabf3c985de5b023b667a99d657d60f5c12d37b679070680c6c86c37
Instruction Fuzzy Hash: BD217C70E00B58AFDB109FA5EC44EA97FB4FB19F44F00041AEA00A26A1D3B54518EF98

Function 004F3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,004F316A,?,?), ref: 004F31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,004F316A,?,?), ref: 004F3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004F3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,004F316A,?,?), ref: 004F3232
CreatePopupMenu.USER32 ref: 004F3246
PostQuitMessage.USER32(00000000), ref: 004F3267

Strings

TaskbarCreated, xrefs: 004F322D

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 2a7710286592ffa9e25d1d345ad0463e69f07d98b8d991b3f9758ef59010b7a5
Instruction ID: 30b4f9664f4c61c5d099bca9711afec9f63e84147e5a875e400832471b4b7095
Opcode Fuzzy Hash: 2a7710286592ffa9e25d1d345ad0463e69f07d98b8d991b3f9758ef59010b7a5
Instruction Fuzzy Hash: 79414D31200908AEDB142FB89D0DF7A3E58F71634AF04011BFB06D5292CB79DE45A7AD

Function 004F1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 004F1459
CoUninitialize.COMBASE ref: 004F14F8
UnregisterHotKey.USER32(?), ref: 004F16DD
DestroyWindow.USER32(?), ref: 005324B9
FreeLibrary.KERNEL32(?), ref: 0053251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0053254B

Strings

close all, xrefs: 004F1454

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: b30915d90afe231d9b9c4dd41e086401b28ac223dfd28be5f70907286a6d11b4
Instruction ID: 735fb3387b4a4a2dbfca8b00ed898671b0f2e9062b8bd1d07db6d1e852e97d44
Opcode Fuzzy Hash: b30915d90afe231d9b9c4dd41e086401b28ac223dfd28be5f70907286a6d11b4
Instruction Fuzzy Hash: 8BD19D31701612CFDB29EF15C499A39FBA4BF44704F1441AEE94AAB262CB34ED12CF55

Function 004F2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 004F2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 004F2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,004F1CAD,?), ref: 004F2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,004F1CAD,?), ref: 004F2CCF

Strings

edit, xrefs: 004F2CAC
AutoIt v3, xrefs: 004F2C89, 004F2C8E, 004F2C8F

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 6d4e602f80abdba1cb28af85e22bc9f6807da865f55936a0ed7bfb942426f658
Instruction ID: ec3936e1dfff7423e7330c8ab5e7c5297f6e52e4640b00a036a758997baadac9
Opcode Fuzzy Hash: 6d4e602f80abdba1cb28af85e22bc9f6807da865f55936a0ed7bfb942426f658
Instruction Fuzzy Hash: 6FF0DA75640AD07EEB311717AC08E772EBDE7E7F54B01045EFD00A25A1C6751858EAB8

Function 004F3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,004F3B0F,SwapMouseButtons,00000004,?), ref: 004F3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,004F3B0F,SwapMouseButtons,00000004,?), ref: 004F3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,004F3B0F,SwapMouseButtons,00000004,?), ref: 004F3B83

Strings

Control Panel\Mouse, xrefs: 004F3B3E

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 627100c6bf53260b327327e2ceed15152bf757738cd1fe5057c097919bac7de3
Instruction ID: a2cf8babd90cdc2959f8d9270765ea6519557d4e5fa51e242904d38edf7f2182
Opcode Fuzzy Hash: 627100c6bf53260b327327e2ceed15152bf757738cd1fe5057c097919bac7de3
Instruction Fuzzy Hash: 41115AB1511208FFDB208FA4DC48ABFBBB8EF00785B10445AA901E7211D235AE45A764

Function 004F3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 005333A2

Part of subcall function 004F6B57: _wcslen.LIBCMT ref: 004F6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 004F3A04

Strings

Line: , xrefs: 005333EB

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 8f39d97298df3fbf888ba7e88641615fd52e348f8819cddedf00c0868af2e421
Instruction ID: e35f481acad3830aad2a56e68204144a77b16b5e6c2efed3f3fadf02d8b9fd56
Opcode Fuzzy Hash: 8f39d97298df3fbf888ba7e88641615fd52e348f8819cddedf00c0868af2e421
Instruction Fuzzy Hash: 1B31E471408708AED321EF10DC45FFBB7D8AB41719F00492FF69992191DB789A48C7DA

Function 004F2DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00532C8C

Part of subcall function 004F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004F3A97,?,?,004F2E7F,?,?,?,00000000), ref: 004F3AC2

Part of subcall function 004F2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 004F2DC4

Strings

X, xrefs: 00532C5A
`e[, xrefs: 00532C85

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e[
API String ID: 779396738-1307940800
Opcode ID: 392839ef67f744aa27b9c4a3d11d83f539c44bee301c27e9a73d644e40b2b657
Instruction ID: 52e0ac121eb2c689d10b6842b1aa61fd34ce948ebe7801e52c91f912e6df340b
Opcode Fuzzy Hash: 392839ef67f744aa27b9c4a3d11d83f539c44bee301c27e9a73d644e40b2b657
Instruction Fuzzy Hash: CF219371A0069CAFDF01DF95C849BEE7BF8AF89304F00405AE505B7241DBB85A898F65

Function 0050FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00510668

Part of subcall function 005132A4: RaiseException.KERNEL32(?,?,?,0051068A,?,005C1444,?,?,?,?,?,?,0051068A,004F1129,005B8738,004F1129), ref: 00513304

__CxxThrowException@8.LIBVCRUNTIME ref: 00510685

Strings

Unknown exception, xrefs: 00510692

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 5352e8b06440ec84872f09d35f66d53ac533f703afe88543bab8f1c09e8dff65
Instruction ID: 8f96a75297513f39aacb60dd3c8629d8886978e6489b32a93e9cf491dc14321a
Opcode Fuzzy Hash: 5352e8b06440ec84872f09d35f66d53ac533f703afe88543bab8f1c09e8dff65
Instruction Fuzzy Hash: 7AF0C83490020E77DF10BA64D84ACDD7F6D7E80350B604531B924959D1EFB1EAD5CA80

Function 004F10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 004F1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 004F1BF4
Part of subcall function 004F1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 004F1BFC
Part of subcall function 004F1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 004F1C07
Part of subcall function 004F1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 004F1C12
Part of subcall function 004F1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 004F1C1A
Part of subcall function 004F1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 004F1C22

Part of subcall function 004F1B4A: RegisterWindowMessageW.USER32(00000004,?,004F12C4), ref: 004F1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 004F136A
OleInitialize.OLE32 ref: 004F1388
CloseHandle.KERNEL32(00000000,00000000), ref: 005324AB

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 79d8c41062ca1739c81054dcdbf3b75d87911e896c1d3f197d4072e0d64b090b
Instruction ID: 50f23171d1d50d3f26523bde95f7acb43213616b85e00c2da998aabd50526d04
Opcode Fuzzy Hash: 79d8c41062ca1739c81054dcdbf3b75d87911e896c1d3f197d4072e0d64b090b
Instruction Fuzzy Hash: 2C71DDB4805E048EC784EF7AA985E653EE0FBAB344754812ED50AD7363EB348008EF5C

Function 005286AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,005285CC,?,005B8CC8,0000000C), ref: 00528704
GetLastError.KERNEL32(?,005285CC,?,005B8CC8,0000000C), ref: 0052870E
__dosmaperr.LIBCMT ref: 00528739

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: e424849e94679f182e983f637f1023ff31c03879b89160e592167d0d3d7041d5
Instruction ID: 52bb46692c306491314e821afa7082f42627cf7033d5a14563c39e46c4a08ae8
Opcode Fuzzy Hash: e424849e94679f182e983f637f1023ff31c03879b89160e592167d0d3d7041d5
Instruction Fuzzy Hash: 2D016B336066302AD624A6B4784DB7E2F49AFF3774F381519F8149B1D3EEB19C819290

Function 00501310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 005017F6

Strings

CALL, xrefs: 005017C6

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 8d277180d4ebfeee4e8ebaa18570021e8947cbe5ca8c20c7980522440b192654
Instruction ID: 5b9864dceb0e79ba70f9e0bc395327bbfab07143e252d92aae496a94cb6774d3
Opcode Fuzzy Hash: 8d277180d4ebfeee4e8ebaa18570021e8947cbe5ca8c20c7980522440b192654
Instruction Fuzzy Hash: 322289706086429FC714DF14C884B6EBFF1BF85318F18891DF4968B2A2D772E945CB96

Function 004F3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 004F3908

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 6c3186963bcd9b8f05ba22494c9546872ecd6c3f3ff56d34ae0ed5d1d2d663b5
Instruction ID: 75ffe02f89301cfb2f30f79de331acd1449925692acfbde470288d26e499ddc6
Opcode Fuzzy Hash: 6c3186963bcd9b8f05ba22494c9546872ecd6c3f3ff56d34ae0ed5d1d2d663b5
Instruction Fuzzy Hash: 3631D170504B058FD720EF24D884BA7BBE4FB49749F00082EFA9983251E779AA48CB56

Function 004F4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 004F4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,004F4EDD,?,005C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004F4E9C
Part of subcall function 004F4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 004F4EAE
Part of subcall function 004F4E90: FreeLibrary.KERNEL32(00000000,?,?,004F4EDD,?,005C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004F4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,005C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004F4EFD

Part of subcall function 004F4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00533CDE,?,005C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004F4E62
Part of subcall function 004F4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 004F4E74
Part of subcall function 004F4E59: FreeLibrary.KERNEL32(00000000,?,?,00533CDE,?,005C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004F4E87

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 33567cadc3559736a15d67c546520b173f55d25d6c7b6946374efa088c82bcd3
Instruction ID: bcdd7d6bc77b4f7cd1ba907a2acdaaec4c270f5dcc1dee7ef3c3b3ebcb13a524
Opcode Fuzzy Hash: 33567cadc3559736a15d67c546520b173f55d25d6c7b6946374efa088c82bcd3
Instruction Fuzzy Hash: DD112731600209ABCB10BF61DC02FBE7BA5AF80714F10842EF646B71C1DE789E459764

Function 00528402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00528440

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: e5cfaa086d7a222c1e952dbffbc000d65fe1efedfae357622860697dd246e953
Instruction ID: 082fad20926c69eb69d7223b01b577125ad287d83e74747e7e3642efbeef6a2b
Opcode Fuzzy Hash: e5cfaa086d7a222c1e952dbffbc000d65fe1efedfae357622860697dd246e953
Instruction Fuzzy Hash: DC11487190420AAFCF05DF98E9409AE7BF4FF49304F144059F808AB352DA30DA21CBA4

Function 00525000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00524C7D: RtlAllocateHeap.NTDLL(00000008,004F1129,00000000,?,00522E29,00000001,00000364,?,?,?,0051F2DE,00523863,005C1444,?,0050FDF5,?), ref: 00524CBE

_free.LIBCMT ref: 0052506C

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 3ad2b5111f9dd7850ed5ad519982c5cb88723445dbc162a47095ab69346673d6
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 1F0126722047156BE3218F69AC89A5AFFECFFCA370F65051DE184932C0EA30A805C6B4

Function 0051E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: d03c47c2122cc62064b9c27c73e0860f4307581dec9a1fb5ec985190622a2973
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 7DF0F936511A21A6E7313A65BC0EBD63F98BFD3374F100B15F825921D1CB70A881C6A5

Function 00524C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,004F1129,00000000,?,00522E29,00000001,00000364,?,?,?,0051F2DE,00523863,005C1444,?,0050FDF5,?), ref: 00524CBE

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b277da0f6ff37d818e56ea6539910725da6082fa176a43b7fd447460c2f3b0d8
Instruction ID: 4d888ff893b205f20a96ecaf919b331fc856b841ac174b740e77b6a88ec0fee6
Opcode Fuzzy Hash: b277da0f6ff37d818e56ea6539910725da6082fa176a43b7fd447460c2f3b0d8
Instruction Fuzzy Hash: 08F0E93260263567EB215F7AFC09F9A3F88BF937A0B144121BC15B62C1CA70DC019EE0

Function 00523820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,005C1444,?,0050FDF5,?,?,004FA976,00000010,005C1440,004F13FC,?,004F13C6,?,004F1129), ref: 00523852

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 90f8b6505b1732639fc522c52f318cdbc8564122b29d56c0b81c938359946cf2
Instruction ID: ad865d6f532c1a5a7ca3659fb72beee7a6791d03a7dadaec02eb50ba58210594
Opcode Fuzzy Hash: 90f8b6505b1732639fc522c52f318cdbc8564122b29d56c0b81c938359946cf2
Instruction Fuzzy Hash: FFE0E53210263556E7212676BC08BDA3E59BF83BB0F160120BD159A5C1CB29DD0186E1

Function 004F4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,005C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004F4F6D

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 3fb90f22b1a6daa0449057c20518565b53f88af32d1c210f26f38dd0b0998eef
Instruction ID: d7084dd8f6dbea361986a4f05d3b5b5defb084ee19577c26fdf06f741958e4c9
Opcode Fuzzy Hash: 3fb90f22b1a6daa0449057c20518565b53f88af32d1c210f26f38dd0b0998eef
Instruction Fuzzy Hash: FCF03071505756CFDB349F64D494823BBE4BF54329310897FE6DE82621CB359888DF28

Function 004F30F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 004F314E

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: cd0f8d9ff8f477f722120dcc95658485d95d264fbc007c315733a9fcc232525e
Instruction ID: bdd1690961475d4ca8958c20a03d5555fd83813ec6f42d03eac9783d35eda6e4
Opcode Fuzzy Hash: cd0f8d9ff8f477f722120dcc95658485d95d264fbc007c315733a9fcc232525e
Instruction Fuzzy Hash: 8FF0A7709003489FEB529F24DC49BDA7BBCB70170CF0000E5A64896292DB744B9CCF55

Function 004F2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 004F2DC4

Part of subcall function 004F6B57: _wcslen.LIBCMT ref: 004F6B6A

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 0d482feaabd06241f9a37be74749a05fafa1c59015231a8d48fc93449f59757a
Instruction ID: 417e5d9ffb9963d8a51002d53f1605a9559ffb1daafff0e7990d4f3dbaad772f
Opcode Fuzzy Hash: 0d482feaabd06241f9a37be74749a05fafa1c59015231a8d48fc93449f59757a
Instruction Fuzzy Hash: A8E0CD766001245BC71092589C05FEA77DDDFC8790F050075FD09E7248D974AD848664

Function 004F2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 004F3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 004F3908

Part of subcall function 004FD730: GetInputState.USER32 ref: 004FD807

SetCurrentDirectoryW.KERNEL32(?), ref: 004F2B6B

Part of subcall function 004F30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 004F314E

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 600933ce2bf0869388b08319e6d001cc562697ad7971b857fd4d394eba75ce5a
Instruction ID: 7fac817666d64708b1dad1579ea9a3a8b050021122ed13f78b462eb94510ddf0
Opcode Fuzzy Hash: 600933ce2bf0869388b08319e6d001cc562697ad7971b857fd4d394eba75ce5a
Instruction Fuzzy Hash: 0AE0863170464D0ACA08BF76985297DB799DBE239BF40253FF74247163CE6C89498359

Function 0053039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00530704,?,?,00000000,?,00530704,00000000,0000000C), ref: 005303B7

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 07409dd25b2d8edef6ca22cdae67376db4010d7eaeeaa41d3ac7f14503eb49a1
Instruction ID: 44a3621e26ba06cf05dac4bcf07655560a08893ad5be0c7967ad02054c891931
Opcode Fuzzy Hash: 07409dd25b2d8edef6ca22cdae67376db4010d7eaeeaa41d3ac7f14503eb49a1
Instruction Fuzzy Hash: 58D06C3204010DBBDF028F84DD46EDA3FAAFB48714F014000BE1866020C732E821EB90

Function 004F1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 004F1CBC

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: a63f26e07b35fd0b8b42d2fc65d35b9462081890446a1d7f08075c8a2c069182
Instruction ID: a90d7fa9caaff05a4e8c045ac3ebd7fd49648594f0dcb7004e2a529174bcfef4
Opcode Fuzzy Hash: a63f26e07b35fd0b8b42d2fc65d35b9462081890446a1d7f08075c8a2c069182
Instruction Fuzzy Hash: 76C09B352807049FF6145780BC4AF117754A368F05F044401F609695E3C3F11414FB54

Non-executed Functions

Function 00589576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00509BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00509BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0058961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0058965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0058969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005896C9
SendMessageW.USER32 ref: 005896F2
GetKeyState.USER32(00000011), ref: 0058978B
GetKeyState.USER32(00000009), ref: 00589798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 005897AE
GetKeyState.USER32(00000010), ref: 005897B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005897E9
SendMessageW.USER32 ref: 00589810
SendMessageW.USER32(?,00001030,?,00587E95), ref: 00589918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0058992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00589941
SetCapture.USER32(?), ref: 0058994A
ClientToScreen.USER32(?,?), ref: 005899AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 005899BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005899D6
ReleaseCapture.USER32 ref: 005899E1
GetCursorPos.USER32(?), ref: 00589A19
ScreenToClient.USER32(?,?), ref: 00589A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00589A80
SendMessageW.USER32 ref: 00589AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00589AEB
SendMessageW.USER32 ref: 00589B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00589B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00589B4A
GetCursorPos.USER32(?), ref: 00589B68
ScreenToClient.USER32(?,?), ref: 00589B75
GetParent.USER32(?), ref: 00589B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00589BFA
SendMessageW.USER32 ref: 00589C2B
ClientToScreen.USER32(?,?), ref: 00589C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00589CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00589CDE
SendMessageW.USER32 ref: 00589D01
ClientToScreen.USER32(?,?), ref: 00589D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00589D82

Part of subcall function 00509944: GetWindowLongW.USER32(?,000000EB), ref: 00509952

GetWindowLongW.USER32(?,000000F0), ref: 00589E05

Strings

@GUI_DRAGID, xrefs: 0058997D
p#\, xrefs: 00589990
F, xrefs: 00589D07

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#\
API String ID: 3429851547-2312411218
Opcode ID: 8086d5d70a7ac36cc182a0c0e5ad15767fe74b1bad7b3f1527403d8dd57a81cc
Instruction ID: 8badfc9561f475c60ac917e63b0ee42ec16394514db9caec1b6a0a66564d3186
Opcode Fuzzy Hash: 8086d5d70a7ac36cc182a0c0e5ad15767fe74b1bad7b3f1527403d8dd57a81cc
Instruction Fuzzy Hash: 20428E74204201AFDB24EF29CC44EBABFE5FF49310F180A19FA59AB2A1E731D854DB51

Function 00584873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 005848F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00584908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00584927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0058494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0058495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0058497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 005849AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 005849D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00584A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00584A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00584A7E
IsMenu.USER32(?), ref: 00584A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00584AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00584B20
GetWindowLongW.USER32(?,000000F0), ref: 00584B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00584BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00584C82
wsprintfW.USER32 ref: 00584CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00584CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00584CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00584D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00584D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00584D5A

Strings

%d/%02d/%02d, xrefs: 00584CA8

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 416980b1b51d5b3914d1389945c051337f128e6f0ec34f1973a39f917cd6546f
Instruction ID: 84692f56d54df094ab99b6d76b13bda94f2af40562dcb3a3cd42f4333deb449d
Opcode Fuzzy Hash: 416980b1b51d5b3914d1389945c051337f128e6f0ec34f1973a39f917cd6546f
Instruction Fuzzy Hash: 1212DD71600256ABEB24AF29CC49FAE7FA8BF85310F104529FD16EB2E1DB749944CF50

Function 0050F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0050F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0054F474
IsIconic.USER32(00000000), ref: 0054F47D
ShowWindow.USER32(00000000,00000009), ref: 0054F48A
SetForegroundWindow.USER32(00000000), ref: 0054F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0054F4AA
GetCurrentThreadId.KERNEL32 ref: 0054F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0054F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0054F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0054F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0054F4DE
SetForegroundWindow.USER32(00000000), ref: 0054F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0054F4F6
keybd_event.USER32(00000012,00000000), ref: 0054F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0054F50B
keybd_event.USER32(00000012,00000000), ref: 0054F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0054F519
keybd_event.USER32(00000012,00000000), ref: 0054F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0054F528
keybd_event.USER32(00000012,00000000), ref: 0054F52D
SetForegroundWindow.USER32(00000000), ref: 0054F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0054F557

Strings

Shell_TrayWnd, xrefs: 0054F46F

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: ec01ec42f714478a5f00584687f9b3232483ea785d12ccd1b720b570131b7065
Instruction ID: 040998172391237c2394a19f9a5a558464fb10adf957ae3856088f5cedf8b2e7
Opcode Fuzzy Hash: ec01ec42f714478a5f00584687f9b3232483ea785d12ccd1b720b570131b7065
Instruction Fuzzy Hash: 61313D71A40218BBEF206BB99C4AFBF7E6CEB44B54F101465FA05F61D1DAB15900BBB0

Function 00551201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 005516C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0055170D
Part of subcall function 005516C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0055173A
Part of subcall function 005516C3: GetLastError.KERNEL32 ref: 0055174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00551286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 005512A8
CloseHandle.KERNEL32(?), ref: 005512B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 005512D1
GetProcessWindowStation.USER32 ref: 005512EA
SetProcessWindowStation.USER32(00000000), ref: 005512F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00551310

Part of subcall function 005510BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005511FC), ref: 005510D4
Part of subcall function 005510BF: CloseHandle.KERNEL32(?,?,005511FC), ref: 005510E9

Strings

winsta0, xrefs: 005512CC
, xrefs: 0055125A
Z[, xrefs: 00551392
default, xrefs: 0055130B

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z[
API String ID: 22674027-259235808
Opcode ID: ed266de52b2436257004cd809c875ff0dccbd9b3f8220ec985f66803c7e4232f
Instruction ID: 360275e3d7ec76c7616555425b1c3f517c71c40eed1c06711303305efabe5c1d
Opcode Fuzzy Hash: ed266de52b2436257004cd809c875ff0dccbd9b3f8220ec985f66803c7e4232f
Instruction Fuzzy Hash: 70816571900209ABDF209FA8DC59BEE7FB9BF04705F14612AFD10B62A0E7759948DB24

Function 00550B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005510F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00551114
Part of subcall function 005510F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00550B9B,?,?,?), ref: 00551120
Part of subcall function 005510F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00550B9B,?,?,?), ref: 0055112F
Part of subcall function 005510F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00550B9B,?,?,?), ref: 00551136
Part of subcall function 005510F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0055114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00550BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00550C00
GetLengthSid.ADVAPI32(?), ref: 00550C17
GetAce.ADVAPI32(?,00000000,?), ref: 00550C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00550C6D
GetLengthSid.ADVAPI32(?), ref: 00550C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00550C8C
HeapAlloc.KERNEL32(00000000), ref: 00550C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00550CB4
CopySid.ADVAPI32(00000000), ref: 00550CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00550CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00550D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00550D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00550D45
HeapFree.KERNEL32(00000000), ref: 00550D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00550D55
HeapFree.KERNEL32(00000000), ref: 00550D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00550D65
HeapFree.KERNEL32(00000000), ref: 00550D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00550D78
HeapFree.KERNEL32(00000000), ref: 00550D7F

Part of subcall function 00551193: GetProcessHeap.KERNEL32(00000008,00550BB1,?,00000000,?,00550BB1,?), ref: 005511A1
Part of subcall function 00551193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00550BB1,?), ref: 005511A8
Part of subcall function 00551193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00550BB1,?), ref: 005511B7

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 2c44276eb4fac266633b55dd2a34adf8fa35e7d0cdae396a28edd838bbb3c58d
Instruction ID: 70c9e8708403bf03fa38cba8f220288fc617fb1fdcced115bb38d29f21cb7547
Opcode Fuzzy Hash: 2c44276eb4fac266633b55dd2a34adf8fa35e7d0cdae396a28edd838bbb3c58d
Instruction Fuzzy Hash: C371577290020AABDF109FE4DC88BEEBFB8BF14341F145516ED14A6291D771AA09DBA0

Function 0056EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0058CC08), ref: 0056EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0056EB37
GetClipboardData.USER32(0000000D), ref: 0056EB43
CloseClipboard.USER32 ref: 0056EB4F
GlobalLock.KERNEL32(00000000), ref: 0056EB87
CloseClipboard.USER32 ref: 0056EB91
GlobalUnlock.KERNEL32(00000000), ref: 0056EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0056EBC9
GetClipboardData.USER32(00000001), ref: 0056EBD1
GlobalLock.KERNEL32(00000000), ref: 0056EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0056EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0056EC38
GetClipboardData.USER32(0000000F), ref: 0056EC44
GlobalLock.KERNEL32(00000000), ref: 0056EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0056EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0056EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0056ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0056ECF3
CountClipboardFormats.USER32 ref: 0056ED14
CloseClipboard.USER32 ref: 0056ED59

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: af8b1245ade00d29506a559efbe5230bc7c1c6554807a8b16f0d834335bec98b
Instruction ID: c9c863b0a1d42e8128807c07a7bd9fd3fca913266d42b9985edf0ac3a1d34a2e
Opcode Fuzzy Hash: af8b1245ade00d29506a559efbe5230bc7c1c6554807a8b16f0d834335bec98b
Instruction Fuzzy Hash: 8D6100382042019FD300EF25D88AF3A7FA4BF94748F14551DF986A72A2DB31DD0ADB62

Function 0056698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 005669BE
FindClose.KERNEL32(00000000), ref: 00566A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00566A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00566A75

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00566AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00566ADF

Strings

%02d, xrefs: 00566C00, 00566C0A, 00566C5A, 00566CAA, 00566CFA, 00566D4A
%4d%02d%02d%02d%02d%02d, xrefs: 00566B6A
%03d, xrefs: 00566DA2
%4d, xrefs: 00566BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00566B32

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 9a9cfee667905e759562fe046a914ee5cfa400e927ffbfaa52a6c07a674d61ad
Instruction ID: 50612131807932c9ea45901f6ce7e2af5916cb9e625fbc59b59dd6b9396f9ccf
Opcode Fuzzy Hash: 9a9cfee667905e759562fe046a914ee5cfa400e927ffbfaa52a6c07a674d61ad
Instruction Fuzzy Hash: 8DD13D71508344AEC310EBA5C985EBBB7ECBF98704F04491EF685D7191EB78DA44CB62

Function 00569642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00569663
GetFileAttributesW.KERNEL32(?), ref: 005696A1
SetFileAttributesW.KERNEL32(?,?), ref: 005696BB
FindNextFileW.KERNEL32(00000000,?), ref: 005696D3
FindClose.KERNEL32(00000000), ref: 005696DE
FindFirstFileW.KERNEL32(*.*,?), ref: 005696FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0056974A
SetCurrentDirectoryW.KERNEL32(005B6B7C), ref: 00569768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00569772
FindClose.KERNEL32(00000000), ref: 0056977F
FindClose.KERNEL32(00000000), ref: 0056978F

Strings

*.*, xrefs: 005696F5

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 208f74cdc018d7eeda537fc60075144dfafdaa4470b23e06f6d9dbbfadbd25b6
Instruction ID: 613d1e513d4398a799695c2475fd3ba9b1659701256e6cd2ea3d0d21b45dafe0
Opcode Fuzzy Hash: 208f74cdc018d7eeda537fc60075144dfafdaa4470b23e06f6d9dbbfadbd25b6
Instruction Fuzzy Hash: 1431A4365402196ADF14AFB4DC49AEE7FACFF4A320F104155E916E3090EB34DD848B64

Function 0056979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 005697BE
FindNextFileW.KERNEL32(00000000,?), ref: 00569819
FindClose.KERNEL32(00000000), ref: 00569824
FindFirstFileW.KERNEL32(*.*,?), ref: 00569840
SetCurrentDirectoryW.KERNEL32(?), ref: 00569890
SetCurrentDirectoryW.KERNEL32(005B6B7C), ref: 005698AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 005698B8
FindClose.KERNEL32(00000000), ref: 005698C5
FindClose.KERNEL32(00000000), ref: 005698D5

Part of subcall function 0055DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0055DB00

Strings

*.*, xrefs: 0056983B

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: c477027f7297f15f8b07920eebcb0ede236dd4998c0e008ce15b58bffcbc289a
Instruction ID: 30d22dbda37ac4702e7fcd070c359d3ade509e71e17cbb0fddf16270ca085041
Opcode Fuzzy Hash: c477027f7297f15f8b07920eebcb0ede236dd4998c0e008ce15b58bffcbc289a
Instruction Fuzzy Hash: 1B31C33250021AAADB10AFB4EC48ADE7FACBF4A320F104155E951A30D0DB30DD89CB60

Function 0057BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0057C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0057B6AE,?,?), ref: 0057C9B5
Part of subcall function 0057C998: _wcslen.LIBCMT ref: 0057C9F1
Part of subcall function 0057C998: _wcslen.LIBCMT ref: 0057CA68
Part of subcall function 0057C998: _wcslen.LIBCMT ref: 0057CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0057BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0057BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0057BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0057C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0057C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0057C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0057C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0057C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0057C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0057C382
RegCloseKey.ADVAPI32(00000000), ref: 0057C38F

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: ad71086749c837b9378a3441bd6c844fca7b7425433bef9051144d292d482569
Instruction ID: 4f69cb4e77f666c89847f59e28dbf7581e7cabe8bb61a7bbb1361e956522601e
Opcode Fuzzy Hash: ad71086749c837b9378a3441bd6c844fca7b7425433bef9051144d292d482569
Instruction Fuzzy Hash: D9025A71604200AFD714DF28D895E2ABBE5BF89308F18C89DF84ADB2A2D731ED45DB51

Function 00568195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00568257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00568267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00568273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00568310
SetCurrentDirectoryW.KERNEL32(?), ref: 00568324
SetCurrentDirectoryW.KERNEL32(?), ref: 00568356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0056838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00568395

Strings

*.*, xrefs: 0056839B

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 6f5aee77c3f8542bb3ceb5934a6fd9030165e7a2abd808d92e02e6e3bb2f2113
Instruction ID: 189874d7f63183032d5eea7b7837cf07e754c93e79a8c5c9656aaf366a0bf6ab
Opcode Fuzzy Hash: 6f5aee77c3f8542bb3ceb5934a6fd9030165e7a2abd808d92e02e6e3bb2f2113
Instruction Fuzzy Hash: D9617BB25043059FCB10EF60C8549AEBBE9FF89314F044D1EF98997251DB35E949CBA2

Function 0055D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004F3A97,?,?,004F2E7F,?,?,?,00000000), ref: 004F3AC2

Part of subcall function 0055E199: GetFileAttributesW.KERNEL32(?,0055CF95), ref: 0055E19A

FindFirstFileW.KERNEL32(?,?), ref: 0055D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0055D1DD
MoveFileW.KERNEL32(?,?), ref: 0055D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0055D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0055D237

Part of subcall function 0055D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0055D21C,?,?), ref: 0055D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0055D253
FindClose.KERNEL32(00000000), ref: 0055D264

Strings

\*.*, xrefs: 0055D0CD, 0055D0D6, 0055D0EB

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 3d212bbb0a37d72dfe8ebecd31127a86e776290398abaf14b6031e59689cba09
Instruction ID: e9a382211de712b2799bb90ac18d6f7fa9564648cd5522c20675f4a310246c00
Opcode Fuzzy Hash: 3d212bbb0a37d72dfe8ebecd31127a86e776290398abaf14b6031e59689cba09
Instruction Fuzzy Hash: B1619B7280110DAACF15EBE1C9A29FDBBB5BF54345F24406AE90277191EB346F0DDB60

Function 0056ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0056ED91
EmptyClipboard.USER32 ref: 0056ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0056EDAC
CloseClipboard.USER32 ref: 0056EEA3

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 484c88fbfcdd7376e95b253a46c926bf3ef31241ff55a18ceb9b2f26f58d38d7
Instruction ID: d4814f4cc6aa0f270039c8cacc97e42a5bbedbb4bc6f1f5c6f35b846bd635439
Opcode Fuzzy Hash: 484c88fbfcdd7376e95b253a46c926bf3ef31241ff55a18ceb9b2f26f58d38d7
Instruction Fuzzy Hash: 0741BF39205611AFE310CF1AD889B29BFE5FF54318F14C49DE8559B6A2C736EC45CBA0

Function 0055E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 005516C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0055170D
Part of subcall function 005516C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0055173A
Part of subcall function 005516C3: GetLastError.KERNEL32 ref: 0055174A

ExitWindowsEx.USER32(?,00000000), ref: 0055E932

Strings

, xrefs: 0055E95C
SeShutdownPrivilege, xrefs: 0055E902
, xrefs: 0055E920
@, xrefs: 0055E925

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 38d2237c648123ea6380c07b11b3e0034bba17fe3c110107bc8c81ecc0301cce
Instruction ID: 6e02ccffd6f80384badbd461bab4c9313378efcea3054904244ee3a85c3d6a46
Opcode Fuzzy Hash: 38d2237c648123ea6380c07b11b3e0034bba17fe3c110107bc8c81ecc0301cce
Instruction Fuzzy Hash: 10012B72A10211ABEB1826B4ACABFBF7EBCBB14742F140823FC03F21D1D5605D4C82A4

Function 00571204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 00571276
WSAGetLastError.WSOCK32 ref: 00571283
bind.WSOCK32(00000000,?,00000010), ref: 005712BA
WSAGetLastError.WSOCK32 ref: 005712C5
closesocket.WSOCK32(00000000), ref: 005712F4
listen.WSOCK32(00000000,00000005), ref: 00571303
WSAGetLastError.WSOCK32 ref: 0057130D
closesocket.WSOCK32(00000000), ref: 0057133C

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: fca77574cad89dc30182c92e372d5ed3016a420c82386edea5f5f50f018e4d26
Instruction ID: c5d9ea76e231cc06d28e788fa0e18bae7de97c418bc0f3ed7cf1eae3ccdcf294
Opcode Fuzzy Hash: fca77574cad89dc30182c92e372d5ed3016a420c82386edea5f5f50f018e4d26
Instruction Fuzzy Hash: EA419E35600500AFD710DF29D488B29BBE6BF46318F18C089E95A9F293C775ED85DBE1

Function 0055D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004F3A97,?,?,004F2E7F,?,?,?,00000000), ref: 004F3AC2

Part of subcall function 0055E199: GetFileAttributesW.KERNEL32(?,0055CF95), ref: 0055E19A

FindFirstFileW.KERNEL32(?,?), ref: 0055D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0055D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0055D481
FindClose.KERNEL32(00000000), ref: 0055D498
FindClose.KERNEL32(00000000), ref: 0055D4A1

Strings

\*.*, xrefs: 0055D3F2

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 69fe4d658b9a71738d7a8b47d96ee712f5bcf1b725726ff4d6a087e2898c2c8d
Instruction ID: 6d1b16761b6a5eb6fcac17e8cd2a52b35030be16440ab5b5fe25cdf948142b26
Opcode Fuzzy Hash: 69fe4d658b9a71738d7a8b47d96ee712f5bcf1b725726ff4d6a087e2898c2c8d
Instruction Fuzzy Hash: 8031D0720083459BC710EF65C8518BF7BE8BE91345F444E1EF9D292191EB74AA0DC767

Function 0052E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0052E645

Strings

1#IND, xrefs: 0052F83D
1#INF, xrefs: 0052F852
1#SNAN, xrefs: 0052F844
1#QNAN, xrefs: 0052F84B

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 4084081dcb3f9a4074d340d187b5b1dbea475fc33a4300e74d9285b0a1e2bc93
Instruction ID: 0574f376bc33559cc09ba7efaf3c72985f5f3345e9a121b983aa28ee6671ae3e
Opcode Fuzzy Hash: 4084081dcb3f9a4074d340d187b5b1dbea475fc33a4300e74d9285b0a1e2bc93
Instruction Fuzzy Hash: DDC24A72E046298BDB25CE28ED457EABBB5FF46304F1445EAD44DE7280E774AE818F40

Function 0056648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005664DC
CoInitialize.OLE32(00000000), ref: 00566639
CoCreateInstance.OLE32(0058FCF8,00000000,00000001,0058FB68,?), ref: 00566650
CoUninitialize.OLE32 ref: 005668D4

Strings

.lnk, xrefs: 005664BA, 00566524, 005665E0

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: cf2ecfacbea9997c62521caa35700f6af093b76c48b08ecbc1486f9c2e96a4f5
Instruction ID: 9ffdec1bd3aac3a10d7f4459adaa38860b2d8eb9ffe59c6413c08c81d578e163
Opcode Fuzzy Hash: cf2ecfacbea9997c62521caa35700f6af093b76c48b08ecbc1486f9c2e96a4f5
Instruction Fuzzy Hash: D9D15B715083059FC314EF25C881A6BBBE8FF94708F40495DF5958B291DB74ED09CBA6

Function 005722DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 005722E8

Part of subcall function 0056E4EC: GetWindowRect.USER32(?,?), ref: 0056E504

GetDesktopWindow.USER32 ref: 00572312
GetWindowRect.USER32(00000000), ref: 00572319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00572355
GetCursorPos.USER32(?), ref: 00572381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 005723DF

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 477f10ccaefb0224d5e0d95753b43118f720993409c2da4e824c673910a2ddb8
Instruction ID: 228501f41f8024cb7aabebbf58eb37b14acb1b64d59ed46e96a41f273e9a2b68
Opcode Fuzzy Hash: 477f10ccaefb0224d5e0d95753b43118f720993409c2da4e824c673910a2ddb8
Instruction Fuzzy Hash: 0331CF72505315AFDB20DF14D849E5BBBEAFF84310F004919F989A7281DB34EA08DBA2

Function 00569B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00569B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00569C8B

Part of subcall function 00563874: GetInputState.USER32 ref: 005638CB
Part of subcall function 00563874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00563966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00569BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00569C75

Strings

*.*, xrefs: 00569B5D

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: b3696b8453c7c61586db5ff011a7d95b10be52ba9ce9b4b51e4694a41be798fd
Instruction ID: 0041019bb69537032638fdd6ef0e0350f21860ee22d33e6bc3b2c5aeacd504af
Opcode Fuzzy Hash: b3696b8453c7c61586db5ff011a7d95b10be52ba9ce9b4b51e4694a41be798fd
Instruction Fuzzy Hash: 37416D7190420A9FDF54EF64C989AEEBFB8FF45350F24415AE905A3191EB309E84CF64

Function 0050997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00509BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00509BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00509A4E
GetSysColor.USER32(0000000F), ref: 00509B23
SetBkColor.GDI32(?,00000000), ref: 00509B36

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 77c3f0da21d947b32eb7fdcb0132281faf73f662c650e8f40d4e0c5a136efba6
Instruction ID: a05933772db113d86424fc13b61e01a0e961a1ddc41084cc81caf413ea11210a
Opcode Fuzzy Hash: 77c3f0da21d947b32eb7fdcb0132281faf73f662c650e8f40d4e0c5a136efba6
Instruction Fuzzy Hash: 8EA1F870209848AEE728AA2C8C9DEBF3E9DFBCA354F150509F502D65DBCB259D01D376

Function 00571806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0057304E: inet_addr.WSOCK32(?), ref: 0057307A
Part of subcall function 0057304E: _wcslen.LIBCMT ref: 0057309B

socket.WSOCK32(00000002,00000002,00000011), ref: 0057185D
WSAGetLastError.WSOCK32 ref: 00571884
bind.WSOCK32(00000000,?,00000010), ref: 005718DB
WSAGetLastError.WSOCK32 ref: 005718E6
closesocket.WSOCK32(00000000), ref: 00571915

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: d28d216abf4c507d295aaf79d43bcb78e6ee688d44bec9f2f194e70b2c55d326
Instruction ID: b8f170ca0c9e89e40aeff75c572b1e10bf6cc9aefd933504ab70a79680a0fae7
Opcode Fuzzy Hash: d28d216abf4c507d295aaf79d43bcb78e6ee688d44bec9f2f194e70b2c55d326
Instruction Fuzzy Hash: 3551C471A00204AFDB10AF24D886F3A7BE5AB45718F04C49DFA0A6F3C3C775AD419BA5

Function 00581C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00581CC0
IsWindowEnabled.USER32 ref: 00581CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00581CDB
IsIconic.USER32 ref: 00581CE9
IsZoomed.USER32 ref: 00581CF7

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 7a5d055d20a913626cbb2628df50088267d7f20284abb5a7d98cd8340263ac23
Instruction ID: fd525d92ac54a05b724b984a5be2cbd3afe6f4dc72e596eb648ced7b88ab387a
Opcode Fuzzy Hash: 7a5d055d20a913626cbb2628df50088267d7f20284abb5a7d98cd8340263ac23
Instruction Fuzzy Hash: 1921B131740A015FD720AF2AC884B2A7FA9FF95314F188068EC46EB351CB71DC42CBA8

Function 004F8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 004F83E8
VUUU, xrefs: 004F843C
VUUU, xrefs: 004F83FA
ERCP, xrefs: 004F813C
VUUU, xrefs: 00535DF0

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 1e2c7f89e1180f2c89e92ad5b1c9f51e92e86345f9554e1e33f0b69fe467bd10
Instruction ID: ac936fad0e8b8bf15de6b3cff76a12022a8b914b6615cfc1e76f3f01fe161ac5
Opcode Fuzzy Hash: 1e2c7f89e1180f2c89e92ad5b1c9f51e92e86345f9554e1e33f0b69fe467bd10
Instruction Fuzzy Hash: F5A28C70E0061ECBDF24CF58C9407BEBBB1BB54314F2485AEE915AB285EB349D81CB95

Function 00558298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 005582AA

Strings

tb[, xrefs: 005584F4
|, xrefs: 005582DA
(, xrefs: 005582F0

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tb[$|
API String ID: 1659193697-2831977410
Opcode ID: f47214a40ef58080d0b00058b23fb0283e979668c04fe050d1e849aa03d8d554
Instruction ID: 35cbe7622ff111772426a916dcb47a00c21db72afd178bd125b95788ad4231f2
Opcode Fuzzy Hash: f47214a40ef58080d0b00058b23fb0283e979668c04fe050d1e849aa03d8d554
Instruction Fuzzy Hash: A7322A75A00605DFCB28CF59C49196ABBF0FF48710B15C96EE85AEB7A1DB70E941CB40

Function 0055AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0055AAAC
SetKeyboardState.USER32(00000080), ref: 0055AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0055AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0055AB88

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 2b6efa61e68f316ac4881997434c16182a34bb66f8bb0e745bd9be57ab8e1eb3
Instruction ID: f11efe58849c043f9ff2549e3ea12e83e698c198ab66e589a4d1986dc5116fd8
Opcode Fuzzy Hash: 2b6efa61e68f316ac4881997434c16182a34bb66f8bb0e745bd9be57ab8e1eb3
Instruction Fuzzy Hash: 74310930A40248AEFF358A69CC25BFA7FA6BB44322F04431BF981561D1D7758989D7A2

Function 0052BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0052BB7F

Part of subcall function 005229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0052D7D1,00000000,00000000,00000000,00000000,?,0052D7F8,00000000,00000007,00000000,?,0052DBF5,00000000), ref: 005229DE
Part of subcall function 005229C8: GetLastError.KERNEL32(00000000,?,0052D7D1,00000000,00000000,00000000,00000000,?,0052D7F8,00000000,00000007,00000000,?,0052DBF5,00000000,00000000), ref: 005229F0

GetTimeZoneInformation.KERNEL32 ref: 0052BB91
WideCharToMultiByte.KERNEL32(00000000,?,005C121C,000000FF,?,0000003F,?,?), ref: 0052BC09
WideCharToMultiByte.KERNEL32(00000000,?,005C1270,000000FF,?,0000003F,?,?,?,005C121C,000000FF,?,0000003F,?,?), ref: 0052BC36

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: ca0f17d58656bb06c726647e50981165adc13bb52cbf31c3bdaea258f7805408
Instruction ID: cdae83bf9bf58070934aef40e19bf30056f32597b97b268fabbf039f394a0e70
Opcode Fuzzy Hash: ca0f17d58656bb06c726647e50981165adc13bb52cbf31c3bdaea258f7805408
Instruction Fuzzy Hash: 9D31AD79904616DFDB10DF6AAC8096DBFB8FF67310B14466AE021E72E2D7309E44DB50

Function 0056CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0056CE89
GetLastError.KERNEL32(?,00000000), ref: 0056CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0056CEFE

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 964e0d7953fc529c02c0d091e5e06e4399ff7814b0f754a57ab76e714c18cf2e
Instruction ID: 94441f6e2ad5bce96739c092cc27db213b8da93442dbeb8ea40098b041f27417
Opcode Fuzzy Hash: 964e0d7953fc529c02c0d091e5e06e4399ff7814b0f754a57ab76e714c18cf2e
Instruction Fuzzy Hash: 8821AC716003059BEB219F65C988BAABFFCFB50314F10481EEA86E3151E771EE48DB60

Function 00565C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00565CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00565D17
FindClose.KERNEL32(?), ref: 00565D5F

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: e1f1cd2108180cbc9fcdf863c292b6f6a9796bccec0b66acd2189d82e24465ad
Instruction ID: 98e208ac6f2a38b922bbf220b28d0aec282bbb63a815fc26a51d20c588108312
Opcode Fuzzy Hash: e1f1cd2108180cbc9fcdf863c292b6f6a9796bccec0b66acd2189d82e24465ad
Instruction Fuzzy Hash: 74518A75604A029FC714DF28C494E9ABBF4FF49314F14855EE99A8B3A2DB30ED44CBA1

Function 00522622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0052271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00522724
UnhandledExceptionFilter.KERNEL32(?), ref: 00522731

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 5f3ac67ac2b16c96ce179e3cf6e504181ac2920374eb19d071f34c50285c3449
Instruction ID: 125cdfa55fdf15b27a3427c83d977b2fe0c65d7f3bd10716ddb1ea9962d295ee
Opcode Fuzzy Hash: 5f3ac67ac2b16c96ce179e3cf6e504181ac2920374eb19d071f34c50285c3449
Instruction Fuzzy Hash: 6A31C574901229ABCB21DF64D8887DDBBB8BF18310F5051DAE81CA62A0E7709F858F44

Function 005651CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005651DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00565238
SetErrorMode.KERNEL32(00000000), ref: 005652A1

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: e309d0ea7dfd5c13e8506a15fadc3f6279af5754b39747c3eb305357565383b9
Instruction ID: 7e37c8c16acd6de7e500b7ec722c9edb433b00313034b074a5b3e69adb1140c5
Opcode Fuzzy Hash: e309d0ea7dfd5c13e8506a15fadc3f6279af5754b39747c3eb305357565383b9
Instruction Fuzzy Hash: 82315075A00518DFDB00DF55D8D4EADBBB4FF48318F048099E905AB392DB35E859CB61

Function 005516C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0050FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00510668
Part of subcall function 0050FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00510685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0055170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0055173A
GetLastError.KERNEL32 ref: 0055174A

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: c50189416da97c85ff4a2263f61247407f1585d3cc73671b8d50ec472801daa8
Instruction ID: 38c410f6f81f2aa1b49683e34f2d4a5bff4286268f26ea03598439b8eb367895
Opcode Fuzzy Hash: c50189416da97c85ff4a2263f61247407f1585d3cc73671b8d50ec472801daa8
Instruction Fuzzy Hash: 801131B2400305AFD3289F64EC8AE6FBFB9FB44710B20842EE45253281EB30BC458B20

Function 0055D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0055D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0055D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0055D650

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 8c67e1cc18d603d35a88a3ba19ba89c4e18345e9b5e9af52980658b288041a7c
Instruction ID: 2d179b7523f86470893b6af9c15fd193750051987ab0fe92abccd16544b5097f
Opcode Fuzzy Hash: 8c67e1cc18d603d35a88a3ba19ba89c4e18345e9b5e9af52980658b288041a7c
Instruction Fuzzy Hash: 3D113C76E05228BBDB208F959C45FAFBFBCEB45B50F108156FD04E7290D6704A059BA1

Function 00551663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0055168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 005516A1
FreeSid.ADVAPI32(?), ref: 005516B1

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 8ab25ee6d9d8e3331b2f79199d1ed7624a7957b660d72f7c42a42353895ea2fd
Instruction ID: 727d2a06b86daeb6e9894869cd07f53470f43b996da0c9e1405862433dffa455
Opcode Fuzzy Hash: 8ab25ee6d9d8e3331b2f79199d1ed7624a7957b660d72f7c42a42353895ea2fd
Instruction Fuzzy Hash: E3F04471940308FBDB00CFE09C89EAEBBBCFB08240F104461E900E2180E330AA089B60

Function 0051CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: d28e11acbf6a6ba890ff45c684f0cbf64fa0f452e25c032f6bddcc69b4285617
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 8B020B71E402199BDF14CFA9D8806EDBFB5FF88314F254669D819EB280D731AD418B94

Function 004FCAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#\, xrefs: 004FCF7F
Variable is not of type 'Object'., xrefs: 00540C40

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#\
API String ID: 0-856599282
Opcode ID: 6e225580b3f6c8511306896db72fced0718b63b0a9c0bc5d4e1298151a318fce
Instruction ID: 3d664b15d03af2ef92e4330cd6ad0f41ace81a038a63c644cd840db5610adc31
Opcode Fuzzy Hash: 6e225580b3f6c8511306896db72fced0718b63b0a9c0bc5d4e1298151a318fce
Instruction Fuzzy Hash: C1328E7090021DDBCF14DF90CA85AFDBBB5FF04308F24405AEA06AB291D779AD46DB65

Function 005668EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00566918
FindClose.KERNEL32(00000000), ref: 00566961

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: b5ba9897e04eca03d5d8c67e5864720aee34e83e5e7e71bd3463d2900358b59c
Instruction ID: d04006ffa955d88646f53acea96fad26b4318185fe53f47fdb791e71216f6588
Opcode Fuzzy Hash: b5ba9897e04eca03d5d8c67e5864720aee34e83e5e7e71bd3463d2900358b59c
Instruction Fuzzy Hash: BB11D0356042059FC710CF2AC484A26BBE4FF84328F04C69DE86A8F6A2C734EC05CBA1

Function 005637B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00574891,?,?,00000035,?), ref: 005637E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00574891,?,?,00000035,?), ref: 005637F4

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 901cfc459a0619a65df2fe487b254d9ec92966a09c7504fc459039b3f3075614
Instruction ID: 5bdfa9813a393db18d84b447858abe6a9a68c48e9da2f6468916b3cc93045b5e
Opcode Fuzzy Hash: 901cfc459a0619a65df2fe487b254d9ec92966a09c7504fc459039b3f3075614
Instruction Fuzzy Hash: 4CF0E5B06042292AE72057769C4DFEB3FAEEFC4761F000165F509E3281DA709E08C7B0

Function 0055B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0055B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0055B270

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: bcc8506a8a4ccb3dc3f26727125661cd1c5ef227069a129c513e0596c7113bed
Instruction ID: 50f38cbf51f235315015f8e156a5564a5b6091a781f32c4676aad6c3ec31151d
Opcode Fuzzy Hash: bcc8506a8a4ccb3dc3f26727125661cd1c5ef227069a129c513e0596c7113bed
Instruction Fuzzy Hash: 19F01D7580424DABEF059FA0C805BAE7FB4FF04305F00940AFD55A5191C77986159FA4

Function 005510BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005511FC), ref: 005510D4
CloseHandle.KERNEL32(?,?,005511FC), ref: 005510E9

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: c89ca368bfd33bebc7c5dc8b008b8551c7212a2c24210d7199fe79d2e3b31f6d
Instruction ID: 55fca517204bcf1f3de473feca441caba76fec49d35610c263f1837d4a4d4afa
Opcode Fuzzy Hash: c89ca368bfd33bebc7c5dc8b008b8551c7212a2c24210d7199fe79d2e3b31f6d
Instruction Fuzzy Hash: 5DE04F32004601EFE7252B61FC09E777FA9FB04310B24882EF8A5804F1DB72AC90EB64

Function 0052676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00526766,?,?,00000008,?,?,0052FEFE,00000000), ref: 00526998

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 5735c6b8d07b6dc01538a03640ff1eb5a94e6f746db688e65fa4fc5607ad1419
Instruction ID: 5e9b2390d32cc2002737ff259914b2f4fdd46ecefee6b4216d1c47e29c98a005
Opcode Fuzzy Hash: 5735c6b8d07b6dc01538a03640ff1eb5a94e6f746db688e65fa4fc5607ad1419
Instruction Fuzzy Hash: 6FB126326106189FD719CF28D48AB657FE0FF46364F298658E899CB2E2C735E981CB40

Function 0050B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0054851F

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: fb3ec338bd9b58d09fe2003b3b097d9243b8fa7a911041642adf778958b8b957
Instruction ID: 7810d02313d0877da75020a16ce36474b6257511fc46d7705d388408585b7a72
Opcode Fuzzy Hash: fb3ec338bd9b58d09fe2003b3b097d9243b8fa7a911041642adf778958b8b957
Instruction Fuzzy Hash: 7F124F759002299BDF24CF58C8806FEBBF5FF48714F14859AE849EB295DB349E81CB90

Function 0056EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0056EABD

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 95ac85ba448378a2fc3bcf5329e4bdf3d51fcbf8c6c5303ac0cfaedc685ce9ae
Instruction ID: 1df2e6c93890ce5c2c3f000b5c768f8e59c853b898c8a57e9afcb58b9e0010da
Opcode Fuzzy Hash: 95ac85ba448378a2fc3bcf5329e4bdf3d51fcbf8c6c5303ac0cfaedc685ce9ae
Instruction Fuzzy Hash: CCE048352002049FC710DF9AD445D5AFBD9FF59764F00841AFD45D7351D774E8408BA1

Function 005109D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,005103EE), ref: 005109DA

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 106a2db3b86a3cf661ecdbee02ab460a9eb2dd11395c310717ebe81f5c1cb449
Instruction ID: 306917d2c7110a2784015172e7b02c8ce4bf165e56e6fea7fd828cf5a91b763e
Opcode Fuzzy Hash: 106a2db3b86a3cf661ecdbee02ab460a9eb2dd11395c310717ebe81f5c1cb449
Instruction Fuzzy Hash:

Function 0051781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0051798B

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 086e08a61e4b734b7ddf22edbc55a9a81b4bd125a9a8e96bd5a0e2bcef22e142
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 6751686160C60E7BFB38552C885D7FE2FB9BB5E340F180909E882D7282C615DECAD356

Function 00562046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&\, xrefs: 00562053

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID: 0&\
API String ID: 0-2049548921
Opcode ID: 50e7a0dc6b188c77bd6cf3dbf9a064542e235aed4876f65ffbf7b66307dda6c5
Instruction ID: a80ca7d95e4c498576f3a3afff1382395d4e7093bac71858b085d65ea63e959c
Opcode Fuzzy Hash: 50e7a0dc6b188c77bd6cf3dbf9a064542e235aed4876f65ffbf7b66307dda6c5
Instruction Fuzzy Hash: 7A21D8322209158BD728CF79C81767A77E5B764320F14862EE4A7C33D0DE35A944D750

Function 00526DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6fceacffc98bd44506886070a8b3e3812551ab4eae7fd5e0390d91affe98c49
Instruction ID: c24fe40d2ef066d89852fc5342de15b3f80cecda8de7b0818145755a714afa4f
Opcode Fuzzy Hash: f6fceacffc98bd44506886070a8b3e3812551ab4eae7fd5e0390d91affe98c49
Instruction Fuzzy Hash: 99324531D29F154ED7239634D862335AA8CBFBB3C5F15C737E81AB59A6EB28C4835140

Function 0050CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86ee2720cb9d1c3b8caf3bd3f366d662a3e7e6b045d97cd9a2c7ad2bb41e3f99
Instruction ID: 7c0fa8a816b4cef4998cb3d260f7980fed130c66be24be43f202af6daf81673a
Opcode Fuzzy Hash: 86ee2720cb9d1c3b8caf3bd3f366d662a3e7e6b045d97cd9a2c7ad2bb41e3f99
Instruction Fuzzy Hash: 04321531A011558BDF68CF29C4D46FD7FA1FBC6308F29866AD46A9B6D2D230DD81DB40

Function 004F7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e7d4897aa780e6e7701b9694dc9cbb44c8066a3959c44e172cdac8ea842c08b
Instruction ID: 5e8ec002c85887839be9a644e5f343fea2dd7cbb36618b0e50ad0e58eb10d5e5
Opcode Fuzzy Hash: 8e7d4897aa780e6e7701b9694dc9cbb44c8066a3959c44e172cdac8ea842c08b
Instruction Fuzzy Hash: 6822D3B0A0060ADFDF14CF65C841ABEBBF6FF44304F10462AE816A7291EB39AD55CB55

Function 004F91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d640ba15f7505f2ca47da923bfc1f85dfb8e4a303a416b7080960b37b95abdc
Instruction ID: 3cec12e546cd06e830e659d8162d3a7eaa08ff90066870eb0a12f69d98e21e4d
Opcode Fuzzy Hash: 1d640ba15f7505f2ca47da923bfc1f85dfb8e4a303a416b7080960b37b95abdc
Instruction Fuzzy Hash: 7302F7B0E0010AEBDF04DF54D886AAEBBF5FF44300F118569E9069B2D1EB35AE51CB95

Function 00529EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945ebb52f888c10c3d06f2e0605a2182d302fa45f4b154dd7a22b3f53a1e1607
Instruction ID: cf012324bc4cbc55fa8bd81b25cc072f36c6d68ea60d27e52a162f7483d4b608
Opcode Fuzzy Hash: 945ebb52f888c10c3d06f2e0605a2182d302fa45f4b154dd7a22b3f53a1e1607
Instruction Fuzzy Hash: EDB13420D2AF508DD32396398831336BA4CBFBB6C5F92DB1BFC1674D62EB2185879140

Function 00511C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 9c0d328e2d3c23ffa0935ee8ce228ebce553c421d0f0b2e6254ed0164b5e923c
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: D49189722084A34AFB29467E95740BEFFE17A923A131A0BDDD5F2CA1C1FE14C9D4D624

Function 00511F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: eedee4273e608ca8f15ef2a0e32bb6b8477093d155fccb4eda4755c37dc458e8
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: B7918A722094E34AF76D823984780BDFFE16A923A171A07DDD5F2CB1C5EE24C9E4D620

Function 005119B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: a360573c14f9f5609691cfb49f52d29809ea8dd2fe21bd6448a8ffe05aa1b668
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: C791767220D8A34AFB2D427A85740BDFFE16A923A171A0BDDD5F2CA1C1FE14C9D4D624

Function 00517A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8186835c186e524b2de7bef5876e9fed50f5aafe3f71712f2140876f46cc0b13
Instruction ID: 125c189becc9b84b9963ddf37d3ab6187d50b6cc3f5a574eef4ddbe4b5ce3110
Opcode Fuzzy Hash: 8186835c186e524b2de7bef5876e9fed50f5aafe3f71712f2140876f46cc0b13
Instruction Fuzzy Hash: BD61276160C70E56FA34992C8899BFE6FB5FF8D704F240D19E842DB281EB119EC2C355

Function 00517CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56eeaf69445b710251af0ec50107b800ef3ddbf7c44f480b4f5909e0b65e16f0
Instruction ID: f73e9e9bf86a45775cebe27063047d0afd926e3852f2dc4fd73be2fe6b29dfcd
Opcode Fuzzy Hash: 56eeaf69445b710251af0ec50107b800ef3ddbf7c44f480b4f5909e0b65e16f0
Instruction Fuzzy Hash: DD61476120C60E56FA385A3C6855BFE2FF8BF8E704F140A59E942DB281DA12ADC28255

Function 00511706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 30a39975a915a35087dbf166de175157a04e1a465eaa1a2155836e99b125ac48
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: B38186326094A309FB6D423E85744BEFFE17A923A131A47DDD5F2CB1C1EE24C994D624

Function 00572ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00572B30
DeleteObject.GDI32(00000000), ref: 00572B43
DestroyWindow.USER32 ref: 00572B52
GetDesktopWindow.USER32 ref: 00572B6D
GetWindowRect.USER32(00000000), ref: 00572B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00572CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00572CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00572CF8
GetClientRect.USER32(00000000,?), ref: 00572D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00572D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00572D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00572D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00572D80
GlobalLock.KERNEL32(00000000), ref: 00572D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00572D98
GlobalUnlock.KERNEL32(00000000), ref: 00572DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00572DA8
GlobalFree.KERNEL32(00000000), ref: 00572DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00572DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0058FC38,00000000), ref: 00572DDB
GlobalFree.KERNEL32(00000000), ref: 00572DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00572E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00572E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00572E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0057303F

Strings

DISPLAY, xrefs: 00572EA2
static, xrefs: 00572D3A, 00572E91
AutoIt v3, xrefs: 00572CF2
, xrefs: 00572FC5

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 725c5e7fb5d8c8846d38c545ff46ba9a3112a0ab2061161f09de8a0c6730631b
Instruction ID: bbfe4691f67fae53626a7bcbc6aa04da8d6b7563fb061073c1092ef81b999eb9
Opcode Fuzzy Hash: 725c5e7fb5d8c8846d38c545ff46ba9a3112a0ab2061161f09de8a0c6730631b
Instruction Fuzzy Hash: 42028971900208AFDB14DF64DC89EAE7FB9FB49714F008519F919AB2A1DB74ED04DB60

Function 005870D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0058712F
GetSysColorBrush.USER32(0000000F), ref: 00587160
GetSysColor.USER32(0000000F), ref: 0058716C
SetBkColor.GDI32(?,000000FF), ref: 00587186
SelectObject.GDI32(?,?), ref: 00587195
InflateRect.USER32(?,000000FF,000000FF), ref: 005871C0
GetSysColor.USER32(00000010), ref: 005871C8
CreateSolidBrush.GDI32(00000000), ref: 005871CF
FrameRect.USER32(?,?,00000000), ref: 005871DE
DeleteObject.GDI32(00000000), ref: 005871E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00587230
FillRect.USER32(?,?,?), ref: 00587262
GetWindowLongW.USER32(?,000000F0), ref: 00587284

Part of subcall function 005873E8: GetSysColor.USER32(00000012), ref: 00587421
Part of subcall function 005873E8: SetTextColor.GDI32(?,?), ref: 00587425
Part of subcall function 005873E8: GetSysColorBrush.USER32(0000000F), ref: 0058743B
Part of subcall function 005873E8: GetSysColor.USER32(0000000F), ref: 00587446
Part of subcall function 005873E8: GetSysColor.USER32(00000011), ref: 00587463
Part of subcall function 005873E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00587471
Part of subcall function 005873E8: SelectObject.GDI32(?,00000000), ref: 00587482
Part of subcall function 005873E8: SetBkColor.GDI32(?,00000000), ref: 0058748B
Part of subcall function 005873E8: SelectObject.GDI32(?,?), ref: 00587498
Part of subcall function 005873E8: InflateRect.USER32(?,000000FF,000000FF), ref: 005874B7
Part of subcall function 005873E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005874CE
Part of subcall function 005873E8: GetWindowLongW.USER32(00000000,000000F0), ref: 005874DB

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 6522072fae37441a09033a5a95ca57918b86f872034a0a089b073f281e0057e6
Instruction ID: 1494d040624d8fd7d4d17102c9ffa35ea2dc20279e087291377b247b6adce027
Opcode Fuzzy Hash: 6522072fae37441a09033a5a95ca57918b86f872034a0a089b073f281e0057e6
Instruction Fuzzy Hash: 58A1A172008305AFDB00AF64DC48E5B7FA9FF99320F201A19FD62A61E1D731E948DB61

Function 00508D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00508E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00546AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00546AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00546F43

Part of subcall function 00508F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00508BE8,?,00000000,?,?,?,?,00508BBA,00000000,?), ref: 00508FC5

SendMessageW.USER32(?,00001053), ref: 00546F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00546F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00546FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00546FB7

Strings

0, xrefs: 00546DCF

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 2990dc3628944cd732639bc4e6ec3951574d36625858f432fbb2bac03365af6b
Instruction ID: 59e643af14b9b19bb9fa590f839974e9668460f12cd6cdaa446591eba5309df9
Opcode Fuzzy Hash: 2990dc3628944cd732639bc4e6ec3951574d36625858f432fbb2bac03365af6b
Instruction Fuzzy Hash: D7129B30600601EFDB25CF14C888FBABFE9FB56304F184469E5859B2A2CB31EC55EB52

Function 00572711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0057273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0057286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 005728A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 005728B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00572900
GetClientRect.USER32(00000000,?), ref: 0057290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00572955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00572964
GetStockObject.GDI32(00000011), ref: 00572974
SelectObject.GDI32(00000000,00000000), ref: 00572978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00572988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00572991
DeleteDC.GDI32(00000000), ref: 0057299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 005729C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 005729DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00572A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00572A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00572A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00572A77
GetStockObject.GDI32(00000011), ref: 00572A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00572A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00572A97

Strings

DISPLAY, xrefs: 0057295A
static, xrefs: 0057294F, 00572A71
msctls_progress32, xrefs: 00572A13
AutoIt v3, xrefs: 005728F8

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: bccc4ccaabc2d908c4cf877bfba649baf06854a3009f480614dd3f36e4a7d6b8
Instruction ID: c96318fbd0913d8fa37d4068fc28239dcc34f8655c0a166698e7b3553500aad0
Opcode Fuzzy Hash: bccc4ccaabc2d908c4cf877bfba649baf06854a3009f480614dd3f36e4a7d6b8
Instruction Fuzzy Hash: 53B1AB71A00609AFEB14CF68DC89EAE7BB9FB08714F008519FA14E7291D774ED04DBA4

Function 00564ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00564AED
GetDriveTypeW.KERNEL32(?,0058CB68,?,\\.\,0058CC08), ref: 00564BCA
SetErrorMode.KERNEL32(00000000,0058CB68,?,\\.\,0058CC08), ref: 00564D36

Strings

ATA, xrefs: 00564C98
Virtual, xrefs: 00564CE5
SSA, xrefs: 00564CA6
SSD, xrefs: 00564C4A
MMC, xrefs: 00564CDE
\\.\, xrefs: 00564B3F
SAS, xrefs: 00564CC9
FileBackedVirtual, xrefs: 00564CEC
Fibre, xrefs: 00564CAD
Removable, xrefs: 00564C10, 00564C15
Network, xrefs: 00564C02
RAID, xrefs: 00564CBB
SATA, xrefs: 00564CD0
CDROM, xrefs: 00564BFB
iSCSI, xrefs: 00564CC2
Fixed, xrefs: 00564C09
Unknown, xrefs: 00564BED, 00564C83
RAMDisk, xrefs: 00564BF4
1394, xrefs: 00564C9F
ATAPI, xrefs: 00564C91
PhysicalDrive, xrefs: 00564B76
USB, xrefs: 00564CB4
SCSI, xrefs: 00564C8A

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: ab83aea665890af6b409d5ed8bbf296eaa298125b09a75fb52a0580061f7fd5b
Instruction ID: abdd9e493615c8b156ab474982c61aa77b225ac8f769d5e59f4e09800ef7c190
Opcode Fuzzy Hash: ab83aea665890af6b409d5ed8bbf296eaa298125b09a75fb52a0580061f7fd5b
Instruction Fuzzy Hash: 9561BF7170520A9FDB14DF28CA829B97FB0BF44344B24881AF806AB791DB3AED41DF51

Function 005873E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00587421
SetTextColor.GDI32(?,?), ref: 00587425
GetSysColorBrush.USER32(0000000F), ref: 0058743B
GetSysColor.USER32(0000000F), ref: 00587446
CreateSolidBrush.GDI32(?), ref: 0058744B
GetSysColor.USER32(00000011), ref: 00587463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00587471
SelectObject.GDI32(?,00000000), ref: 00587482
SetBkColor.GDI32(?,00000000), ref: 0058748B
SelectObject.GDI32(?,?), ref: 00587498
InflateRect.USER32(?,000000FF,000000FF), ref: 005874B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005874CE
GetWindowLongW.USER32(00000000,000000F0), ref: 005874DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0058752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00587554
InflateRect.USER32(?,000000FD,000000FD), ref: 00587572
DrawFocusRect.USER32(?,?), ref: 0058757D
GetSysColor.USER32(00000011), ref: 0058758E
SetTextColor.GDI32(?,00000000), ref: 00587596
DrawTextW.USER32(?,005870F5,000000FF,?,00000000), ref: 005875A8
SelectObject.GDI32(?,?), ref: 005875BF
DeleteObject.GDI32(?), ref: 005875CA
SelectObject.GDI32(?,?), ref: 005875D0
DeleteObject.GDI32(?), ref: 005875D5
SetTextColor.GDI32(?,?), ref: 005875DB
SetBkColor.GDI32(?,?), ref: 005875E5

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: e2fe7402149a50835ef8b474e2998c17c8b8137dd7c1e9e80d816ab1412d0cb1
Instruction ID: b635b8c66577df2e196505c068f638275697f09e310577eb4aff8e614c734e25
Opcode Fuzzy Hash: e2fe7402149a50835ef8b474e2998c17c8b8137dd7c1e9e80d816ab1412d0cb1
Instruction Fuzzy Hash: A0615D72900218AFDF01AFA4DC49EAE7FB9FB08320F215515FD15BB2A1D7749940DBA0

Function 00580FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00581128
GetDesktopWindow.USER32 ref: 0058113D
GetWindowRect.USER32(00000000), ref: 00581144
GetWindowLongW.USER32(?,000000F0), ref: 00581199
DestroyWindow.USER32(?), ref: 005811B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 005811ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0058120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0058121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00581232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00581245
IsWindowVisible.USER32(00000000), ref: 005812A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 005812BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 005812D0
GetWindowRect.USER32(00000000,?), ref: 005812E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0058130E
GetMonitorInfoW.USER32(00000000,?), ref: 00581328
CopyRect.USER32(?,?), ref: 0058133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 005813AA

Strings

(, xrefs: 0058131B
0, xrefs: 005810D3
tooltips_class32, xrefs: 005811E6

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 58c2ab1fc626194ab36d0b04000afd8c8a1df2da4e4b80165153ad61eed0dfdb
Instruction ID: f4507934843dcfdd9400fe17f2d55cae5e0ccc6125893996c40aeae0caf64900
Opcode Fuzzy Hash: 58c2ab1fc626194ab36d0b04000afd8c8a1df2da4e4b80165153ad61eed0dfdb
Instruction Fuzzy Hash: E7B18F71604741AFD700DF65C888B6ABFE8FF84354F00891DF99AAB261DB31E845CBA5

Function 00580241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 005802E5
_wcslen.LIBCMT ref: 0058031F
_wcslen.LIBCMT ref: 00580389
_wcslen.LIBCMT ref: 005803F1
_wcslen.LIBCMT ref: 00580475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 005804C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00580504

Part of subcall function 0050F9F2: _wcslen.LIBCMT ref: 0050F9FD

Part of subcall function 0055223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00552258
Part of subcall function 0055223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0055228A

Strings

GETSUBITEMCOUNT, xrefs: 00580384, 0058039F
GETSELECTEDCOUNT, xrefs: 00580470, 0058048B
VIEWCHANGE, xrefs: 00580675
SELECT, xrefs: 00580548
GETTEXT, xrefs: 005803EC, 00580407
GETSELECTED, xrefs: 005805E1
SELECTCLEAR, xrefs: 0058052D
SELECTINVERT, xrefs: 0058057E
SELECTALL, xrefs: 00580515
GETITEMCOUNT, xrefs: 00580316, 00580337
ISSELECTED, xrefs: 005804DD
FINDITEM, xrefs: 00580627
DESELECT, xrefs: 0058059C

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 5fd080525d0c3fadb134f19d87d40cebf4b0af2879ea46f561e70a0c22fb0646
Instruction ID: 7bafc90c196e7423504a117b36408cd9710611ddd8b73524445f07f8c1ead7a3
Opcode Fuzzy Hash: 5fd080525d0c3fadb134f19d87d40cebf4b0af2879ea46f561e70a0c22fb0646
Instruction Fuzzy Hash: CEE1BD312082059FCB54EF25C45183ABBE2BFC8358B14596DFC96AB2E1DB34ED49CB91

Function 00508891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00508968
GetSystemMetrics.USER32(00000007), ref: 00508970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0050899B
GetSystemMetrics.USER32(00000008), ref: 005089A3
GetSystemMetrics.USER32(00000004), ref: 005089C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 005089E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 005089F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00508A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00508A3C
GetClientRect.USER32(00000000,000000FF), ref: 00508A5A
GetStockObject.GDI32(00000011), ref: 00508A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00508A81

Part of subcall function 0050912D: GetCursorPos.USER32(?), ref: 00509141
Part of subcall function 0050912D: ScreenToClient.USER32(00000000,?), ref: 0050915E
Part of subcall function 0050912D: GetAsyncKeyState.USER32(00000001), ref: 00509183
Part of subcall function 0050912D: GetAsyncKeyState.USER32(00000002), ref: 0050919D

SetTimer.USER32(00000000,00000000,00000028,005090FC), ref: 00508AA8

Strings

AutoIt v3 GUI, xrefs: 00508A20

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 0e3bd22a1f5efaab04ea2ffe4f6bd99f874f00a6e7980f52658f1579c4f9ccec
Instruction ID: 578b379737658c818a38a3891e20c6e24ce9840c99875cfdfc772fb2456fb907
Opcode Fuzzy Hash: 0e3bd22a1f5efaab04ea2ffe4f6bd99f874f00a6e7980f52658f1579c4f9ccec
Instruction Fuzzy Hash: 5CB16871A0020A9FDF14DFA8CC49FAE3FA5FB49314F104629FA15A7290DB74E840DB65

Function 00550D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005510F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00551114
Part of subcall function 005510F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00550B9B,?,?,?), ref: 00551120
Part of subcall function 005510F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00550B9B,?,?,?), ref: 0055112F
Part of subcall function 005510F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00550B9B,?,?,?), ref: 00551136
Part of subcall function 005510F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0055114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00550DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00550E29
GetLengthSid.ADVAPI32(?), ref: 00550E40
GetAce.ADVAPI32(?,00000000,?), ref: 00550E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00550E96
GetLengthSid.ADVAPI32(?), ref: 00550EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00550EB5
HeapAlloc.KERNEL32(00000000), ref: 00550EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00550EDD
CopySid.ADVAPI32(00000000), ref: 00550EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00550F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00550F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00550F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00550F6E
HeapFree.KERNEL32(00000000), ref: 00550F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00550F7E
HeapFree.KERNEL32(00000000), ref: 00550F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00550F8E
HeapFree.KERNEL32(00000000), ref: 00550F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00550FA1
HeapFree.KERNEL32(00000000), ref: 00550FA8

Part of subcall function 00551193: GetProcessHeap.KERNEL32(00000008,00550BB1,?,00000000,?,00550BB1,?), ref: 005511A1
Part of subcall function 00551193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00550BB1,?), ref: 005511A8
Part of subcall function 00551193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00550BB1,?), ref: 005511B7

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 5b75120dbce42a3f9311cb501d3cfeedefc3d704784644980b58e8985d887d96
Instruction ID: e8b3512bf88941d0e66f2c0694e97605ff2cfbbee53337223d64fe05573d9cef
Opcode Fuzzy Hash: 5b75120dbce42a3f9311cb501d3cfeedefc3d704784644980b58e8985d887d96
Instruction Fuzzy Hash: DC71487290020AEBDB209FA4DC89BAEBFB8BF14342F145116ED19B6191D7319A09CB70

Function 0057C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0057C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0058CC08,00000000,?,00000000,?,?), ref: 0057C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0057C5A4
_wcslen.LIBCMT ref: 0057C5F4
_wcslen.LIBCMT ref: 0057C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0057C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0057C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0057C84D
RegCloseKey.ADVAPI32(?), ref: 0057C881
RegCloseKey.ADVAPI32(00000000), ref: 0057C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0057C960

Strings

REG_MULTI_SZ, xrefs: 0057C6F5
REG_SZ, xrefs: 0057C644
REG_BINARY, xrefs: 0057C913
REG_DWORD, xrefs: 0057C804
REG_QWORD, xrefs: 0057C8C3
REG_EXPAND_SZ, xrefs: 0057C5CD

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: da167af0fdf5be68abe8e88f572981a3fe92876544bb087dbcd7e3a0f457e1dc
Instruction ID: 639884e61fdb83abf5ab008975249f0d9fdec3260f4efcfd6322ab869e41607f
Opcode Fuzzy Hash: da167af0fdf5be68abe8e88f572981a3fe92876544bb087dbcd7e3a0f457e1dc
Instruction Fuzzy Hash: 18127831204201AFDB14DF15D885A2ABBE5FF88358F04885DF98A9B3A2DB35FC45DB85

Function 0058091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 005809C6
_wcslen.LIBCMT ref: 00580A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00580A54
_wcslen.LIBCMT ref: 00580A8A
_wcslen.LIBCMT ref: 00580B06
_wcslen.LIBCMT ref: 00580B81

Part of subcall function 0050F9F2: _wcslen.LIBCMT ref: 0050F9FD

Part of subcall function 00552BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00552BFA

Strings

UNCHECK, xrefs: 00580D3E
CHECK, xrefs: 00580A85, 00580AA0
GETITEMCOUNT, xrefs: 00580C1E
GETTOTALCOUNT, xrefs: 005809F2, 00580A17
EXISTS, xrefs: 00580B7C, 00580B97
EXPAND, xrefs: 00580BF8
COLLAPSE, xrefs: 00580B01, 00580B1C
SELECT, xrefs: 00580D11
GETTEXT, xrefs: 00580C97
GETSELECTED, xrefs: 00580C4E
ISCHECKED, xrefs: 00580CE1

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: be35b8f69c470c4394506eff390201a59faf313140a224d5b60e22fd2bfe4142
Instruction ID: d8c13c359d4ea6e2df8c9fad8b33dc3f0fb82d427809855e3bae1af2811dd4d9
Opcode Fuzzy Hash: be35b8f69c470c4394506eff390201a59faf313140a224d5b60e22fd2bfe4142
Instruction Fuzzy Hash: 55E1AA312083029FC754EF25C45196EBBE1BF98358F14995DF896AB3A2DB30ED49CB81

Function 0057C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0057B6AE,?,?), ref: 0057C9B5
_wcslen.LIBCMT ref: 0057C9F1
_wcslen.LIBCMT ref: 0057CA68
_wcslen.LIBCMT ref: 0057CA9E
_wcslen.LIBCMT ref: 0057CAF9
_wcslen.LIBCMT ref: 0057CB2F
_wcslen.LIBCMT ref: 0057CB7F

Strings

HKCC, xrefs: 0057CBAC
HKEY_CLASSES_ROOT, xrefs: 0057CAF3, 0057CAF8
HKEY_LOCAL_MACHINE, xrefs: 0057CA62, 0057CA67
HKEY_CURRENT_USER, xrefs: 0057CBBD
HKCR, xrefs: 0057CB29, 0057CB2E
HKCU, xrefs: 0057CBCE
HKEY_CURRENT_CONFIG, xrefs: 0057CB79, 0057CB7E
HKU, xrefs: 0057CBF0
HKEY_USERS, xrefs: 0057CBDF
HKLM, xrefs: 0057CA98, 0057CA9D

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 0b4d25b5260cd80bb013cbf4fca16dbf60fbdab22656f487c73623598bfd0972
Instruction ID: 795f0919b22fdc69ce3c4e789ffbd221f5bd39084191ee1705772777b873e531
Opcode Fuzzy Hash: 0b4d25b5260cd80bb013cbf4fca16dbf60fbdab22656f487c73623598bfd0972
Instruction Fuzzy Hash: E671173261012B8BCB20DE7CE8415FE3F95BBA4754B65852CF86E97284EA30DD84E390

Function 0058833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0058835A
_wcslen.LIBCMT ref: 0058836E
_wcslen.LIBCMT ref: 00588391
_wcslen.LIBCMT ref: 005883B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 005883F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00585BF2), ref: 0058844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00588487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 005884CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00588501
FreeLibrary.KERNEL32(?), ref: 0058850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0058851D
DestroyIcon.USER32(?,?,?,?,?,00585BF2), ref: 0058852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00588549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00588555

Strings

.exe, xrefs: 00588388
.icl, xrefs: 00588368
.dll, xrefs: 005883AB

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: a7d777b8b2838e2c4e84804e4718e2ddfa1b4eeedf77f78294f161f9b845c951
Instruction ID: 1f83270afc5b31c5a40ea970c767637fbd0355f559ebdd6601eb09f8d93dc174
Opcode Fuzzy Hash: a7d777b8b2838e2c4e84804e4718e2ddfa1b4eeedf77f78294f161f9b845c951
Instruction Fuzzy Hash: 6661D07250020ABAEB14EF64CC85BFE7BA8FF48711F504609FD15E61D1DB74A984DBA0

Function 004F7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

Unterminated group of comments, xrefs: 0053528C
#comments-start, xrefs: 004F785F, 004F78B1
#pragma compile, xrefs: 004F77D3
#notrayicon, xrefs: 004F77E7
', xrefs: 00535169
#ce, xrefs: 004F78ED
#requireadmin, xrefs: 004F77FF
#OnAutoItStartRegister, xrefs: 004F7817
", xrefs: 00535153
#include-once, xrefs: 004F782F
#include, xrefs: 004F7847
Bad directive syntax error, xrefs: 0053519A
#cs, xrefs: 004F7873, 004F78C5
#comments-end, xrefs: 004F78D9
Cannot parse #include, xrefs: 00535279

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 253f9c8d02473528b4fc71115fc684987409eb457be32cbc3ffb573f95ad3ebf
Instruction ID: 5fb17b156f1ea2fbf15d62a2342c937f9929ea4cacd7625c59cd08175db9a0e1
Opcode Fuzzy Hash: 253f9c8d02473528b4fc71115fc684987409eb457be32cbc3ffb573f95ad3ebf
Instruction Fuzzy Hash: D681DB7160460ABBEB21BF60CC46FBF3FA8BF55340F044025FA05AA196EB78D951C7A5

Function 00563E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00563EF8
_wcslen.LIBCMT ref: 00563F03
_wcslen.LIBCMT ref: 00563F5A
_wcslen.LIBCMT ref: 00563F98
GetDriveTypeW.KERNEL32(?), ref: 00563FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0056401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00564059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00564087

Strings

open, xrefs: 00563F54, 00563F59
open , xrefs: 00563FE5
type cdaudio alias cd wait, xrefs: 00564001
close, xrefs: 00563EFE, 00563F18
wait, xrefs: 00564044
closed, xrefs: 00563F08, 00563F2D, 00563F46, 00563F7E, 00563F97
set cd door , xrefs: 00564028
close cd wait, xrefs: 00564072

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 4324d130f047bb48ae519cf7a6f88d0de859216d3781890ca53f780a17dec631
Instruction ID: 936635a883557cac9de792580a2aabfffb33282c68d91ef7104077e329383435
Opcode Fuzzy Hash: 4324d130f047bb48ae519cf7a6f88d0de859216d3781890ca53f780a17dec631
Instruction Fuzzy Hash: 5F71D2326042169FC310EF25C8818BABBF4FF94768F10492DF99597291EB39ED49CB51

Function 00555A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00555A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00555A40
SetWindowTextW.USER32(?,?), ref: 00555A57
GetDlgItem.USER32(?,000003EA), ref: 00555A6C
SetWindowTextW.USER32(00000000,?), ref: 00555A72
GetDlgItem.USER32(?,000003E9), ref: 00555A82
SetWindowTextW.USER32(00000000,?), ref: 00555A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00555AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00555AC3
GetWindowRect.USER32(?,?), ref: 00555ACC
_wcslen.LIBCMT ref: 00555B33
SetWindowTextW.USER32(?,?), ref: 00555B6F
GetDesktopWindow.USER32 ref: 00555B75
GetWindowRect.USER32(00000000), ref: 00555B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00555BD3
GetClientRect.USER32(?,?), ref: 00555BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00555C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00555C2F

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: eda6efc24bcae25fd7c42fb223a14bb174c1dfb3f8882587fb523fd6634b1587
Instruction ID: 7e63453b39afe99209650ed586d64b244511bbe35e1216d81141d27ac7483ece
Opcode Fuzzy Hash: eda6efc24bcae25fd7c42fb223a14bb174c1dfb3f8882587fb523fd6634b1587
Instruction Fuzzy Hash: 6E718031900B059FDB20DFA9CD69A6EBFF5FF48715F100919E942A25A0E774E948CB50

Function 0056FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0056FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0056FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0056FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0056FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0056FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0056FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0056FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0056FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0056FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0056FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0056FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0056FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0056FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0056FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0056FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0056FECC
GetCursorInfo.USER32(?), ref: 0056FEDC
GetLastError.KERNEL32 ref: 0056FF1E

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: e04b1b4fd236ab0a233b2e8aa6284e51db8aa3ba8cda688c098bc754e6cd6762
Instruction ID: 7c02cd48d2abdf59725d8f42343b773a0573110d4bbb6508b74de753c029fe9e
Opcode Fuzzy Hash: e04b1b4fd236ab0a233b2e8aa6284e51db8aa3ba8cda688c098bc754e6cd6762
Instruction Fuzzy Hash: 104124B0D043196ADB10DFBA9C8585EFFE8FF04754B50452AE51DE7281DB789901CF91

Function 005530F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0055318D
_wcslen.LIBCMT ref: 005531F8

Strings

[[, xrefs: 0055339A
TEXT, xrefs: 0055347C
REGEXPCLASS, xrefs: 00553255, 00553266
NAME, xrefs: 00553335, 00553346
INSTANCE, xrefs: 00553453
CLASSNN, xrefs: 005531F3, 00553204
CLASS, xrefs: 00553188, 005531A5

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[[
API String ID: 176396367-478666498
Opcode ID: 01efc1ed3869a616485bb058cee99f8f66592596084f38c49efa2cd03c4ccbe1
Instruction ID: 47fb182f5804c4f7322fa9917e222d69e47cc30f01803daef69936ed5406e1d8
Opcode Fuzzy Hash: 01efc1ed3869a616485bb058cee99f8f66592596084f38c49efa2cd03c4ccbe1
Instruction Fuzzy Hash: 83E1D732A00516ABCF189F74C4657EDBFB0BF54791F54852BE85AA7240EB30AE8DC790

Function 005100C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 005100C6

Part of subcall function 005100ED: InitializeCriticalSectionAndSpinCount.KERNEL32(005C070C,00000FA0,DA737BC7,?,?,?,?,005323B3,000000FF), ref: 0051011C
Part of subcall function 005100ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,005323B3,000000FF), ref: 00510127
Part of subcall function 005100ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,005323B3,000000FF), ref: 00510138
Part of subcall function 005100ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0051014E
Part of subcall function 005100ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0051015C
Part of subcall function 005100ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0051016A
Part of subcall function 005100ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00510195
Part of subcall function 005100ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 005101A0

___scrt_fastfail.LIBCMT ref: 005100E7

Part of subcall function 005100A3: __onexit.LIBCMT ref: 005100A9

Strings

InitializeConditionVariable, xrefs: 00510148
SleepConditionVariableCS, xrefs: 00510154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00510122
WakeAllConditionVariable, xrefs: 00510162
kernel32.dll, xrefs: 00510133

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 414aedcce3681d2d055f38eab5075882a27be3b44decb7248ca2617e2a0b0965
Instruction ID: 7214b2f3ff1f4fab3dcfe755b73f254b80200af5b45fa4a09f9cb7c16ef04e9a
Opcode Fuzzy Hash: 414aedcce3681d2d055f38eab5075882a27be3b44decb7248ca2617e2a0b0965
Instruction Fuzzy Hash: 1B212532681711ABF7106BA4AC4DBAA3FD4FB58B50F002129FD01F62D1DAB49884CBA0

Function 005644C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0058CC08), ref: 00564527
_wcslen.LIBCMT ref: 0056453B
_wcslen.LIBCMT ref: 00564599
_wcslen.LIBCMT ref: 005645F4
_wcslen.LIBCMT ref: 0056463F
_wcslen.LIBCMT ref: 005646A7

Part of subcall function 0050F9F2: _wcslen.LIBCMT ref: 0050F9FD

GetDriveTypeW.KERNEL32(?,005B6BF0,00000061), ref: 00564743

Strings

ramdisk, xrefs: 005646F1
unknown, xrefs: 00564708
removable, xrefs: 005645EA, 005645EF
fixed, xrefs: 00564635, 0056463A
all, xrefs: 00564531, 00564536
network, xrefs: 0056469D, 005646A2
cdrom, xrefs: 0056458F, 00564594

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 4f8cf011032a0db4232f3eb37a5af17ec095562f5e077e1d23bc8fb6ab702638
Instruction ID: c09853269059c1aab425d6054fcba6ec776bec035d12781b7ff83991ee1e53ed
Opcode Fuzzy Hash: 4f8cf011032a0db4232f3eb37a5af17ec095562f5e077e1d23bc8fb6ab702638
Instruction Fuzzy Hash: 31B1CC716083029FC720EF28C890A7ABBE5BFA5764F504A1DF596C7291E734D845CFA2

Function 0058911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00509BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00509BB2

DragQueryPoint.SHELL32(?,?), ref: 00589147

Part of subcall function 00587674: ClientToScreen.USER32(?,?), ref: 0058769A
Part of subcall function 00587674: GetWindowRect.USER32(?,?), ref: 00587710
Part of subcall function 00587674: PtInRect.USER32(?,?,00588B89), ref: 00587720

SendMessageW.USER32(?,000000B0,?,?), ref: 005891B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 005891BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 005891DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00589225
SendMessageW.USER32(?,000000B0,?,?), ref: 0058923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00589255
SendMessageW.USER32(?,000000B1,?,?), ref: 00589277
DragFinish.SHELL32(?), ref: 0058927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00589371

Strings

@GUI_DRAGID, xrefs: 005892E9
@GUI_DRAGFILE, xrefs: 00589320
@GUI_DROPID, xrefs: 0058929E
p#\, xrefs: 005892BB

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#\
API String ID: 221274066-311701890
Opcode ID: cbfff0eb22217967d0bd1c6a6411eb6f8ab6a7e4bf9355463f89d41371e72178
Instruction ID: 297453613279c14f9231f8ff90aaf2085a0e764671f7e19a8d7098adc6e80274
Opcode Fuzzy Hash: cbfff0eb22217967d0bd1c6a6411eb6f8ab6a7e4bf9355463f89d41371e72178
Instruction Fuzzy Hash: D0617A71108305AFC701EF55DC85DABBFE8FF99350F00092EF996A61A1DB309A49CB66

Function 00573FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0058CC08), ref: 005740BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 005740CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0058CC08), ref: 005740F2
FreeLibrary.KERNEL32(00000000,?,0058CC08), ref: 0057413E
StringFromGUID2.OLE32(?,?,00000028,?,0058CC08), ref: 005741A8
SysFreeString.OLEAUT32(00000009), ref: 00574262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 005742C8
SysFreeString.OLEAUT32(?), ref: 005742F2

Strings

kernel32.dll, xrefs: 005740B6
GetModuleHandleExW, xrefs: 005740C7

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 407cb1b4cbe62c6fa125b22cac7cfd47ebba0d92a2f1ef3ebeb9465cd1b8f34b
Instruction ID: 45068e7fdeeffbb6213fb79bae7fe61cc4bef75389d60f1754c95f1436c13851
Opcode Fuzzy Hash: 407cb1b4cbe62c6fa125b22cac7cfd47ebba0d92a2f1ef3ebeb9465cd1b8f34b
Instruction Fuzzy Hash: 84125A75A00119AFDB14CF54D888EAEBBB6FF45304F24C098E909AB251D731ED46DFA0

Function 004F326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(005C1990), ref: 00532F8D
GetMenuItemCount.USER32(005C1990), ref: 0053303D
GetCursorPos.USER32(?), ref: 00533081
SetForegroundWindow.USER32(00000000), ref: 0053308A
TrackPopupMenuEx.USER32(005C1990,00000000,?,00000000,00000000,00000000), ref: 0053309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 005330A9

Strings

0, xrefs: 004F327D

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: f98d089d8e8e7183a768ec4b69100aa5884d97f45e5c9fac49a2abacce62eebc
Instruction ID: b12becd10b0b385cb7d5e09a723501daac3185b65fe4ee1a10376ad2bba81fd7
Opcode Fuzzy Hash: f98d089d8e8e7183a768ec4b69100aa5884d97f45e5c9fac49a2abacce62eebc
Instruction Fuzzy Hash: 8A714A3064060ABEFB259F64CC4EFAABF64FF01764F204216FA246A1E1C7B1AD14DB55

Function 00586CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00586DEB

Part of subcall function 004F6B57: _wcslen.LIBCMT ref: 004F6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00586E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00586E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00586E94
DestroyWindow.USER32(?), ref: 00586EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,004F0000,00000000), ref: 00586EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00586EFD
GetDesktopWindow.USER32 ref: 00586F16
GetWindowRect.USER32(00000000), ref: 00586F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00586F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00586F4D

Part of subcall function 00509944: GetWindowLongW.USER32(?,000000EB), ref: 00509952

Strings

tooltips_class32, xrefs: 00586E58, 00586EDD
0, xrefs: 00586D98

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 119b6afcc6228670b333aaa1f23fc6b7b9e93060f678e4bd8ae864c1e130f508
Instruction ID: 7236fe08f8c3aadb0d14d2ead1541dbf4381203ef2b27af449fac9b832141a5f
Opcode Fuzzy Hash: 119b6afcc6228670b333aaa1f23fc6b7b9e93060f678e4bd8ae864c1e130f508
Instruction Fuzzy Hash: AE715974104244AFDB21DF28D888EAABFE9FB99304F04041DFA99A7261D770E909DB25

Function 0056C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0056C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0056C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0056C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0056C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0056C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0056C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0056C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0056C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0056C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0056C5F0
InternetCloseHandle.WININET(00000000), ref: 0056C5FB

Strings

, xrefs: 0056C575

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 02c76b4243156f32f76f20962d24ed12fd52bb2350450b23a0fe2889b91a0a6c
Instruction ID: 06760862d64b5be3f34b452edf4b5075c09744051fbd157966bebb87d6ca59ab
Opcode Fuzzy Hash: 02c76b4243156f32f76f20962d24ed12fd52bb2350450b23a0fe2889b91a0a6c
Instruction Fuzzy Hash: 2B513CB1600209BFDB219F64CD48ABB7FBCFB28755F00441AF986D7650DB34E948AB60

Function 0058856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00588592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005885A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005885AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005885BA
GlobalLock.KERNEL32(00000000), ref: 005885C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005885D7
GlobalUnlock.KERNEL32(00000000), ref: 005885E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005885E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005885F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0058FC38,?), ref: 00588611
GlobalFree.KERNEL32(00000000), ref: 00588621
GetObjectW.GDI32(?,00000018,?), ref: 00588641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00588671
DeleteObject.GDI32(?), ref: 00588699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 005886AF

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 9fd8ff8c7bf44ed0a538fe9366ad1a7498e477fa2d3aa7fbbe252deda6b96001
Instruction ID: 68adf4142fe9f92b6e1e9d87d4f5323a21c1f3068f0e669af7142356b47ae068
Opcode Fuzzy Hash: 9fd8ff8c7bf44ed0a538fe9366ad1a7498e477fa2d3aa7fbbe252deda6b96001
Instruction Fuzzy Hash: 4E41E875600204AFDB119FA5DC88EAA7FB9FF99B11F144058FD46E72A0DB309905DB60

Function 005614BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00561502
VariantCopy.OLEAUT32(?,?), ref: 0056150B
VariantClear.OLEAUT32(?), ref: 00561517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 005615FB
VarR8FromDec.OLEAUT32(?,?), ref: 00561657
VariantInit.OLEAUT32(?), ref: 00561708
SysFreeString.OLEAUT32(?), ref: 0056178C
VariantClear.OLEAUT32(?), ref: 005617D8
VariantClear.OLEAUT32(?), ref: 005617E7
VariantInit.OLEAUT32(00000000), ref: 00561823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00561625
Default, xrefs: 005616AF

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: dc6d9bf3d543d16e4b5b64130410b859e7e0f825e8c5d26af1915aa8c429df79
Instruction ID: 44db7ebd282156a283b273b47bdaac8ad1d32900e8adbb28b6783b801ca88e25
Opcode Fuzzy Hash: dc6d9bf3d543d16e4b5b64130410b859e7e0f825e8c5d26af1915aa8c429df79
Instruction Fuzzy Hash: FED1FE72A00A05DBDB109F65E888B7DFFB5BF84700F18845AE807AB590EB34EC44DB65

Function 0057B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

Part of subcall function 0057C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0057B6AE,?,?), ref: 0057C9B5
Part of subcall function 0057C998: _wcslen.LIBCMT ref: 0057C9F1
Part of subcall function 0057C998: _wcslen.LIBCMT ref: 0057CA68
Part of subcall function 0057C998: _wcslen.LIBCMT ref: 0057CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0057B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0057B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0057B80A
RegCloseKey.ADVAPI32(?), ref: 0057B87E
RegCloseKey.ADVAPI32(?), ref: 0057B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0057B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0057B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0057B922
FreeLibrary.KERNEL32(00000000), ref: 0057B983
RegCloseKey.ADVAPI32(00000000), ref: 0057B994

Strings

RegDeleteKeyExW, xrefs: 0057B8FE
advapi32.dll, xrefs: 0057B8ED

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 37cf996252fc61956de7b2125b2e618f1f15151756300b516bfb35637ae3d06d
Instruction ID: 9030c368a54c1078397885558127f1706d480ca8cf502026b100f8d20d3cc0ea
Opcode Fuzzy Hash: 37cf996252fc61956de7b2125b2e618f1f15151756300b516bfb35637ae3d06d
Instruction Fuzzy Hash: F8C17B30204201AFE714DF15D494F2ABBE5FF84308F14C55DE5AA8B2A2CB75ED45DB92

Function 0057255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 005725D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 005725E8
CreateCompatibleDC.GDI32(?), ref: 005725F4
SelectObject.GDI32(00000000,?), ref: 00572601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0057266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 005726AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 005726D0
SelectObject.GDI32(?,?), ref: 005726D8
DeleteObject.GDI32(?), ref: 005726E1
DeleteDC.GDI32(?), ref: 005726E8
ReleaseDC.USER32(00000000,?), ref: 005726F3

Strings

(, xrefs: 0057268D

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: a4222e8e1e5b251e270db1ee13e082d1f7adc7f3f6c9fe644db4b78805399965
Instruction ID: d364579aef1b5c130a4d34de4023364ab397ff41a5710573fea2c5fc1839e8ff
Opcode Fuzzy Hash: a4222e8e1e5b251e270db1ee13e082d1f7adc7f3f6c9fe644db4b78805399965
Instruction Fuzzy Hash: E061D475D00219EFCF14CFA4D888AAEBFB5FF58310F20852AE95AA7250D770A951DF60

Function 0052DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0052DAA1

Part of subcall function 0052D63C: _free.LIBCMT ref: 0052D659
Part of subcall function 0052D63C: _free.LIBCMT ref: 0052D66B
Part of subcall function 0052D63C: _free.LIBCMT ref: 0052D67D
Part of subcall function 0052D63C: _free.LIBCMT ref: 0052D68F
Part of subcall function 0052D63C: _free.LIBCMT ref: 0052D6A1
Part of subcall function 0052D63C: _free.LIBCMT ref: 0052D6B3
Part of subcall function 0052D63C: _free.LIBCMT ref: 0052D6C5
Part of subcall function 0052D63C: _free.LIBCMT ref: 0052D6D7
Part of subcall function 0052D63C: _free.LIBCMT ref: 0052D6E9
Part of subcall function 0052D63C: _free.LIBCMT ref: 0052D6FB
Part of subcall function 0052D63C: _free.LIBCMT ref: 0052D70D
Part of subcall function 0052D63C: _free.LIBCMT ref: 0052D71F
Part of subcall function 0052D63C: _free.LIBCMT ref: 0052D731

_free.LIBCMT ref: 0052DA96

Part of subcall function 005229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0052D7D1,00000000,00000000,00000000,00000000,?,0052D7F8,00000000,00000007,00000000,?,0052DBF5,00000000), ref: 005229DE
Part of subcall function 005229C8: GetLastError.KERNEL32(00000000,?,0052D7D1,00000000,00000000,00000000,00000000,?,0052D7F8,00000000,00000007,00000000,?,0052DBF5,00000000,00000000), ref: 005229F0

_free.LIBCMT ref: 0052DAB8
_free.LIBCMT ref: 0052DACD
_free.LIBCMT ref: 0052DAD8
_free.LIBCMT ref: 0052DAFA
_free.LIBCMT ref: 0052DB0D
_free.LIBCMT ref: 0052DB1B
_free.LIBCMT ref: 0052DB26
_free.LIBCMT ref: 0052DB5E
_free.LIBCMT ref: 0052DB65
_free.LIBCMT ref: 0052DB82
_free.LIBCMT ref: 0052DB9A

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 5d8db694c829cea385bf48e601999551412684d65b4a7c6f82976c184f53439f
Instruction ID: 3132f7810d2adfdbb71ac163df3cf532937ff3990c1d180e35d374a8add94623
Opcode Fuzzy Hash: 5d8db694c829cea385bf48e601999551412684d65b4a7c6f82976c184f53439f
Instruction Fuzzy Hash: B9315736604626AFEB21AB38F849B5ABFF9FF46310F554429E449D71D1DB31AC808B30

Function 0055365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0055369C
_wcslen.LIBCMT ref: 005536A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00553797
GetClassNameW.USER32(?,?,00000400), ref: 0055380C
GetDlgCtrlID.USER32(?), ref: 0055385D
GetWindowRect.USER32(?,?), ref: 00553882
GetParent.USER32(?), ref: 005538A0
ScreenToClient.USER32(00000000), ref: 005538A7
GetClassNameW.USER32(?,?,00000100), ref: 00553921
GetWindowTextW.USER32(?,?,00000400), ref: 0055395D

Strings

%s%u, xrefs: 00553734

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 41fa51c99d691c560267f6bbe8801660c910f0cfcbe28a76a21e4bd020c98f0d
Instruction ID: 6ff3d5cd118a260b5ee239ab7c689a11c2ca745aaf26a73489b1ec68766293ea
Opcode Fuzzy Hash: 41fa51c99d691c560267f6bbe8801660c910f0cfcbe28a76a21e4bd020c98f0d
Instruction Fuzzy Hash: 0791B4B1204606AFD719DF24C8A5BAAFBA8FF44391F00452AFD99D2150DB30EA5DCB91

Function 00554954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00554994
GetWindowTextW.USER32(?,?,00000400), ref: 005549DA
_wcslen.LIBCMT ref: 005549EB
CharUpperBuffW.USER32(?,00000000), ref: 005549F7
_wcsstr.LIBVCRUNTIME ref: 00554A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00554A64
GetWindowTextW.USER32(?,?,00000400), ref: 00554A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00554AE6
GetClassNameW.USER32(?,?,00000400), ref: 00554B20
GetWindowRect.USER32(?,?), ref: 00554B8B

Strings

ThumbnailClass, xrefs: 00554A6F, 00554AF1

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 362f04851c6eee32384bdf440b27cc0441ce891ffac0c9a5a966fd2586eca813
Instruction ID: b97bca61f882e052335a64c02c4cc0eeff8719c9b146d59b81370af5b7d5bdeb
Opcode Fuzzy Hash: 362f04851c6eee32384bdf440b27cc0441ce891ffac0c9a5a966fd2586eca813
Instruction Fuzzy Hash: 9F91AD310042069FDF04DF14C995BAA7BE9FF84359F04846AFD859A096EB34ED89CFA1

Function 00588D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00509BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00509BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00588D5A
GetFocus.USER32 ref: 00588D6A
GetDlgCtrlID.USER32(00000000), ref: 00588D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00588E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00588ECF
GetMenuItemCount.USER32(?), ref: 00588EEC
GetMenuItemID.USER32(?,00000000), ref: 00588EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00588F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00588F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00588FA1

Strings

0, xrefs: 00588E9F

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: d4ce3508cbf9a9e04c84336d19d217024f62c416bc48eb0e31d9661203ab5b03
Instruction ID: 158a9e8ad7234043043faf66f900405ee645ea896051b8eed848a4868b4c723f
Opcode Fuzzy Hash: d4ce3508cbf9a9e04c84336d19d217024f62c416bc48eb0e31d9661203ab5b03
Instruction Fuzzy Hash: 5F81AD715083029FDB20EF24D884ABB7FE9FB98314F540929FE84A7291DB70D905DBA1

Function 0055BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(005C1990,000000FF,00000000,00000030), ref: 0055BFAC
SetMenuItemInfoW.USER32(005C1990,00000004,00000000,00000030), ref: 0055BFE1
Sleep.KERNEL32(000001F4), ref: 0055BFF3
GetMenuItemCount.USER32(?), ref: 0055C039
GetMenuItemID.USER32(?,00000000), ref: 0055C056
GetMenuItemID.USER32(?,-00000001), ref: 0055C082
GetMenuItemID.USER32(?,?), ref: 0055C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0055C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0055C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0055C145

Strings

0, xrefs: 0055BF3D

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 04d94ff673f117e28013359653a8822761b9f844185efdc99e5eb44c2e61ac71
Instruction ID: 8cd1badf83f677655dd211a1b41e71db3020a7e9b1314e6ea3e22d80cd233cc4
Opcode Fuzzy Hash: 04d94ff673f117e28013359653a8822761b9f844185efdc99e5eb44c2e61ac71
Instruction Fuzzy Hash: AC617BB090074AAFEF11CF64DD98ABEBFA8FB45346F000456ED11A3292D775AD48DB60

Function 0055DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0055DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0055DC46
_wcslen.LIBCMT ref: 0055DC50
_wcsstr.LIBVCRUNTIME ref: 0055DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0055DCBC

Strings

\VarFileInfo\Translation, xrefs: 0055DCB4
StringFileInfo\, xrefs: 0055DC8F
%u.%u.%u.%u, xrefs: 0055DD9A
04090000, xrefs: 0055DCF2
DefaultLangCodepage, xrefs: 0055DD1F

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: e075c5d235b61554a0ad0c1c577768e1416368e2dda35ee82f02e70e91993623
Instruction ID: d0e0da0ce07a7831de485e213de961f5b41fd0701b00ddf217ae956c7a362739
Opcode Fuzzy Hash: e075c5d235b61554a0ad0c1c577768e1416368e2dda35ee82f02e70e91993623
Instruction Fuzzy Hash: 084106329402067AEB20A764DC0BEFF7FBCFF95711F14006AFD00A6182EA749A4497B5

Function 0057CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0057CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0057CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0057CD48

Part of subcall function 0057CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0057CCAA
Part of subcall function 0057CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0057CCBD
Part of subcall function 0057CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0057CCCF
Part of subcall function 0057CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0057CD05
Part of subcall function 0057CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0057CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0057CCF3

Strings

RegDeleteKeyExW, xrefs: 0057CCC9
advapi32.dll, xrefs: 0057CCB8

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: c75d231ecef21b275fb3c4d87f07f7c871bad016307008fca59c819b0a7faf76
Instruction ID: 507885beb4fe42b34e85c5d699a78db9ef6602e662d8099f944d5f4acbd9e3d4
Opcode Fuzzy Hash: c75d231ecef21b275fb3c4d87f07f7c871bad016307008fca59c819b0a7faf76
Instruction Fuzzy Hash: A9316971901129BBDB219B50EC88EEFBF7CFF55740F004169A90AE6240DA309E49EBB0

Function 00563D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00563D40
_wcslen.LIBCMT ref: 00563D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00563D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00563DBE
RemoveDirectoryW.KERNEL32(?), ref: 00563DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00563E55
CloseHandle.KERNEL32(00000000), ref: 00563E60
CloseHandle.KERNEL32(00000000), ref: 00563E6B

Strings

\, xrefs: 00563D77
\??\%s, xrefs: 00563D5B
:, xrefs: 00563D82

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 0894231b8f33c7628c1d1dcd7d58be5f84d2dac3c8e1582c7829fc24a29c63f5
Instruction ID: c93d91a8301436d6f7e373b88c48cbb40d9e512784aa6e69aefc228f595bcffd
Opcode Fuzzy Hash: 0894231b8f33c7628c1d1dcd7d58be5f84d2dac3c8e1582c7829fc24a29c63f5
Instruction Fuzzy Hash: 8331737590010A6BDB219BA0DC49FEF7BBCFF89740F1041A5F915E6090EB7497449B34

Function 0055E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0055E6B4

Part of subcall function 0050E551: timeGetTime.WINMM(?,?,0055E6D4), ref: 0050E555

Sleep.KERNEL32(0000000A), ref: 0055E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0055E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0055E727
SetActiveWindow.USER32 ref: 0055E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0055E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0055E773
Sleep.KERNEL32(000000FA), ref: 0055E77E
IsWindow.USER32 ref: 0055E78A
EndDialog.USER32(00000000), ref: 0055E79B

Strings

BUTTON, xrefs: 0055E719

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 75b5fe7c5683050fcb8c64ccc3d0aaa761cd527a575d0f7ae8713213ae9e7d41
Instruction ID: 07f21285ec178ea6456d70ebf8ce4f11ced276430ec699f4afe879cf49f6ea3e
Opcode Fuzzy Hash: 75b5fe7c5683050fcb8c64ccc3d0aaa761cd527a575d0f7ae8713213ae9e7d41
Instruction Fuzzy Hash: 97217F70200641AFEB045B21EC9AE253E69FB6578AF101426FC55915A1DF71AD4CBB34

Function 0055E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0055EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0055EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0055EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0055EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0055EAA7

Strings

open , xrefs: 0055EA0C
play PlayMe, xrefs: 0055EAA2
alias PlayMe, xrefs: 0055EA36
status PlayMe mode, xrefs: 0055EA58
play PlayMe wait, xrefs: 0055EA91
close PlayMe, xrefs: 0055EA6E, 0055EA9B

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: d6707a75a984902bca7762be9904e715608b64ca5abeb4b05b9583bb5014c39e
Instruction ID: a37e4975e6df8b2a116412817c23db11f883e0a14b1e40779f0a605f60434cdf
Opcode Fuzzy Hash: d6707a75a984902bca7762be9904e715608b64ca5abeb4b05b9583bb5014c39e
Instruction Fuzzy Hash: 68114F31A5026979D724A7B2DC5AEFF6EBCFBD1B44F00042AB911A20D1EEB41A49C5B0

Function 00559F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0055A012
SetKeyboardState.USER32(?), ref: 0055A07D
GetAsyncKeyState.USER32(000000A0), ref: 0055A09D
GetKeyState.USER32(000000A0), ref: 0055A0B4
GetAsyncKeyState.USER32(000000A1), ref: 0055A0E3
GetKeyState.USER32(000000A1), ref: 0055A0F4
GetAsyncKeyState.USER32(00000011), ref: 0055A120
GetKeyState.USER32(00000011), ref: 0055A12E
GetAsyncKeyState.USER32(00000012), ref: 0055A157
GetKeyState.USER32(00000012), ref: 0055A165
GetAsyncKeyState.USER32(0000005B), ref: 0055A18E
GetKeyState.USER32(0000005B), ref: 0055A19C

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 2633228f48a7d911fc072527fd30f374b062a5fdb09b9e229f5dcd696a1e928e
Instruction ID: 5a507947505589e72ab59490d7f09ac73039c757a2baf9329730049cf526aab6
Opcode Fuzzy Hash: 2633228f48a7d911fc072527fd30f374b062a5fdb09b9e229f5dcd696a1e928e
Instruction Fuzzy Hash: 7051D93490478869FB35DB7088357EAAFB5AF12381F08469BDDC2571C2DB64AA4CC762

Function 00555CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00555CE2
GetWindowRect.USER32(00000000,?), ref: 00555CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00555D59
GetDlgItem.USER32(?,00000002), ref: 00555D69
GetWindowRect.USER32(00000000,?), ref: 00555D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00555DCF
GetDlgItem.USER32(?,000003E9), ref: 00555DDD
GetWindowRect.USER32(00000000,?), ref: 00555DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00555E31
GetDlgItem.USER32(?,000003EA), ref: 00555E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00555E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00555E67

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 34d04da8f13b62f3db7c0d03a067468c479a7dad1eed6fe2e7f987f968eb003f
Instruction ID: b64a62d7fe92246abb30c17a8e8adcbefe9f65258d2b3b416616ae9fc615bbfe
Opcode Fuzzy Hash: 34d04da8f13b62f3db7c0d03a067468c479a7dad1eed6fe2e7f987f968eb003f
Instruction Fuzzy Hash: 1B510071B00605AFDB18CF69DD99AAE7BB9FF58301F148129F916E6290E7709E04CB60

Function 00508BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00508F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00508BE8,?,00000000,?,?,?,?,00508BBA,00000000,?), ref: 00508FC5

DestroyWindow.USER32(?), ref: 00508C81
KillTimer.USER32(00000000,?,?,?,?,00508BBA,00000000,?), ref: 00508D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00546973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00508BBA,00000000,?), ref: 005469A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00508BBA,00000000,?), ref: 005469B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00508BBA,00000000), ref: 005469D4
DeleteObject.GDI32(00000000), ref: 005469E6

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 453147b05fac14e63d8956c58a96670cb693f4ca90f6932aa3e1438e1cba04af
Instruction ID: f1a137b2361a3f8634e2fcbc48d2e27fec38b5b7bc0e2b59394d601ae193091c
Opcode Fuzzy Hash: 453147b05fac14e63d8956c58a96670cb693f4ca90f6932aa3e1438e1cba04af
Instruction Fuzzy Hash: B961CD31002A01DFDB259F14D948F797FF1FB62316F14591CE082AA9A0CB71AC88EF65

Function 00509838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00509944: GetWindowLongW.USER32(?,000000EB), ref: 00509952

GetSysColor.USER32(0000000F), ref: 00509862

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: c52b2e7df1fea76b5835c81157511b75689bcd9ac9b05b8699f207ee3cd1e19a
Instruction ID: 849e5d1319a728aebdd5be3e7a7ac250adb55554f0fa0c0972ad1b6476960267
Opcode Fuzzy Hash: c52b2e7df1fea76b5835c81157511b75689bcd9ac9b05b8699f207ee3cd1e19a
Instruction Fuzzy Hash: 5F41BF71104644AFDB205F389C88BBD3FA5BB56330F148655F9A29B2E7D7309C42EB60

Function 00528D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.Q, xrefs: 0052903A, 00528FD0, 00528FF2

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID: .Q
API String ID: 0-3049930668
Opcode ID: 96dc7c2d1db751bda353c358a901cd92db1beba800c1833f992888c55c988da1
Instruction ID: 6da3e753f1948f8d6232ba48cb20cf4995b2038a1201c7fded3c6a915562d8dc
Opcode Fuzzy Hash: 96dc7c2d1db751bda353c358a901cd92db1beba800c1833f992888c55c988da1
Instruction Fuzzy Hash: B4C1F479E04269AFDB11DFE8E849BADBFB4BF5A310F044099E415A73D2CB309941CB61

Function 005596E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0053F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00559717
LoadStringW.USER32(00000000,?,0053F7F8,00000001), ref: 00559720

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0053F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00559742
LoadStringW.USER32(00000000,?,0053F7F8,00000001), ref: 00559745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00559866

Strings

Line %d (File "%s"):, xrefs: 0055978F
^ ERROR, xrefs: 005597FB
Error: , xrefs: 0055981D
Line %d:, xrefs: 005597A0
%s (%d) : ==> %s: %s %s, xrefs: 0055984A

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 43c433c53bb4b13d46c55b43f255f3b7132ffd0fa7430491ea2c7145a44027d9
Instruction ID: f03f92ffad9a2d6f2f674b398bd63f560f224ca3f423971fb2183cf3ea3d9f5b
Opcode Fuzzy Hash: 43c433c53bb4b13d46c55b43f255f3b7132ffd0fa7430491ea2c7145a44027d9
Instruction Fuzzy Hash: 7F414E7280021DAACF04FBA1CD96EFE7B78AF54745F10042AFA0572091EB396F48CB65

Function 005506DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 004F6B57: _wcslen.LIBCMT ref: 004F6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 005507A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 005507BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 005507DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00550804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0055082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00550837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0055083C

Strings

\IPC$, xrefs: 00550784
\CLSID, xrefs: 00550724
SOFTWARE\Classes\, xrefs: 0055070E

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 4052af2a181ef8203d98faf10f09ea47f43acac36e9ba5a6cbb93b06630fd1c1
Instruction ID: b89f2ded6ca2e09304887ac73aa7bfdb65c8e44e04996d91e9cb79030f7090d3
Opcode Fuzzy Hash: 4052af2a181ef8203d98faf10f09ea47f43acac36e9ba5a6cbb93b06630fd1c1
Instruction Fuzzy Hash: F541197181022DABDF15EF95DC95DFDBB78BF04384F04412AE901A31A0EB34AD18CBA0

Function 00583F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0058403B
CreateCompatibleDC.GDI32(00000000), ref: 00584042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00584055
SelectObject.GDI32(00000000,00000000), ref: 0058405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00584068
DeleteDC.GDI32(00000000), ref: 00584072
GetWindowLongW.USER32(?,000000EC), ref: 0058407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00584092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 0058409E

Strings

static, xrefs: 00583FD3

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: b45ad45862f74abe1d10d97b218e8741e19cdea5f8499bc3827a975217282d29
Instruction ID: 53165647b0ecbf038138be7b55abdc84d19d31e8fa6e1e8df75300917c588e5d
Opcode Fuzzy Hash: b45ad45862f74abe1d10d97b218e8741e19cdea5f8499bc3827a975217282d29
Instruction Fuzzy Hash: 04316B32501216ABDF21AFA8DC48FEA3F69FF19724F110211FE15B60A0D775D814EBA4

Function 00573C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00573C5C
CoInitialize.OLE32(00000000), ref: 00573C8A
CoUninitialize.OLE32 ref: 00573C94
_wcslen.LIBCMT ref: 00573D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00573DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00573ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00573F0E
CoGetObject.OLE32(?,00000000,0058FB98,?), ref: 00573F2D
SetErrorMode.KERNEL32(00000000), ref: 00573F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00573FC4
VariantClear.OLEAUT32(?), ref: 00573FD8

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: d6ef8145e5a39745aa39872aae023a50513b0fd1e7fd72c15f398bf16809ce3e
Instruction ID: c8d6e5a74afe0695ae56108ac887bb82ed4813b881fe312eaa3445f5689b81a8
Opcode Fuzzy Hash: d6ef8145e5a39745aa39872aae023a50513b0fd1e7fd72c15f398bf16809ce3e
Instruction Fuzzy Hash: 61C168716083059FD700DF68D88492BBBE9FF89798F10891DF98A9B250D731EE05EB52

Function 00567A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00567AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00567B8F
SHGetDesktopFolder.SHELL32(?), ref: 00567BA3
CoCreateInstance.OLE32(0058FD08,00000000,00000001,005B6E6C,?), ref: 00567BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00567C74
CoTaskMemFree.OLE32(?,?), ref: 00567CCC
SHBrowseForFolderW.SHELL32(?), ref: 00567D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00567D7A
CoTaskMemFree.OLE32(00000000), ref: 00567D81
CoTaskMemFree.OLE32(00000000), ref: 00567DD6
CoUninitialize.OLE32 ref: 00567DDC

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 7c00c7c2e7a2c9dc3afe71e46af2fea8dbefe29e9d7ce2998be90fa7275d8dcc
Instruction ID: 5580905e1ad418c0731f0704c5639c55bad287c87dcd94b641da7d33f3dc1623
Opcode Fuzzy Hash: 7c00c7c2e7a2c9dc3afe71e46af2fea8dbefe29e9d7ce2998be90fa7275d8dcc
Instruction Fuzzy Hash: 69C12C75A04109AFDB14DFA4C884DAEBBF9FF48308B148499E919EB361D734EE45CB90

Function 0058541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00585504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00585515
CharNextW.USER32(00000158), ref: 00585544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00585585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0058559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005855AC

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: e41c9a12a0f2df1c1f84553764bc2c996838cb50e0c9db0274193560bc1afdbe
Instruction ID: 42745b04112eaceb1a2295a11612348d0051d403b9466b2bbae39519b7a54e72
Opcode Fuzzy Hash: e41c9a12a0f2df1c1f84553764bc2c996838cb50e0c9db0274193560bc1afdbe
Instruction Fuzzy Hash: EF618A30900609ABDF11AFA5CC85AFE7FB9FF09321F104555FD25BA2A0E7748A84DB60

Function 0054FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0054FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0054FB08
VariantInit.OLEAUT32(?), ref: 0054FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0054FB3A
VariantCopy.OLEAUT32(?,?), ref: 0054FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0054FBA1
VariantClear.OLEAUT32(?), ref: 0054FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0054FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0054FBCC
VariantClear.OLEAUT32(?), ref: 0054FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0054FBE9

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: d30bfae2090720c6d33ed5f6364942a74664e344f5da4152ac1834491f151cf6
Instruction ID: 14ef363ed0d7c7d8392ce246e92bd0a1c8cb8720e3406a8e5070852733e0b5c8
Opcode Fuzzy Hash: d30bfae2090720c6d33ed5f6364942a74664e344f5da4152ac1834491f151cf6
Instruction Fuzzy Hash: 17415F35A002199FCF00DF68D858DEEBFB9FF58349F008069E905A7261DB30A945DBA0

Function 00559C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00559CA1
GetAsyncKeyState.USER32(000000A0), ref: 00559D22
GetKeyState.USER32(000000A0), ref: 00559D3D
GetAsyncKeyState.USER32(000000A1), ref: 00559D57
GetKeyState.USER32(000000A1), ref: 00559D6C
GetAsyncKeyState.USER32(00000011), ref: 00559D84
GetKeyState.USER32(00000011), ref: 00559D96
GetAsyncKeyState.USER32(00000012), ref: 00559DAE
GetKeyState.USER32(00000012), ref: 00559DC0
GetAsyncKeyState.USER32(0000005B), ref: 00559DD8
GetKeyState.USER32(0000005B), ref: 00559DEA

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: cc5bac603b5b1c48ed66c741de47e60e680be53e9a7d56faba04111d2c374b8f
Instruction ID: b131d0a18d2adf2eee566e6cfffe4f82201d46d02aa55d3ea4681ca127e4720a
Opcode Fuzzy Hash: cc5bac603b5b1c48ed66c741de47e60e680be53e9a7d56faba04111d2c374b8f
Instruction Fuzzy Hash: 0B4196345047C9A9FF31966488253B5BEB07F21345F08805BDEC65A5C2EBADADCCC7A2

Function 0057055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 005705BC
inet_addr.WSOCK32(?), ref: 0057061C
gethostbyname.WSOCK32(?), ref: 00570628
IcmpCreateFile.IPHLPAPI ref: 00570636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 005706C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 005706E5
IcmpCloseHandle.IPHLPAPI(?), ref: 005707B9
WSACleanup.WSOCK32 ref: 005707BF

Strings

Ping, xrefs: 00570676

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: c6e78c9f88b53fe6444ea80e4723f73ec02fe839b8504dfee753770641dda129
Instruction ID: c6abc6d48119ac8fcd75b7c1705ba48c759875c691844fefb77987c6fcb9ef0a
Opcode Fuzzy Hash: c6e78c9f88b53fe6444ea80e4723f73ec02fe839b8504dfee753770641dda129
Instruction Fuzzy Hash: C1917835604201EFD324DF15E888B2ABFE0FB84318F14D9A9E4699B6A2C734EC45DF91

Function 00578CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00578CF3

Part of subcall function 00558E54: _wcslen.LIBCMT ref: 00558E77

_wcslen.LIBCMT ref: 00578D4E
_wcslen.LIBCMT ref: 00578D9C
_wcslen.LIBCMT ref: 00578DDC
_wcslen.LIBCMT ref: 00578E6E

Strings

none, xrefs: 00578E65, 00578E6A
cdecl, xrefs: 00578D48, 00578D4D
winapi, xrefs: 00578D96, 00578D9B
stdcall, xrefs: 00578DD6, 00578DDB

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: a9429416473a91c52f00b81e539bf3149808cba801a1a074082f90ebf3bfca30
Instruction ID: ed6bd85abf77e9c0e31a6fdc358977a95cfa3f2dbe234a835ca559eeeabe48a2
Opcode Fuzzy Hash: a9429416473a91c52f00b81e539bf3149808cba801a1a074082f90ebf3bfca30
Instruction Fuzzy Hash: A851D731A405169BCF24DF6CD8449BEBBA5BF64324B20822AE92AE73C4DF34DD40D790

Function 0057372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00573774
CoUninitialize.OLE32 ref: 0057377F
CoCreateInstance.OLE32(?,00000000,00000017,0058FB78,?), ref: 005737D9
IIDFromString.OLE32(?,?), ref: 0057384C
VariantInit.OLEAUT32(?), ref: 005738E4
VariantClear.OLEAUT32(?), ref: 00573936

Strings

NULL Pointer assignment, xrefs: 0057381E
Invalid parameter, xrefs: 00573865
Failed to create object, xrefs: 005737E4, 0057389A

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 05a11a5349121fd97a217e3ac3bd4f67ff09a03da637265aa50097467ddfb223
Instruction ID: 34559812fad19817e97ccffae11e22d64f890a17626576f4ff593f42f6d5c86c
Opcode Fuzzy Hash: 05a11a5349121fd97a217e3ac3bd4f67ff09a03da637265aa50097467ddfb223
Instruction Fuzzy Hash: 97618F71608301AFD310DF54D849B6ABFE4FF88725F108809F98997291D770EE48EB92

Function 00563388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 005633CF

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 005633F0

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00563504
^ ERROR , xrefs: 0056349E
Line %d (File "%s"):, xrefs: 00563443, 0056345C
Incorrect parameters to object property !, xrefs: 005634AB
Error: , xrefs: 005634D1
"%s" (%d) : ==> %s:, xrefs: 00563522

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 2b05e2d838219a7fce2ee2bbc383f55477ca7f7e0aa3d607993222c65d512da0
Instruction ID: 9fb4c37eed298fa812c72c154c02b8a8053efeb5dfe0319716366f020cd6d588
Opcode Fuzzy Hash: 2b05e2d838219a7fce2ee2bbc383f55477ca7f7e0aa3d607993222c65d512da0
Instruction Fuzzy Hash: EC51DD7180060AAADF15EBA1CD46EFEBB78BF14745F10406AF90573092EB392F58DB64

Function 00588B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00509BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00509BB2

Part of subcall function 0050912D: GetCursorPos.USER32(?), ref: 00509141
Part of subcall function 0050912D: ScreenToClient.USER32(00000000,?), ref: 0050915E
Part of subcall function 0050912D: GetAsyncKeyState.USER32(00000001), ref: 00509183
Part of subcall function 0050912D: GetAsyncKeyState.USER32(00000002), ref: 0050919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00588B6B
ImageList_EndDrag.COMCTL32 ref: 00588B71
ReleaseCapture.USER32 ref: 00588B77
SetWindowTextW.USER32(?,00000000), ref: 00588C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00588C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00588CFF

Strings

p#\, xrefs: 00588C71
@GUI_DRAGFILE, xrefs: 00588C9A
@GUI_DROPID, xrefs: 00588C51

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#\
API String ID: 1924731296-509227506
Opcode ID: d0d8a3fabe29188735c18bfe15b921bdb817c9564a1e7bb494ad9bd6bf8a4dd2
Instruction ID: 099e4ddbd3ac63e6fe2c8d05728404717f99073b2f5f175e39f25c9660c825f5
Opcode Fuzzy Hash: d0d8a3fabe29188735c18bfe15b921bdb817c9564a1e7bb494ad9bd6bf8a4dd2
Instruction Fuzzy Hash: BB517A70104204AFD700EF15D85AFBA7BE4FB88754F40062DF9966B2E2DB709D08CB66

Function 0055B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0055B5FC
_wcslen.LIBCMT ref: 0055B608
_wcslen.LIBCMT ref: 0055B64D
_wcslen.LIBCMT ref: 0055B68C
_wcslen.LIBCMT ref: 0055B6C7

Strings

REMOVE, xrefs: 0055B602, 0055B607
APPEND, xrefs: 0055B6C1, 0055B6C6
EXISTS, xrefs: 0055B686, 0055B68B
KEYS, xrefs: 0055B647, 0055B64C

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: e84d0ea8d70d819371183352bea71dc0c736316cab8177877a0324ec9e01ee84
Instruction ID: ba937458e2c5cfbbc91b41b8ea8d08b40aafd3703e48544d7ae9f199bc812bea
Opcode Fuzzy Hash: e84d0ea8d70d819371183352bea71dc0c736316cab8177877a0324ec9e01ee84
Instruction Fuzzy Hash: 5A41D632A000279ADB105F7DC8A45BE7FA5FFA0795B24422BEC21D7284E735CD85C790

Function 00565393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005653A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00565416
GetLastError.KERNEL32 ref: 00565420
SetErrorMode.KERNEL32(00000000,READY), ref: 005654A7

Strings

NOTREADY, xrefs: 0056544B
UNKNOWN, xrefs: 00565444
INVALID, xrefs: 00565459
READONLY, xrefs: 00565452
READY, xrefs: 00565460, 00565468

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: ca8dc4ca98fc7dced15ed36968d219e2a1d224faed69b3194b7caf9febd90ec0
Instruction ID: faf0595bdb58ef6fef62e8f84f5dda677431af649ee32a30c620c53db27b9384
Opcode Fuzzy Hash: ca8dc4ca98fc7dced15ed36968d219e2a1d224faed69b3194b7caf9febd90ec0
Instruction Fuzzy Hash: F731B535A405059FCB10DF68C484BAA7FB4FF44306F1484A9E505DB252EF75DD86CB90

Function 00583C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00583C79
SetMenu.USER32(?,00000000), ref: 00583C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00583D10
IsMenu.USER32(?), ref: 00583D24
CreatePopupMenu.USER32 ref: 00583D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00583D5B
DrawMenuBar.USER32 ref: 00583D63

Strings

F, xrefs: 00583D4E
0, xrefs: 00583C54

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 4bb00fcb1404dd742483245f0b78d0f32b2821df47c6b3da7431d22426489ef9
Instruction ID: 62e4f9aa0be3b3c214dd7ec8a6cdde9788d0bedc0c0db694e4f348a6c7b382a8
Opcode Fuzzy Hash: 4bb00fcb1404dd742483245f0b78d0f32b2821df47c6b3da7431d22426489ef9
Instruction Fuzzy Hash: 7B418875A02209AFDF14DF64E884EAA7FB5FF49340F144029ED46A7360D730AA14DBA4

Function 00551EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

Part of subcall function 00553CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00553CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00551F64
GetDlgCtrlID.USER32 ref: 00551F6F
GetParent.USER32 ref: 00551F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00551F8E
GetDlgCtrlID.USER32(?), ref: 00551F97
GetParent.USER32(?), ref: 00551FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00551FAE

Strings

ComboBox, xrefs: 00551EEC
ListBox, xrefs: 00551F21

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 05a730bc8386cc9e9c74c3276a7e170d7068e665438167759b708241648d24ef
Instruction ID: 20f12065c933f984bc9933906f288f401f6bea5af9e24a8bac8ac9649c22a334
Opcode Fuzzy Hash: 05a730bc8386cc9e9c74c3276a7e170d7068e665438167759b708241648d24ef
Instruction Fuzzy Hash: 2A21AC70900218ABCF04AFA5DC95AFEBFA8BF15350B00011AFD65AB2A1DB39590C9B74

Function 00551FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

Part of subcall function 00553CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00553CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00552043
GetDlgCtrlID.USER32 ref: 0055204E
GetParent.USER32 ref: 0055206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0055206D
GetDlgCtrlID.USER32(?), ref: 00552076
GetParent.USER32(?), ref: 0055208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0055208D

Strings

ComboBox, xrefs: 00551FCD
ListBox, xrefs: 00552002

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 698c63327554e40c0f872314e05ae382ffa186ccddc5ae147c1a9f78224d3e60
Instruction ID: 6d36b20a2d9c7866499f0a53de289462cf3345c19d41b79afc5de8c32190596f
Opcode Fuzzy Hash: 698c63327554e40c0f872314e05ae382ffa186ccddc5ae147c1a9f78224d3e60
Instruction Fuzzy Hash: F121BE71900218BBCF14AFA5CC99AFEBFB8BF15340F000416BD55AB1A1EA79591CDB60

Function 00583A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00583A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00583AA0
GetWindowLongW.USER32(?,000000F0), ref: 00583AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00583AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00583B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00583BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00583BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00583BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00583BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00583C13

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 5bb917554b509d280f9e678af95026b7f13d50b7005db11dc995eb79f892fa4b
Instruction ID: ee436d0433da57165a14457d837fb46dceb41c6f51009a4a6ab4735138f8f821
Opcode Fuzzy Hash: 5bb917554b509d280f9e678af95026b7f13d50b7005db11dc995eb79f892fa4b
Instruction Fuzzy Hash: 76615C75900248AFDB10EFA8CC81EEE7BB8FF49700F104199FA15AB292D774AE45DB54

Function 0055B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0055B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0055A1E1,?,00000001), ref: 0055B165
GetWindowThreadProcessId.USER32(00000000), ref: 0055B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0055A1E1,?,00000001), ref: 0055B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0055B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0055A1E1,?,00000001), ref: 0055B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0055A1E1,?,00000001), ref: 0055B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0055A1E1,?,00000001), ref: 0055B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0055A1E1,?,00000001), ref: 0055B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0055A1E1,?,00000001), ref: 0055B21D

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 9d44ec63ee9a565eca5262de9d61329fe488dd975158048a67929d665cb057fa
Instruction ID: a5382adca7ba437c52653b1b37c6324fe800e785867d0785d9d509802b7dd2bc
Opcode Fuzzy Hash: 9d44ec63ee9a565eca5262de9d61329fe488dd975158048a67929d665cb057fa
Instruction Fuzzy Hash: EC318C76500A08AFEB109F64EC5CFAD7FA9BB61312F108056FE01E6190E7B49A48DF70

Function 00522C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00522C94

Part of subcall function 005229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0052D7D1,00000000,00000000,00000000,00000000,?,0052D7F8,00000000,00000007,00000000,?,0052DBF5,00000000), ref: 005229DE
Part of subcall function 005229C8: GetLastError.KERNEL32(00000000,?,0052D7D1,00000000,00000000,00000000,00000000,?,0052D7F8,00000000,00000007,00000000,?,0052DBF5,00000000,00000000), ref: 005229F0

_free.LIBCMT ref: 00522CA0
_free.LIBCMT ref: 00522CAB
_free.LIBCMT ref: 00522CB6
_free.LIBCMT ref: 00522CC1
_free.LIBCMT ref: 00522CCC
_free.LIBCMT ref: 00522CD7
_free.LIBCMT ref: 00522CE2
_free.LIBCMT ref: 00522CED
_free.LIBCMT ref: 00522CFB

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a5d198dcbc767c780b88cc20dc6b389015d93b1cb79568ffbf604fc41185d4c8
Instruction ID: 010a45b88fce28c24a2e6ab07e861a3b683559a0f24b402d7310d0b2b5a2d983
Opcode Fuzzy Hash: a5d198dcbc767c780b88cc20dc6b389015d93b1cb79568ffbf604fc41185d4c8
Instruction Fuzzy Hash: 9D11967A100119BFCB02EF54E986CDD3FA5FF4A350F8144A5F9485B262D631EE909B90

Function 00567DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00567FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00567FC1
GetFileAttributesW.KERNEL32(?), ref: 00567FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00568005
SetCurrentDirectoryW.KERNEL32(?), ref: 00568017
SetCurrentDirectoryW.KERNEL32(?), ref: 00568060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 005680B0

Strings

*.*, xrefs: 00568066

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: c1983cc4da365bdaecf93dceb171c6f965d60fe10aaeb0a80076ac5924a9c762
Instruction ID: 70ddb593e73b1e6d0d401927eaa6d9f3fbe47513b265a1fbf406525dcca287f4
Opcode Fuzzy Hash: c1983cc4da365bdaecf93dceb171c6f965d60fe10aaeb0a80076ac5924a9c762
Instruction Fuzzy Hash: 7E81B1725082099BCB20EF64C4549BABBE8BF88318F144D5EF885D7250EB36DD49CB52

Function 004F5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 004F5C7A

Part of subcall function 004F5D0A: GetClientRect.USER32(?,?), ref: 004F5D30
Part of subcall function 004F5D0A: GetWindowRect.USER32(?,?), ref: 004F5D71
Part of subcall function 004F5D0A: ScreenToClient.USER32(?,?), ref: 004F5D99

GetDC.USER32 ref: 005346F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00534708
SelectObject.GDI32(00000000,00000000), ref: 00534716
SelectObject.GDI32(00000000,00000000), ref: 0053472B
ReleaseDC.USER32(?,00000000), ref: 00534733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 005347C4

Strings

U, xrefs: 00534693

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 794c9b0474d704569bbe7093fa6083cc2830563c807033a9e7730d7c15499925
Instruction ID: 8de1d77d7b733ead68d2e19d6e49ac8bd1d17e334fd63fcdfb760a877a12e25d
Opcode Fuzzy Hash: 794c9b0474d704569bbe7093fa6083cc2830563c807033a9e7730d7c15499925
Instruction Fuzzy Hash: 2671F331400609DFCF218F64CD85ABA7FB5FF4A354F14426AEE566A2A6C334AC42DF60

Function 0056359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 005635E4

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

LoadStringW.USER32(005C2390,?,00000FFF,?), ref: 0056360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00563724
Line %d (File "%s"):, xrefs: 0056366B
^ ERROR, xrefs: 005636C9
Error: , xrefs: 005636EF
"%s" (%d) : ==> %s:, xrefs: 00563742

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: c6c496e2f210f4c3b1ca2af1b084f7e4842069fe9ba004b3469efebedc0ba805
Instruction ID: f6442a95998ad63d9252d9d26f2fb5afda2e1ff4a076e4e6d5696c26a406a1c5
Opcode Fuzzy Hash: c6c496e2f210f4c3b1ca2af1b084f7e4842069fe9ba004b3469efebedc0ba805
Instruction Fuzzy Hash: FB517F7180060AAADF15EBA1CC42EFDBF74FF14745F14412AF60572191DB342B98DB64

Function 0056C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0056C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0056C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0056C2CA
GetLastError.KERNEL32 ref: 0056C322
SetEvent.KERNEL32(?), ref: 0056C336
InternetCloseHandle.WININET(00000000), ref: 0056C341

Strings

, xrefs: 0056C2BB

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: e7cd2fbdec0e8b9d7057c99520b84a60a7e2243a3ac4c91f1ae6e7c3020fc7dc
Instruction ID: bff40205b03fada04bab52b6e7e18ab1b1714d34847ff1b37f3178b2a88d4de8
Opcode Fuzzy Hash: e7cd2fbdec0e8b9d7057c99520b84a60a7e2243a3ac4c91f1ae6e7c3020fc7dc
Instruction Fuzzy Hash: 01315AB1600208AFD7219F649888ABB7FFCFB59744B10891EA886E7200DB34DD089B70

Function 0055989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00533AAF,?,?,Bad directive syntax error,0058CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 005598BC
LoadStringW.USER32(00000000,?,00533AAF,?), ref: 005598C3

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00559987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 005598F1
Error: , xrefs: 00559955
Line %d (File "%s"):, xrefs: 0055992D
., xrefs: 0055996D
Line %d:, xrefs: 00559912

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 62b0f6c93f4fdfe42e5a6356cf39e3e9037c2183f9a8a7cbeb74798fcdd81243
Instruction ID: 41bbf9dfed33519cefdcacd38c688dacb20afd2cee4dc08439dd092e1d2677e0
Opcode Fuzzy Hash: 62b0f6c93f4fdfe42e5a6356cf39e3e9037c2183f9a8a7cbeb74798fcdd81243
Instruction Fuzzy Hash: AB216F3180021EEBCF11EF90CC5AEED7B75BF14745F04442AFA15620A1EB79AA18DB20

Function 0055209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 005520AB
GetClassNameW.USER32(00000000,?,00000100), ref: 005520C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0055214D

Strings

list, xrefs: 0055212F
details, xrefs: 005520FB
smallicons, xrefs: 00552115
largeicons, xrefs: 005520E1
SHELLDLL_DefView, xrefs: 005520CC

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 268daed558611a6677929222a16830826c4505ecf7c227ca570ed2215b7167d6
Instruction ID: ef5e9e5b67385a3f84463f5c2f63c8c112848645625a3a8a7e13c863cf4651fb
Opcode Fuzzy Hash: 268daed558611a6677929222a16830826c4505ecf7c227ca570ed2215b7167d6
Instruction Fuzzy Hash: 9A112776288B07BAF60562209C1BDE73F9CFF16325F201027FF05A40D1FE6168899B14

Function 0052CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0052CEB7
_free.LIBCMT ref: 0052CF22
_free.LIBCMT ref: 0052CF48
_free.LIBCMT ref: 0052CF71
_free.LIBCMT ref: 0052CFA9
_free.LIBCMT ref: 0052CFDA
_free.LIBCMT ref: 0052D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0052D09C
_free.LIBCMT ref: 0052D0B5

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 0c1c93b7a2a73fea16ab29c958af7b897b9849df92c4e31ecb5996f29c403296
Instruction ID: ef2b78d90c108d5a5594bcd345e99851ec0ea1192bd88f5eaabf87ffc3717944
Opcode Fuzzy Hash: 0c1c93b7a2a73fea16ab29c958af7b897b9849df92c4e31ecb5996f29c403296
Instruction Fuzzy Hash: 45614772904721AFDB21AFB4BD89A6E7FA5BF47310F04026DF905A72C2E6319D41D7A0

Function 005850D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00585186
ShowWindow.USER32(?,00000000), ref: 005851C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 005851CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 005851D1

Part of subcall function 00586FBA: DeleteObject.GDI32(00000000), ref: 00586FE6

GetWindowLongW.USER32(?,000000F0), ref: 0058520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0058521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0058524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00585287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00585296

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 809cded524d96f7571e70b2f0fe09d90f4ba29c65eba0127d264ac7dc933cda4
Instruction ID: 7298ee47408b1a327f57c2ecd3d812354bdef7df465ff79c3813233fb1bf281b
Opcode Fuzzy Hash: 809cded524d96f7571e70b2f0fe09d90f4ba29c65eba0127d264ac7dc933cda4
Instruction Fuzzy Hash: A751AF34A50A09BEEF20AF24CC4EBD83F65FB45321F144011FE56BA2E1EB75A994DB50

Function 00508B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00546890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 005468A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 005468B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 005468D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 005468F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00508874,00000000,00000000,00000000,000000FF,00000000), ref: 00546901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0054691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00508874,00000000,00000000,00000000,000000FF,00000000), ref: 0054692D

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 227066bec85f9e881dd3d2a2d809f1d8e595cc07bce9e0e56caf1c3acc3bce7f
Instruction ID: 0cb28a0220c7d562f6baf7bca491ac6675ad50d3bfaba57b5aeca74f10f1c14a
Opcode Fuzzy Hash: 227066bec85f9e881dd3d2a2d809f1d8e595cc07bce9e0e56caf1c3acc3bce7f
Instruction Fuzzy Hash: 42518770600609EFDB20CF24CC55FAA7FB5FB99764F104528F992A62E0DB70E990EB50

Function 0056C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0056C182
GetLastError.KERNEL32 ref: 0056C195
SetEvent.KERNEL32(?), ref: 0056C1A9

Part of subcall function 0056C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0056C272
Part of subcall function 0056C253: GetLastError.KERNEL32 ref: 0056C322
Part of subcall function 0056C253: SetEvent.KERNEL32(?), ref: 0056C336
Part of subcall function 0056C253: InternetCloseHandle.WININET(00000000), ref: 0056C341

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: bca2bac99e688890a4b46e0a22758e2e8d4f809e4e833b113fe9bed6fe2f82e7
Instruction ID: 6176fecebb203fde120e7bf84beac70b6a582114d844a33746496ab264484260
Opcode Fuzzy Hash: bca2bac99e688890a4b46e0a22758e2e8d4f809e4e833b113fe9bed6fe2f82e7
Instruction Fuzzy Hash: 22316B75200605AFDB219FA5DC58A76BFE9FF68300B00851DFDDA93610DB31E818EBA0

Function 005525A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00553A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00553A57
Part of subcall function 00553A3D: GetCurrentThreadId.KERNEL32 ref: 00553A5E
Part of subcall function 00553A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005525B3), ref: 00553A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 005525BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 005525DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 005525DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 005525E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00552601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00552605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0055260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00552623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00552627

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 6fdbe08c0d28201c6de4ae59e9534c6b2662bfb39593baca3e14efc0b1d4b53a
Instruction ID: 538b519c8dc0bd0dc184490f212e1e3e3a7641293b075a0affc53f4ae2981d44
Opcode Fuzzy Hash: 6fdbe08c0d28201c6de4ae59e9534c6b2662bfb39593baca3e14efc0b1d4b53a
Instruction Fuzzy Hash: BA01B131290210BBFB106769DC9EF593F59EB9AB52F101012FB18AE0D5C9F22448DB79

Function 00551803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00551449,?,?,00000000), ref: 0055180C
HeapAlloc.KERNEL32(00000000,?,00551449,?,?,00000000), ref: 00551813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00551449,?,?,00000000), ref: 00551828
GetCurrentProcess.KERNEL32(?,00000000,?,00551449,?,?,00000000), ref: 00551830
DuplicateHandle.KERNEL32(00000000,?,00551449,?,?,00000000), ref: 00551833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00551449,?,?,00000000), ref: 00551843
GetCurrentProcess.KERNEL32(00551449,00000000,?,00551449,?,?,00000000), ref: 0055184B
DuplicateHandle.KERNEL32(00000000,?,00551449,?,?,00000000), ref: 0055184E
CreateThread.KERNEL32(00000000,00000000,00551874,00000000,00000000,00000000), ref: 00551868

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: c313e10c575205d6b2a9e9d469979a89eae6b49a0311402c85dce0402b62db20
Instruction ID: 2ab21b36c8093d5196edc55d6b01a72bd1e70fbe59d3a3e51eb644a8a1fc209c
Opcode Fuzzy Hash: c313e10c575205d6b2a9e9d469979a89eae6b49a0311402c85dce0402b62db20
Instruction Fuzzy Hash: F801A8B5240308BFE610ABA5DC8DF6B3FACEB99B11F005411FA05EB2A1DA719804DB30

Function 00523E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00523F0B
__alldvrm.LIBCMT ref: 0052410C
__alldvrm.LIBCMT ref: 0052412E

Strings

}}Q, xrefs: 005240CD
}}Q, xrefs: 00523E8A
}}Q, xrefs: 00523E96, 00523EF1, 00523F0A, 00524090

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}Q$}}Q$}}Q
API String ID: 1036877536-2405922197
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 60caa41f3ffdb4d8041e1cf502c9586d237307678e480b49c28f389b16747ba0
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 05A14771E006A69FD715CF28E8857AEBFE4FF63350F18456DE5859B2C1C2389981CB50

Function 0057A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0055D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0055D501
Part of subcall function 0055D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0055D50F
Part of subcall function 0055D4DC: CloseHandle.KERNELBASE(00000000), ref: 0055D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0057A16D
GetLastError.KERNEL32 ref: 0057A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0057A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0057A268
GetLastError.KERNEL32(00000000), ref: 0057A273
CloseHandle.KERNEL32(00000000), ref: 0057A2C4

Strings

SeDebugPrivilege, xrefs: 0057A18F

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: d70280232c5ab24bdf01e82608d0567f77c1c4745ff9daa9778c6586b6f0afc2
Instruction ID: e3ac0d7f84090d0f27413adde95e6bc7ece611d955481d386ed379ed528282ca
Opcode Fuzzy Hash: d70280232c5ab24bdf01e82608d0567f77c1c4745ff9daa9778c6586b6f0afc2
Instruction Fuzzy Hash: 34618C35204242AFD710DF19D494F29BFA1BF94318F54C48CE86A8B6A3C776EC49DB92

Function 00583886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00583925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0058393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00583954
_wcslen.LIBCMT ref: 00583999
SendMessageW.USER32(?,00001057,00000000,?), ref: 005839C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 005839F4

Strings

SysListView32, xrefs: 005838F7

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 72bc5ea1137186df1b9b8de0cbfed1d23afc5f3ee038f49629924016027da893
Instruction ID: df26690ccc0f10287d89e8d374f12374df7a0fba01ee95c3d21a2348ad2253ff
Opcode Fuzzy Hash: 72bc5ea1137186df1b9b8de0cbfed1d23afc5f3ee038f49629924016027da893
Instruction Fuzzy Hash: 6841A171A00219ABEB21AF64CC49FEA7FA9FF48750F100526F958F7281D7719A84CB94

Function 0055BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0055BCFD
IsMenu.USER32(00000000), ref: 0055BD1D
CreatePopupMenu.USER32 ref: 0055BD53
GetMenuItemCount.USER32(00F3DB18), ref: 0055BDA4
InsertMenuItemW.USER32(00F3DB18,?,00000001,00000030), ref: 0055BDCC

Strings

0, xrefs: 0055BCA8
2, xrefs: 0055BD37

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: f0cf7964c9b63ca6dc91a24ae8ff81054a04db577de6613c06dfed0ad383b481
Instruction ID: bacd08cd6d5e4f4e4e8a44f4c9f57c471bdb2eeac0aaaf21b9dc8654432a4860
Opcode Fuzzy Hash: f0cf7964c9b63ca6dc91a24ae8ff81054a04db577de6613c06dfed0ad383b481
Instruction Fuzzy Hash: 6451AF70A002099BEF10CFA8D8ACBAEBFF4BF95316F14451AEC51E7290D7719948CB61

Function 00512D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00512D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00512D53
_ValidateLocalCookies.LIBCMT ref: 00512DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00512E0C
_ValidateLocalCookies.LIBCMT ref: 00512E61

Strings

csm, xrefs: 00512DF6
&HQ, xrefs: 00512DFE, 00512E07, 00512E18

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &HQ$csm
API String ID: 1170836740-3952113351
Opcode ID: 12679fea1ebb813971813df84cc972156423dac9fa7e9a5a8eaa85fd2b40592c
Instruction ID: 0035aaa44fef48e89856006cc17398d7247a423b762a0035dc16955f89d5b125
Opcode Fuzzy Hash: 12679fea1ebb813971813df84cc972156423dac9fa7e9a5a8eaa85fd2b40592c
Instruction Fuzzy Hash: E841C634A00209AFDF10DF68D859ADEBFB5BF44324F148155E8146B392D731AEA6CBD0

Function 0055C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0055C913

Strings

blank, xrefs: 0055C895
warning, xrefs: 0055C8FC
stop, xrefs: 0055C8E4
info, xrefs: 0055C8B4
question, xrefs: 0055C8CC

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 5b0042f266f082b3388b2a862c047e6fd846f25c00bd05947b5bdcc779496583
Instruction ID: d68e84e1c5f0fbf48ed38829401603b9d0d3d6dae01cbd775e7a6264d7806301
Opcode Fuzzy Hash: 5b0042f266f082b3388b2a862c047e6fd846f25c00bd05947b5bdcc779496583
Instruction Fuzzy Hash: 42113D32689307BFE7005B149C93CEA6FACFF15716B20002BFD00A62C2DB747D845664

Function 0055DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0055DE42
gethostname.WSOCK32(?,00000100), ref: 0055DE5C
gethostbyname.WSOCK32(?), ref: 0055DE69
inet_ntoa.WSOCK32(?), ref: 0055DEAB
_strcat.LIBCMT ref: 0055DEB9
WSACleanup.WSOCK32 ref: 0055DEDE

Strings

0.0.0.0, xrefs: 0055DE87

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 5598e22f5900da5221ebe0292ac06320f02144ee873c6330f56932f56b5a28e6
Instruction ID: 7c28a31f412502d1025c32b7b25a1374585f204598dcd66911eb6d12f7dbdd46
Opcode Fuzzy Hash: 5598e22f5900da5221ebe0292ac06320f02144ee873c6330f56932f56b5a28e6
Instruction Fuzzy Hash: 7111E73250411AABDB30AB209C0BEEE7FBCFB51712F00016AF905E6091EF748A859B70

Function 00589F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00509BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00509BB2

GetSystemMetrics.USER32(0000000F), ref: 00589FC7
GetSystemMetrics.USER32(0000000F), ref: 00589FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0058A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0058A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0058A263
ShowWindow.USER32(00000003,00000000), ref: 0058A282
InvalidateRect.USER32(?,00000000,00000001), ref: 0058A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 0058A2CA

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: e98083fce318ab711ae2d5488983a9c2d982638b825739266ebebe0ac6091df4
Instruction ID: 84b729fa5b4639829d0d0eb24158cb9061a1e0878271f6fc7571f2e2b779d9b3
Opcode Fuzzy Hash: e98083fce318ab711ae2d5488983a9c2d982638b825739266ebebe0ac6091df4
Instruction Fuzzy Hash: D2B1BC35600215DFEF24DF68C989BAE7BB2FF44701F08806AEC46AF295D731A940CB61

Function 0055ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0055ED2A
_wcslen.LIBCMT ref: 0055ED3B
_wcslen.LIBCMT ref: 0055ED79
_wcslen.LIBCMT ref: 0055EDAF
_wcslen.LIBCMT ref: 0055EDDF
_wcslen.LIBCMT ref: 0055EDEF
_wcslen.LIBCMT ref: 0055EE2B
_wcslen.LIBCMT ref: 0055EE5A

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 64ebdbda4f15e207ace82a1665ecfdd446f2f7ef6129edb4ddc3bdf4f719ab95
Instruction ID: 2208ee58973c4c6f796c416478514749fbeb27ba00a4d5308826ebc515507af0
Opcode Fuzzy Hash: 64ebdbda4f15e207ace82a1665ecfdd446f2f7ef6129edb4ddc3bdf4f719ab95
Instruction Fuzzy Hash: 35418069C1021965DB11EBB4888F9CFBBBCBF85710F508466E924E3122EB34E395C7A5

Function 0050F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0054682C,00000004,00000000,00000000), ref: 0050F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0054682C,00000004,00000000,00000000), ref: 0054F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0054682C,00000004,00000000,00000000), ref: 0054F454

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 7c1877df8d7f36fe7566497a6c2a46137c8028821fcedd535a49f3e9b2268bb1
Instruction ID: b04a459d046cad3db4961ca95c272064ca1c1fb0585987bd5d76ff0d58c2d3b3
Opcode Fuzzy Hash: 7c1877df8d7f36fe7566497a6c2a46137c8028821fcedd535a49f3e9b2268bb1
Instruction Fuzzy Hash: 6D412A31608680BEDB398F2DD88CB6E7F91BB96314F144C3DE48762DE1D631A885DB11

Function 00582D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00582D1B
GetDC.USER32(00000000), ref: 00582D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00582D2E
ReleaseDC.USER32(00000000,00000000), ref: 00582D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00582D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00582D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00585A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00582DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00582DE1

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 21dd32bbd6f195b68a8652706f317063bd93affac5d98cb34cac2684038bbba7
Instruction ID: 3d97e1aced6e0bc754b0bb03aae7b2adc2025ad77fb8aba002ababea8b388dbb
Opcode Fuzzy Hash: 21dd32bbd6f195b68a8652706f317063bd93affac5d98cb34cac2684038bbba7
Instruction Fuzzy Hash: 1B318B76201214BBEB119F548C8AFEB3FA9FF19751F044065FE08AE291D6759C45CBB0

Function 00555622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00555637
_memcmp.LIBVCRUNTIME ref: 00555659
_memcmp.LIBVCRUNTIME ref: 00555671
_memcmp.LIBVCRUNTIME ref: 00555684
_memcmp.LIBVCRUNTIME ref: 0055569E
_memcmp.LIBVCRUNTIME ref: 005556B1
_memcmp.LIBVCRUNTIME ref: 005556C9
_memcmp.LIBVCRUNTIME ref: 005556E4

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 9f48df24cea49bc33c6931360d103ff547a2107fcb87fcb5ece7237835458c09
Instruction ID: 7bdde14fac3e6049a9f3f9d31768ef6a5724d478ba11c68d0d5e4286ab1842ba
Opcode Fuzzy Hash: 9f48df24cea49bc33c6931360d103ff547a2107fcb87fcb5ece7237835458c09
Instruction Fuzzy Hash: FF212C61744D0EB7E21465118DB2FFA3F5CBF54386F540422FE066A541F720EE1883A9

Function 00531522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 005315CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00531651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 005316E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 005316FB

Part of subcall function 00523820: RtlAllocateHeap.NTDLL(00000000,?,005C1444,?,0050FDF5,?,?,004FA976,00000010,005C1440,004F13FC,?,004F13C6,?,004F1129), ref: 00523852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00531777
__freea.LIBCMT ref: 005317A2
__freea.LIBCMT ref: 005317AE

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 06b79fddda4df28191284e037d1dd75029be1db08b7f53dff9b5e10727643871
Instruction ID: d8996ac19affbdbef217f4a5b1f9c4ebadf0e5c13710174426dd0768a56cf55b
Opcode Fuzzy Hash: 06b79fddda4df28191284e037d1dd75029be1db08b7f53dff9b5e10727643871
Instruction Fuzzy Hash: DC91A271E00A169ADF218FB4C985AEE7FB5FF89310F184659E802E7281DB35DC44CB68

Function 00574523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00574648
VariantInit.OLEAUT32(?), ref: 00574749
VariantClear.OLEAUT32(?), ref: 00574753
VariantClear.OLEAUT32(?), ref: 005747B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0057472C
Null Object assignment in FOR..IN loop, xrefs: 005745D8, 00574706, 005747BE

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: f011cf8526376d4c51e8a15726f860fa40eceb42d9b7d659573503eb97a46ecc
Instruction ID: 409a887adc2d1eb63a3a8315f633190dd9d072b6dc7136a4da63350d9f4bf8e3
Opcode Fuzzy Hash: f011cf8526376d4c51e8a15726f860fa40eceb42d9b7d659573503eb97a46ecc
Instruction Fuzzy Hash: 4A919171A00219ABDF24CFA4D888FAEBFB8FF85710F108559F509AB280D7709941DFA0

Function 00561187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0056125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00561284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 005612A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005612D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0056135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005613C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00561430

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 0590352521fae45622ff05af5320aa9ec5c9ae33dfdce37ee855cf9087ed2344
Instruction ID: 16b57d0e7682ba628b1a1ae7d5f2816bfd91d61d37951d0db6d03c9f2144e6c7
Opcode Fuzzy Hash: 0590352521fae45622ff05af5320aa9ec5c9ae33dfdce37ee855cf9087ed2344
Instruction Fuzzy Hash: 54912675A006099FDB00DFA5C885BBEBBB5FF84315F184429E901EB291DB74ED41CB98

Function 0050948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 18c05bb4bc090199f817d065fd96529155fd4184d815e3637037513a7f043667
Instruction ID: 57616fe2505f8aa4fd535fcab68922c3b4ca74b61a25691c200d3878dd37f7a7
Opcode Fuzzy Hash: 18c05bb4bc090199f817d065fd96529155fd4184d815e3637037513a7f043667
Instruction Fuzzy Hash: 78912771900219EFCB10CFA9CC88AEEBFB8FF49324F148555E915B7296D374A941CB60

Function 00573947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0057396B
CharUpperBuffW.USER32(?,?), ref: 00573A7A
_wcslen.LIBCMT ref: 00573A8A
VariantClear.OLEAUT32(?), ref: 00573C1F

Part of subcall function 00560CDF: VariantInit.OLEAUT32(00000000), ref: 00560D1F
Part of subcall function 00560CDF: VariantCopy.OLEAUT32(?,?), ref: 00560D28
Part of subcall function 00560CDF: VariantClear.OLEAUT32(?), ref: 00560D34

Strings

Incorrect Parameter format, xrefs: 005739A6, 00573BA1
AUTOIT.ERROR, xrefs: 00573A80, 00573A85

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: b5209949bd2cb672fdc1b8a332f2e6d6719e05628a3116f73bb1dff3274d99b4
Instruction ID: a5fa21a821770273385c04aeeecb56ffc73cd42aa1f5945f52ed41b43e3259e2
Opcode Fuzzy Hash: b5209949bd2cb672fdc1b8a332f2e6d6719e05628a3116f73bb1dff3274d99b4
Instruction Fuzzy Hash: 0F9168756083059FC704EF24D48596ABBE4FF88324F14886EF8899B351DB30EE45EB92

Function 00574BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0055000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0054FF41,80070057,?,?,?,0055035E), ref: 0055002B
Part of subcall function 0055000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0054FF41,80070057,?,?), ref: 00550046
Part of subcall function 0055000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0054FF41,80070057,?,?), ref: 00550054
Part of subcall function 0055000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0054FF41,80070057,?), ref: 00550064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00574C51
_wcslen.LIBCMT ref: 00574D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00574DCF
CoTaskMemFree.OLE32(?), ref: 00574DDA

Strings

NULL Pointer assignment, xrefs: 00574E23, 00574E52

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 238ead6cbfec1b4e84639642c84cf4d7ad676df7b674385ec4c427c5c43ddee4
Instruction ID: cd9e3f37c6bac56d21f549be7d86cba5542d4e2fb18370a860abf0b5573d1710
Opcode Fuzzy Hash: 238ead6cbfec1b4e84639642c84cf4d7ad676df7b674385ec4c427c5c43ddee4
Instruction Fuzzy Hash: 38913871D0021D9FDF10DFA4D891AEEBBB8BF08314F10856AE919A7281DB349E44DF60

Function 005820FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00582183
GetMenuItemCount.USER32(00000000), ref: 005821B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 005821DD
_wcslen.LIBCMT ref: 00582213
GetMenuItemID.USER32(?,?), ref: 0058224D
GetSubMenu.USER32(?,?), ref: 0058225B

Part of subcall function 00553A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00553A57
Part of subcall function 00553A3D: GetCurrentThreadId.KERNEL32 ref: 00553A5E
Part of subcall function 00553A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005525B3), ref: 00553A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 005822E3

Part of subcall function 0055E97B: Sleep.KERNEL32 ref: 0055E9F3

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 31a72143a16b3d3d5ec4f35f5274b39c1e8c09fcf9d29f78d7401e4824d395bd
Instruction ID: f745c9378fa764344d7a8fe5ce7c9d1384b1d358e3844601da03f0d5462cf804
Opcode Fuzzy Hash: 31a72143a16b3d3d5ec4f35f5274b39c1e8c09fcf9d29f78d7401e4824d395bd
Instruction Fuzzy Hash: 2F714C75A00205AFCB14EF65C885AAEBFF5BF88314F148469E916FB351DB34A941CBA0

Function 00587E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00F3DB90), ref: 00587F37
IsWindowEnabled.USER32(00F3DB90), ref: 00587F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0058801E
SendMessageW.USER32(00F3DB90,000000B0,?,?), ref: 00588051
IsDlgButtonChecked.USER32(?,?), ref: 00588089
GetWindowLongW.USER32(00F3DB90,000000EC), ref: 005880AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 005880C3

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 64d5e50fc1aade5f189694422511f8fef9f01d17a22782013b8a5e82a53693e6
Instruction ID: e66c136cffdfe694efa65b8d3a7b72e021e987df8ac2af70900c93fe3641590e
Opcode Fuzzy Hash: 64d5e50fc1aade5f189694422511f8fef9f01d17a22782013b8a5e82a53693e6
Instruction Fuzzy Hash: B7719E34608248AFEB21AF65C888FBA7FB5FF19300F244459EE55A7261CB31E845DB20

Function 0055AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0055AEF9
GetKeyboardState.USER32(?), ref: 0055AF0E
SetKeyboardState.USER32(?), ref: 0055AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0055AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0055AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0055AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0055B020

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 44ce816090e194e86be5f31bb4cff7ddd7892013432d6a2532015cefa193e4a4
Instruction ID: 2f79d17ec346a98eafacd813a555e189f0e16a3f46c9cf48e60ac0838278f7a0
Opcode Fuzzy Hash: 44ce816090e194e86be5f31bb4cff7ddd7892013432d6a2532015cefa193e4a4
Instruction Fuzzy Hash: 085104A06043D13DFB3242348C69BBABEA96F06305F08858AE9D9554D3D398ACCCD361

Function 0055ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0055AD19
GetKeyboardState.USER32(?), ref: 0055AD2E
SetKeyboardState.USER32(?), ref: 0055AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0055ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0055ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0055AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0055AE38

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: d64a938074b66d71ba86335b86d989875427caf28455e7bbe55e103e5a1fa8d2
Instruction ID: e243678e07a9c34d18f8413dfddd69b37db9465e8ec1bacfeaf0f32f5c91c2c5
Opcode Fuzzy Hash: d64a938074b66d71ba86335b86d989875427caf28455e7bbe55e103e5a1fa8d2
Instruction Fuzzy Hash: D15108A15047D53DFB3393348C66B7ABEA87B45302F08868AE9D5568C2D394EC8CD762

Function 0052542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00533CD6,?,?,?,?,?,?,?,?,00525BA3,?,?,00533CD6,?,?), ref: 00525470
__fassign.LIBCMT ref: 005254EB
__fassign.LIBCMT ref: 00525506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00533CD6,00000005,00000000,00000000), ref: 0052552C
WriteFile.KERNEL32(?,00533CD6,00000000,00525BA3,00000000,?,?,?,?,?,?,?,?,?,00525BA3,?), ref: 0052554B
WriteFile.KERNEL32(?,?,00000001,00525BA3,00000000,?,?,?,?,?,?,?,?,?,00525BA3,?), ref: 00525584

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: ab8f9c63cb740525c0e727126bc9d47ca444b41ad563a5281b79dfaaf0990ea6
Instruction ID: c4a0c4033cf1dd82cad9841fd81741100a9ed1a911799fd9e7fbcbc6be865c7c
Opcode Fuzzy Hash: ab8f9c63cb740525c0e727126bc9d47ca444b41ad563a5281b79dfaaf0990ea6
Instruction Fuzzy Hash: FE51B171A006199FDB10CFA8E885AEEBFF9FF1A301F14451AF955E72D1E6309A41CB60

Function 005710B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0057304E: inet_addr.WSOCK32(?), ref: 0057307A
Part of subcall function 0057304E: _wcslen.LIBCMT ref: 0057309B

socket.WSOCK32(00000002,00000001,00000006), ref: 00571112
WSAGetLastError.WSOCK32 ref: 00571121
WSAGetLastError.WSOCK32 ref: 005711C9
closesocket.WSOCK32(00000000), ref: 005711F9

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 6cd4e1b775ffed42966668538635dad0cb5bfe31128e12a3fdab2eda9a9d5f6a
Instruction ID: e9b0c1fb97e81a9590989159dd5157cb62bbf86167a8fbf757add90597752f32
Opcode Fuzzy Hash: 6cd4e1b775ffed42966668538635dad0cb5bfe31128e12a3fdab2eda9a9d5f6a
Instruction Fuzzy Hash: 30410331600608AFDB109F28D884BA9BFE9FF45328F54C059FD0AAF291C774AD45DBA5

Function 0055CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0055DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0055CF22,?), ref: 0055DDFD

Part of subcall function 0055DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0055CF22,?), ref: 0055DE16

lstrcmpiW.KERNEL32(?,?), ref: 0055CF45
MoveFileW.KERNEL32(?,?), ref: 0055CF7F
_wcslen.LIBCMT ref: 0055D005
_wcslen.LIBCMT ref: 0055D01B
SHFileOperationW.SHELL32(?), ref: 0055D061

Strings

\*.*, xrefs: 0055CFF3

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 18843b0866532f8e2c0ee0e902c0542e9b00b9b77081304c47c43a10c210e064
Instruction ID: 799d8d923e72dd5e914bf7ff03680f90a3e7499909945f3354edc6e0a583ab7a
Opcode Fuzzy Hash: 18843b0866532f8e2c0ee0e902c0542e9b00b9b77081304c47c43a10c210e064
Instruction Fuzzy Hash: BA4144719052195FDF12EBA4D995ADDBFB8BF48381F0000E7E905EB141EA34A788CB50

Function 00582DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00582E1C
GetWindowLongW.USER32(?,000000F0), ref: 00582E4F
GetWindowLongW.USER32(?,000000F0), ref: 00582E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00582EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00582EE0
GetWindowLongW.USER32(?,000000F0), ref: 00582EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00582F0B

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 8f4c55b56e5e3c009d78baece423fe69addf12410e43a8c21c7597f32f1964bc
Instruction ID: 1883cbe420c706ec1a571a4735707ef00f147405ea494dd17a19b3a282ebec61
Opcode Fuzzy Hash: 8f4c55b56e5e3c009d78baece423fe69addf12410e43a8c21c7597f32f1964bc
Instruction Fuzzy Hash: F3312430604640AFDB21EF19DC84F653FE8FBAA710F141165F900AF2B2CB71A848EB18

Function 00557726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00557769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0055778F
SysAllocString.OLEAUT32(00000000), ref: 00557792
SysAllocString.OLEAUT32(?), ref: 005577B0
SysFreeString.OLEAUT32(?), ref: 005577B9
StringFromGUID2.OLE32(?,?,00000028), ref: 005577DE
SysAllocString.OLEAUT32(?), ref: 005577EC

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 3c8813083ad2c067a97b30ac643eb7c909237ee8e4a1d77337a4789151991f61
Instruction ID: b42665c6a2a3c05dc8c67a88e247d895d5440c25b10c0c2410fbb58cd674cdd6
Opcode Fuzzy Hash: 3c8813083ad2c067a97b30ac643eb7c909237ee8e4a1d77337a4789151991f61
Instruction Fuzzy Hash: 92219F76614219AFDF10DFA8EC88CBA7BACFB0D3657048426BD14DB1A0D6709C498760

Function 005577FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00557842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00557868
SysAllocString.OLEAUT32(00000000), ref: 0055786B
SysAllocString.OLEAUT32 ref: 0055788C
SysFreeString.OLEAUT32 ref: 00557895
StringFromGUID2.OLE32(?,?,00000028), ref: 005578AF
SysAllocString.OLEAUT32(?), ref: 005578BD

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 4b6c1870ee732a46f272798022d495d84886057f997b21f9112b9b9e33c9585f
Instruction ID: 76d1660f988e9d83e28bcd7cbd61ee7558e0a86d6ae15cfc7313cb0c1dc93225
Opcode Fuzzy Hash: 4b6c1870ee732a46f272798022d495d84886057f997b21f9112b9b9e33c9585f
Instruction Fuzzy Hash: 09218131604118AFDF109BA8EC9CDAA7BACFB0C3617108126BD15DB2A1D670DC49CB74

Function 005604D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 005604F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0056052E

Strings

nul, xrefs: 00560567

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 68169ce65331f6e4791e3a3e73e2e9c7fbfbc9aca7dfb1ebe9a8600d23259afd
Instruction ID: 2dd1017d706fab86ad719139c997ad94116bafbecf45225f329b64205c54d1d4
Opcode Fuzzy Hash: 68169ce65331f6e4791e3a3e73e2e9c7fbfbc9aca7dfb1ebe9a8600d23259afd
Instruction Fuzzy Hash: BE215C75600305ABDF209F29DC44AAB7FA4BF64724F205A19F8A2E72E0E7709944DF20

Function 005605A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 005605C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00560601

Strings

nul, xrefs: 00560639

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 7d699386046f7657db1b2be9c6dadf69f37da132bc853f74976858236fe0ad80
Instruction ID: 31b906b6bb4d403c0beff12745400c19514f80461cacb76a8a7304744f051543
Opcode Fuzzy Hash: 7d699386046f7657db1b2be9c6dadf69f37da132bc853f74976858236fe0ad80
Instruction Fuzzy Hash: 7F2151755003059BDB209F69DC44AAB7FE4BF95720F201A19FCA1E72E0D7B09961DB20

Function 005840AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004F600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004F604C
Part of subcall function 004F600E: GetStockObject.GDI32(00000011), ref: 004F6060
Part of subcall function 004F600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 004F606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00584112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0058411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0058412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00584139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00584145

Strings

Msctls_Progress32, xrefs: 005840E3

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: f02a544d83e7568ae914d654fe450e13d13d9ea952d7daf483c5e46d4a6bcf5c
Instruction ID: 37c167e4c2c78ac3e6aa5d1e98b997d236c7441cfda94794a3910821aa614617
Opcode Fuzzy Hash: f02a544d83e7568ae914d654fe450e13d13d9ea952d7daf483c5e46d4a6bcf5c
Instruction Fuzzy Hash: 671190B215021EBEEF119F64CC85EE77F5DFF18798F014111BA18A6090CA769C21DBA4

Function 0052D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0052D7A3: _free.LIBCMT ref: 0052D7CC

_free.LIBCMT ref: 0052D82D

Part of subcall function 005229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0052D7D1,00000000,00000000,00000000,00000000,?,0052D7F8,00000000,00000007,00000000,?,0052DBF5,00000000), ref: 005229DE
Part of subcall function 005229C8: GetLastError.KERNEL32(00000000,?,0052D7D1,00000000,00000000,00000000,00000000,?,0052D7F8,00000000,00000007,00000000,?,0052DBF5,00000000,00000000), ref: 005229F0

_free.LIBCMT ref: 0052D838
_free.LIBCMT ref: 0052D843
_free.LIBCMT ref: 0052D897
_free.LIBCMT ref: 0052D8A2
_free.LIBCMT ref: 0052D8AD
_free.LIBCMT ref: 0052D8B8

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 3dbe6212fc4485eb7f410a970959c79be8919209bf0380ab29a7a80fe44a6126
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: B3113072540725BAD521BFB0EC4BFCB7FECBF86700F440815B29DA60D2D66DB5854660

Function 0055DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0055DA74
LoadStringW.USER32(00000000), ref: 0055DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0055DA91
LoadStringW.USER32(00000000), ref: 0055DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0055DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0055DAB9

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: ee44e8acaf1f155411912a177c20a2926538283d0b8e2ad17ce737a0c472a15d
Instruction ID: d2c2601c55b35c1a7ffa06019a5ec8632870077869c77148b81507dfd9d88921
Opcode Fuzzy Hash: ee44e8acaf1f155411912a177c20a2926538283d0b8e2ad17ce737a0c472a15d
Instruction Fuzzy Hash: EC0162F25002087FEB10ABA4DD89EEB3A6CF708301F4014A6BB06F2041E6749E888F74

Function 0056096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00F2D048,00F2D048), ref: 0056097B
EnterCriticalSection.KERNEL32(00F2D028,00000000), ref: 0056098D
TerminateThread.KERNEL32(?,000001F6), ref: 0056099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 005609A9
CloseHandle.KERNEL32(?), ref: 005609B8
InterlockedExchange.KERNEL32(00F2D048,000001F6), ref: 005609C8
LeaveCriticalSection.KERNEL32(00F2D028), ref: 005609CF

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 8b343081d708f913b3d32a4e90cc828299d2a29f2252de6dea2a38be5577746f
Instruction ID: f4cbda73cab2cd8ffb0c1e5224cbe517bbe089c12e0b3fc7f8209d92167989da
Opcode Fuzzy Hash: 8b343081d708f913b3d32a4e90cc828299d2a29f2252de6dea2a38be5577746f
Instruction Fuzzy Hash: A9F01D31442902ABD7415B94EE8CAD67F25BF11712F403015F502618E0C7749469DFA0

Function 00571C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?), ref: 00571DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00571DE1
WSAGetLastError.WSOCK32 ref: 00571DF2
htons.WSOCK32(?), ref: 00571EDB
inet_ntoa.WSOCK32(?), ref: 00571E8C

Part of subcall function 005539E8: _strlen.LIBCMT ref: 005539F2

Part of subcall function 00573224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0056EC0C), ref: 00573240

_strlen.LIBCMT ref: 00571F35

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: bcea88341ce7e3894e2e79bee4f4fcb946dc70cb0505e5c162d8fbfb1b666055
Instruction ID: 3e718931263d1c0f4564ad6088b25149faa8b3e8f6cf58e65b691467263f5b84
Opcode Fuzzy Hash: bcea88341ce7e3894e2e79bee4f4fcb946dc70cb0505e5c162d8fbfb1b666055
Instruction Fuzzy Hash: A5B1E070204700AFC324EF29D895E3A7BA9BF84318F54894CF55A5B2E2CB31ED45CBA5

Function 004F5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 004F5D30
GetWindowRect.USER32(?,?), ref: 004F5D71
ScreenToClient.USER32(?,?), ref: 004F5D99
GetClientRect.USER32(?,?), ref: 004F5ED7
GetWindowRect.USER32(?,?), ref: 004F5EF8

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 2bce184be1cdc413a74e59ad3a29a0e852771696e44d70120330b1b001559ee8
Instruction ID: 7a0b3212865949888d6bf82260880491a08827c2598140a9f7ac562750a522fa
Opcode Fuzzy Hash: 2bce184be1cdc413a74e59ad3a29a0e852771696e44d70120330b1b001559ee8
Instruction Fuzzy Hash: 73B17935A00A4ADBDB10CFA9C4807FEBBF1FF58310F14941AEAA9D7250DB34AA51DB54

Function 005201B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 005200BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005200D6
__allrem.LIBCMT ref: 005200ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0052010B
__allrem.LIBCMT ref: 00520122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00520140

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: fdcb23850a64eaa0212bbbec82f343c887ce09a75742cbe89d9d3ef85037e231
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 72812776A01B269BF7209F38DC45BAB7BE9BF82320F24453AF511D62C2E7B0D9418750

Function 005261FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,005182D9,005182D9,?,?,?,0052644F,00000001,00000001,8BE85006), ref: 00526258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0052644F,00000001,00000001,8BE85006,?,?,?), ref: 005262DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 005263D8
__freea.LIBCMT ref: 005263E5

Part of subcall function 00523820: RtlAllocateHeap.NTDLL(00000000,?,005C1444,?,0050FDF5,?,?,004FA976,00000010,005C1440,004F13FC,?,004F13C6,?,004F1129), ref: 00523852

__freea.LIBCMT ref: 005263EE
__freea.LIBCMT ref: 00526413

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: ac409ea5a3b13ea1375297f0de49ace24e43ff4d38ef74baaded3a1151e66508
Instruction ID: 737eadab35e5d1fc694a60baf68060e9b1535a0fa29bcf37efac769809aca680
Opcode Fuzzy Hash: ac409ea5a3b13ea1375297f0de49ace24e43ff4d38ef74baaded3a1151e66508
Instruction Fuzzy Hash: 9251CE72600226ABEB258E64EC85EAF7FA9FF96710F154A29FC05D71C0DB34DC44C6A0

Function 0057BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

Part of subcall function 0057C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0057B6AE,?,?), ref: 0057C9B5
Part of subcall function 0057C998: _wcslen.LIBCMT ref: 0057C9F1
Part of subcall function 0057C998: _wcslen.LIBCMT ref: 0057CA68
Part of subcall function 0057C998: _wcslen.LIBCMT ref: 0057CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0057BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0057BD25
RegCloseKey.ADVAPI32(00000000), ref: 0057BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0057BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0057BDF3
RegCloseKey.ADVAPI32(?), ref: 0057BDFF

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: e065752a0e84160748ed57efe37d21ecf640cbcee8986ad0ca6680d817969e93
Instruction ID: 15e37082e9d0915acecd01726a15784ddc766152c88cfb5cbf34eebbfec57708
Opcode Fuzzy Hash: e065752a0e84160748ed57efe37d21ecf640cbcee8986ad0ca6680d817969e93
Instruction Fuzzy Hash: 5F81AA70208241AFD714DF24D885F2ABBE9FF84348F14896DF5598B2A2DB31ED05DB92

Function 0054F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0054F7B9
SysAllocString.OLEAUT32(00000001), ref: 0054F860
VariantCopy.OLEAUT32(0054FA64,00000000), ref: 0054F889
VariantClear.OLEAUT32(0054FA64), ref: 0054F8AD
VariantCopy.OLEAUT32(0054FA64,00000000), ref: 0054F8B1
VariantClear.OLEAUT32(?), ref: 0054F8BB

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: fc307f06b8517bbb1cdb42cde1bc0ebc3917302b7c0d0fce7a7b54d04df33d79
Instruction ID: 8992eaee210485d61d0f3faec98c3d22d722b4e290d84537ede89ded14eb7014
Opcode Fuzzy Hash: fc307f06b8517bbb1cdb42cde1bc0ebc3917302b7c0d0fce7a7b54d04df33d79
Instruction Fuzzy Hash: ED51EA31A00311BACF24AF69D895BB9BBA4FF85318F145867E905DF291D7748C40C7A6

Function 0056910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 004F7620: _wcslen.LIBCMT ref: 004F7625

Part of subcall function 004F6B57: _wcslen.LIBCMT ref: 004F6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 005694E5
_wcslen.LIBCMT ref: 00569506
_wcslen.LIBCMT ref: 0056952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00569585

Strings

X, xrefs: 00569412

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 1bbe70b6d9a31fa64b8322f9a5a8c4033bde57da4a81478522ec496b6de706e5
Instruction ID: 9bd1d210f22fee874e9a2ada4d1951cb8f26fc20652b2ab841e23469133d342b
Opcode Fuzzy Hash: 1bbe70b6d9a31fa64b8322f9a5a8c4033bde57da4a81478522ec496b6de706e5
Instruction Fuzzy Hash: 23E1B131604341DFD724EF25C485A6ABBE4FF85318F04896DF9899B2A2DB34DD05CB92

Function 0050920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00509BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00509BB2

BeginPaint.USER32(?,?,?), ref: 00509241
GetWindowRect.USER32(?,?), ref: 005092A5
ScreenToClient.USER32(?,?), ref: 005092C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 005092D3
EndPaint.USER32(?,?,?,?,?), ref: 00509321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 005471EA

Part of subcall function 00509339: BeginPath.GDI32(00000000), ref: 00509357

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 9828885408a05f3f1fe63bd79c00f62e3230c4021dcf80c4041fee6bfb9d87bb
Instruction ID: 312c4b34ef24f1227f7115fee108c68535016a792fffa24513f16abebf38a108
Opcode Fuzzy Hash: 9828885408a05f3f1fe63bd79c00f62e3230c4021dcf80c4041fee6bfb9d87bb
Instruction Fuzzy Hash: 84419D70104701AFD721DF24CC88FAA7FB8FB9A324F140629F994972E2C7719849EB61

Function 005607EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0056080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00560847
EnterCriticalSection.KERNEL32(?), ref: 00560863
LeaveCriticalSection.KERNEL32(?), ref: 005608DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 005608F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00560921

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: fb0788ac8d16a3f7cb62c88620b1fa42b300eeebd6373d8b2c067704cd45457e
Instruction ID: 378923174b4d61bf996b3d35f13f9978c979f59d55484d8d8da663c35a3dac02
Opcode Fuzzy Hash: fb0788ac8d16a3f7cb62c88620b1fa42b300eeebd6373d8b2c067704cd45457e
Instruction Fuzzy Hash: B7414871900205EBDF14EF54DC89AAA7BB9FF44310F1440A9ED01AB297DB30EE65DBA0

Function 005881DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0054F3AB,00000000,?,?,00000000,?,0054682C,00000004,00000000,00000000), ref: 0058824C
EnableWindow.USER32(?,00000000), ref: 00588272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 005882D1
ShowWindow.USER32(?,00000004), ref: 005882E5
EnableWindow.USER32(?,00000001), ref: 0058830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0058832F

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: ebd046c00fe98e1c8751b07573bdce898518f679a789db216f157131c89f1605
Instruction ID: c183bea16e00793ce0deb0960ad7ddc5aa98bfef3d0ec6672b406db4f3f80278
Opcode Fuzzy Hash: ebd046c00fe98e1c8751b07573bdce898518f679a789db216f157131c89f1605
Instruction Fuzzy Hash: 8641C438601A40AFDB22EF15CC99FB47FE0FB16714F581168ED09AF262CB31A845DB50

Function 00554C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00554C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00554CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00554CEA
_wcslen.LIBCMT ref: 00554D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00554D10
_wcsstr.LIBVCRUNTIME ref: 00554D1A

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 66bb65fdd81867cddeb061f6d397beef1a1c2a9424a433cb775906f91c273fed
Instruction ID: ce317a7af72ba3367614fc80029eb14353b3357d2feb817457db9e3f1eeba64f
Opcode Fuzzy Hash: 66bb65fdd81867cddeb061f6d397beef1a1c2a9424a433cb775906f91c273fed
Instruction Fuzzy Hash: 4721C531204201BBEB259B2ADC59A7F7FACEF85755F10403AFC05DE191EA61DC849BA0

Function 0056581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 004F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004F3A97,?,?,004F2E7F,?,?,?,00000000), ref: 004F3AC2

_wcslen.LIBCMT ref: 0056587B
CoInitialize.OLE32(00000000), ref: 00565995
CoCreateInstance.OLE32(0058FCF8,00000000,00000001,0058FB68,?), ref: 005659AE
CoUninitialize.OLE32 ref: 005659CC

Strings

.lnk, xrefs: 00565876, 005658C1, 00565985

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 59b4619d8681e0253cc16639c290c67bd5661dee837c4cac6352fb89a08926f8
Instruction ID: aeb4f912193719970a418a25468c99204a6ce384d741fdaa7193d51aadb335a0
Opcode Fuzzy Hash: 59b4619d8681e0253cc16639c290c67bd5661dee837c4cac6352fb89a08926f8
Instruction Fuzzy Hash: CCD172706087059FC714DF25C480A2ABBE5FF89718F14885EF98A9B361EB35EC45CB92

Function 0055175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00550FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00550FCA
Part of subcall function 00550FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00550FD6
Part of subcall function 00550FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00550FE5
Part of subcall function 00550FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00550FEC
Part of subcall function 00550FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00551002

GetLengthSid.ADVAPI32(?,00000000,00551335), ref: 005517AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 005517BA
HeapAlloc.KERNEL32(00000000), ref: 005517C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 005517DA
GetProcessHeap.KERNEL32(00000000,00000000,00551335), ref: 005517EE
HeapFree.KERNEL32(00000000), ref: 005517F5

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 26efad846c63e57738e42b6c6e2a8dca805a66b83ac37db0791ba3be3980190e
Instruction ID: 3d40541e99c97819995c6280f5d12f6db01f643f1ac2543b25646bbb1c795d2a
Opcode Fuzzy Hash: 26efad846c63e57738e42b6c6e2a8dca805a66b83ac37db0791ba3be3980190e
Instruction Fuzzy Hash: 6F11BE31520A05FFDB149FA8CC99BAE7FA9FF49356F10411AFC41A7210C735A948DB68

Function 005514CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 005514FF
OpenProcessToken.ADVAPI32(00000000), ref: 00551506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00551515
CloseHandle.KERNEL32(00000004), ref: 00551520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0055154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00551563

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 65d91191d709f816eb544c816931edba903f3d824f59a08f176c42ca4d2b903b
Instruction ID: 016a3142e12504b8ac31d17696d8cfcc22efb78182001d0e2a2f77118b122c66
Opcode Fuzzy Hash: 65d91191d709f816eb544c816931edba903f3d824f59a08f176c42ca4d2b903b
Instruction Fuzzy Hash: 10116472100209EBDF118FA8ED09FDE3FA9FB48749F044029FE05A2060D3758E68EB64

Function 00513382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00513379,00512FE5), ref: 00513390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0051339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 005133B7
SetLastError.KERNEL32(00000000,?,00513379,00512FE5), ref: 00513409

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 26dce32845c01c5c214d8e1fc7688b66b66c8901c97fe937decd70acd1ac0ad8
Instruction ID: a0a8070b6fc4b5b235475cdc924311636a741493aa95cee7a5bd23387908aa37
Opcode Fuzzy Hash: 26dce32845c01c5c214d8e1fc7688b66b66c8901c97fe937decd70acd1ac0ad8
Instruction Fuzzy Hash: 87012832308312BEBB143B747CED5DB2E54FB653757200729F420841F0EF516D8AA558

Function 00522D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00525686,00533CD6,?,00000000,?,00525B6A,?,?,?,?,?,0051E6D1,?,005B8A48), ref: 00522D78
_free.LIBCMT ref: 00522DAB
_free.LIBCMT ref: 00522DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0051E6D1,?,005B8A48,00000010,004F4F4A,?,?,00000000,00533CD6), ref: 00522DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0051E6D1,?,005B8A48,00000010,004F4F4A,?,?,00000000,00533CD6), ref: 00522DEC
_abort.LIBCMT ref: 00522DF2

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: a92bed2dc33b1d0feda63cba443cc0d394d6664814cfd7b365d309eb12d61e35
Instruction ID: e72b77b95c639c52d74d0568bcc8b4ea1226be1d6ee567c3cabd2e925fe91288
Opcode Fuzzy Hash: a92bed2dc33b1d0feda63cba443cc0d394d6664814cfd7b365d309eb12d61e35
Instruction Fuzzy Hash: C8F0C83E50463277C3122738BC0EE5B2E59BFD37A1F240928F829E21D2EE3498475270

Function 005551FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00555218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00555229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00555230
ReleaseDC.USER32(00000000,00000000), ref: 00555238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0055524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00555261

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: b0fffd8cdfed8e7b577af2c33f83dd6ca26c4f552ca8283a61674fe2a022ceb9
Instruction ID: 62553dab48c5bcb0c8e40e46543be15a8df5c3cc0d58a37de8bb559c3bb5eb27
Opcode Fuzzy Hash: b0fffd8cdfed8e7b577af2c33f83dd6ca26c4f552ca8283a61674fe2a022ceb9
Instruction Fuzzy Hash: 1A014475A00715BBEB109BB69C49A5EBF78FF54751F044065FE04E7281D6709808DB60

Function 00588A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00509639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00509693
Part of subcall function 00509639: SelectObject.GDI32(?,00000000), ref: 005096A2
Part of subcall function 00509639: BeginPath.GDI32(?), ref: 005096B9
Part of subcall function 00509639: SelectObject.GDI32(?,00000000), ref: 005096E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00588A4E
LineTo.GDI32(?,00000003,00000000), ref: 00588A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00588A70
LineTo.GDI32(?,00000000,00000003), ref: 00588A80
EndPath.GDI32(?), ref: 00588A90
StrokePath.GDI32(?), ref: 00588AA0

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 7236b957968a242e844475576cb8bb253c50305a3246931b9a6815ac9a88afbe
Instruction ID: 9547a88ca9545652a6a237982ff1f3a00f2481d6423c9a792215f60bd680a802
Opcode Fuzzy Hash: 7236b957968a242e844475576cb8bb253c50305a3246931b9a6815ac9a88afbe
Instruction Fuzzy Hash: A5110976000109FFDB129F90DC88EAA7F6DEB19390F008052BE19AA1A1C7719D59EBA0

Function 004F1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 004F1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 004F1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 004F1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 004F1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 004F1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 004F1C22

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 2c022750fd6d047b42c91e1885be1b88a31f28640a1a03b022cad67b80377421
Instruction ID: 0108bba8de721f999fc51ef1c4afd3888e957bfd08d65140bbe2fc876ca1a7bf
Opcode Fuzzy Hash: 2c022750fd6d047b42c91e1885be1b88a31f28640a1a03b022cad67b80377421
Instruction Fuzzy Hash: 45016CB09027597DE3008F5A8C85B52FFA8FF19354F00411B915C4B941C7F5A868CBE5

Function 0055EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0055EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0055EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0055EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0055EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0055EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0055EB75

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 6b58f84c9dc21935ea9d302ef6dbbb374195e7f02cf1ecc05a5380cf1fbbc918
Instruction ID: 7f565e3adc753139f8a0d5234090b01b07d85dcaea5d04c03637deee55234a8b
Opcode Fuzzy Hash: 6b58f84c9dc21935ea9d302ef6dbbb374195e7f02cf1ecc05a5380cf1fbbc918
Instruction Fuzzy Hash: 5DF06D72100118BBE62057529C0EEAB3E7CEBDAB11F001168FA01E1091E7B01A09E7B4

Function 00551874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0055187F
UnloadUserProfile.USERENV(?,?), ref: 0055188B
CloseHandle.KERNEL32(?), ref: 00551894
CloseHandle.KERNEL32(?), ref: 0055189C
GetProcessHeap.KERNEL32(00000000,?), ref: 005518A5
HeapFree.KERNEL32(00000000), ref: 005518AC

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 2929cc0a530001494e787ad6556978beca4daa7026292d275b633b144cf34893
Instruction ID: 21a86487d4250e4f4dd1b8d955ef9b7f416c6268cfc34b7755968c2997259cfc
Opcode Fuzzy Hash: 2929cc0a530001494e787ad6556978beca4daa7026292d275b633b144cf34893
Instruction Fuzzy Hash: 22E0E536004101BBDB015FA1ED0CD0ABF39FF69B22B109624FA25A1474CB329425FF60

Function 004FBBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004FBEB3

Strings

D%\D%\, xrefs: 004FBCA5
D%\, xrefs: 004FBDED, 004FBD91, 004FBD1B
D%\, xrefs: 004FBE9A
D%\, xrefs: 004FBCA2

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%\$D%\$D%\$D%\D%\
API String ID: 1385522511-524531416
Opcode ID: 6df645743af1e2ebe853b45ac12f16a8dde07a8e1e953b7b980b5787d9a26581
Instruction ID: 17efc7d9968bb4c20802f422eb2c5716171583a6fe28ac21402c0cc29c7c68f2
Opcode Fuzzy Hash: 6df645743af1e2ebe853b45ac12f16a8dde07a8e1e953b7b980b5787d9a26581
Instruction Fuzzy Hash: 64912875A0020ACFCB18CF58C090ABABBF1FF5A310F24816EDA55AB350D735A981DBD5

Function 00577B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00510242: EnterCriticalSection.KERNEL32(005C070C,005C1884,?,?,0050198B,005C2518,?,?,?,004F12F9,00000000), ref: 0051024D
Part of subcall function 00510242: LeaveCriticalSection.KERNEL32(005C070C,?,0050198B,005C2518,?,?,?,004F12F9,00000000), ref: 0051028A

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

Part of subcall function 005100A3: __onexit.LIBCMT ref: 005100A9

__Init_thread_footer.LIBCMT ref: 00577BFB

Part of subcall function 005101F8: EnterCriticalSection.KERNEL32(005C070C,?,?,00508747,005C2514), ref: 00510202
Part of subcall function 005101F8: LeaveCriticalSection.KERNEL32(005C070C,?,00508747,005C2514), ref: 00510235

Strings

Variable must be of type 'Object'., xrefs: 00577C3A
G, xrefs: 00577C7F
5, xrefs: 00577C78
+TT, xrefs: 00577E2E

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +TT$5$G$Variable must be of type 'Object'.
API String ID: 535116098-2382484226
Opcode ID: be0487ad1b31333ca58c11d192eb10ac517c20742c40513d1db1d3c17f3711f6
Instruction ID: b60833b321c9b855aa48b42e6b0201fdb109bd678d70d1280737402a86a10089
Opcode Fuzzy Hash: be0487ad1b31333ca58c11d192eb10ac517c20742c40513d1db1d3c17f3711f6
Instruction Fuzzy Hash: 32918C70A04209AFCB14EF94E895DBDBFB5FF48304F108459F81AAB291DB71AE41EB50

Function 0055C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004F7620: _wcslen.LIBCMT ref: 004F7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0055C6EE
_wcslen.LIBCMT ref: 0055C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0055C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0055C7CA

Strings

0, xrefs: 0055C6AF

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 2eda6f9101925a044ed7a433bfd1fc365d4c2ec8c21552d48cd112986c47d232
Instruction ID: 563edcc0210f8fcbc6b711e486bc313215267c35cb01d3c9e55a1390a7b2f563
Opcode Fuzzy Hash: 2eda6f9101925a044ed7a433bfd1fc365d4c2ec8c21552d48cd112986c47d232
Instruction Fuzzy Hash: 0551DE716243019FD7109E28C8A4B6ABFE8FB89315F040A2EFD95E3591DB74D908CB96

Function 0057AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0057AEA3

Part of subcall function 004F7620: _wcslen.LIBCMT ref: 004F7625

GetProcessId.KERNEL32(00000000), ref: 0057AF38
CloseHandle.KERNEL32(00000000), ref: 0057AF67

Strings

@, xrefs: 0057AE72
<, xrefs: 0057AE6B

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 7ad244bbc2e4b58c0effb3cfa451b9eba5664422dcabcf96ce1f2f153c7d14b1
Instruction ID: e09ec90fee08128e5e0ac5b499d0817ef5f9e5ed82f434668b44f53464e5785b
Opcode Fuzzy Hash: 7ad244bbc2e4b58c0effb3cfa451b9eba5664422dcabcf96ce1f2f153c7d14b1
Instruction Fuzzy Hash: 56718974A00219DFCB14DF55D484AAEBBF4FF48318F04849AE81AAB392C778ED45DB91

Function 0055719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00557206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0055723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0055724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 005572CF

Strings

DllGetClassObject, xrefs: 00557242

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 69fe0fe3d47617963285c108e5f849d665cb7f3f66f003f54022a8b6667d2f17
Instruction ID: b76126e1d642c7c76da98000d2b55dd3649e5973ace13e3edc723a0b21fe6dde
Opcode Fuzzy Hash: 69fe0fe3d47617963285c108e5f849d665cb7f3f66f003f54022a8b6667d2f17
Instruction Fuzzy Hash: D8419175604208EFDB15CF54D894A9A7FA9FF48311F2480AABD059F20AD7B0DA49DBA0

Function 00583D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00583E35
IsMenu.USER32(?), ref: 00583E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00583E92
DrawMenuBar.USER32 ref: 00583EA5

Strings

0, xrefs: 00583D89

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 6caeb8affc5f20ccbd0adbd76d864dc7f91cd61a2c812ed890b3f7764a1252eb
Instruction ID: 0cfbfc7c5bb2b041717d032b984a2f0fd44f06a19ebbf41661babdf01cc13289
Opcode Fuzzy Hash: 6caeb8affc5f20ccbd0adbd76d864dc7f91cd61a2c812ed890b3f7764a1252eb
Instruction Fuzzy Hash: 4B414575A01209AFDF10EF60D884EAABBB9FF59754F044129ED05AB250D730AE54DF60

Function 00551DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

Part of subcall function 00553CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00553CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00551E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00551E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00551EA9

Part of subcall function 004F6B57: _wcslen.LIBCMT ref: 004F6B6A

Strings

ComboBox, xrefs: 00551DF0
ListBox, xrefs: 00551E25

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 3f7ae57da4044d999e7b2920fc0b091e926161783b5e898553c8a9d4565dfbb3
Instruction ID: 149b7e478923e56ebcde8551b402162c3b1300b938647e93ab05e061aeea9f5d
Opcode Fuzzy Hash: 3f7ae57da4044d999e7b2920fc0b091e926161783b5e898553c8a9d4565dfbb3
Instruction Fuzzy Hash: 77210471A00108AADB14AB65CC56EFFBFADBF41394B14412EFC25A72E0DB384D0D9624

Function 00582F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00582F8D
LoadLibraryW.KERNEL32(?), ref: 00582F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00582FA9
DestroyWindow.USER32(?), ref: 00582FB1

Strings

SysAnimate32, xrefs: 00582F68

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: c5a9df02fe4c9887fc2e10e012473548c6ccd1c11cb4537729a59cbdfc0fb73a
Instruction ID: f9b708de27533462a715b01a900cba4b72a7ee68ec29a4f00bbaeb153f0766cb
Opcode Fuzzy Hash: c5a9df02fe4c9887fc2e10e012473548c6ccd1c11cb4537729a59cbdfc0fb73a
Instruction Fuzzy Hash: 43218871204209ABEB106F649C86EBB3FB9FF59368F100628FE50E6190D671DC51EB60

Function 00514D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00514D1E,005228E9,?,00514CBE,005228E9,005B88B8,0000000C,00514E15,005228E9,00000002), ref: 00514D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00514DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00514D1E,005228E9,?,00514CBE,005228E9,005B88B8,0000000C,00514E15,005228E9,00000002,00000000), ref: 00514DC3

Strings

CorExitProcess, xrefs: 00514D98
mscoree.dll, xrefs: 00514D86

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 3dbe3f3354e3da9a1ddad49dcce0e5a2888249cf655f858f6f04f44ea3811917
Instruction ID: 8e8f1154d2e48608115675e70f31cca0662a86be3c0858602a2d33e4f99b4d46
Opcode Fuzzy Hash: 3dbe3f3354e3da9a1ddad49dcce0e5a2888249cf655f858f6f04f44ea3811917
Instruction Fuzzy Hash: 88F03C35A40208ABEB119B90EC49BEDBFA5FF54752F0011A8B905A62A0CB705989DFA1

Function 004F4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,004F4EDD,?,005C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004F4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 004F4EAE
FreeLibrary.KERNEL32(00000000,?,?,004F4EDD,?,005C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004F4EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 004F4EA8
kernel32.dll, xrefs: 004F4E94

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: c0149ec74392b65d10fcac10dad7d4b1e71d0ca77d541319dc7379a9cda12280
Instruction ID: f690807cf26a7227823f3a3772cbac17e437c4bf32ccffed9ee5a9ed4952a67c
Opcode Fuzzy Hash: c0149ec74392b65d10fcac10dad7d4b1e71d0ca77d541319dc7379a9cda12280
Instruction Fuzzy Hash: 93E04636A02A225BD3221B25AC5CA6B6A58AFD2B63B050116AE00F2340DF788909D2B4

Function 004F4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00533CDE,?,005C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004F4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 004F4E74
FreeLibrary.KERNEL32(00000000,?,?,00533CDE,?,005C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004F4E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 004F4E6E
kernel32.dll, xrefs: 004F4E5B

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 193d2fcfa3e63118cc0d87c4e4df39112ef6a967635902c407ca950f88783e71
Instruction ID: 9a14434c4a2f7c895d8af7114585d2a0d1f6869e0c4647cd371256f5c67256ee
Opcode Fuzzy Hash: 193d2fcfa3e63118cc0d87c4e4df39112ef6a967635902c407ca950f88783e71
Instruction Fuzzy Hash: 1DD0C231602A215787321B247C0CE9B2E18BFC1F213450212BE00B6210CF38CD09D7F4

Function 00562947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00562C05
DeleteFileW.KERNEL32(?), ref: 00562C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00562C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00562CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00562CC0

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 9cb474af770565f52ea64081efa2def7e7570455d07fc340f22c66cf7cdcf394
Instruction ID: 429e785b9e7b309311a6d5dc76f251f53ffe9cc49ee2de37fd634faccdb4d44c
Opcode Fuzzy Hash: 9cb474af770565f52ea64081efa2def7e7570455d07fc340f22c66cf7cdcf394
Instruction Fuzzy Hash: 38B14E7190051EABDF21DBA4CC89EEEBBBDFF48354F1040A6F609E7151EA349A448F61

Function 0057A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0057A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0057A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0057A468
CloseHandle.KERNEL32(?), ref: 0057A63D

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 4570cc7dda3fec6bc2ace8cf07c660dde2d937d1d292876c966c4e790ebfab91
Instruction ID: 0d4944b50a5568cb5a6bfd4d31eafcc35c6dfcf3c98c6704e5a920cebf720cbc
Opcode Fuzzy Hash: 4570cc7dda3fec6bc2ace8cf07c660dde2d937d1d292876c966c4e790ebfab91
Instruction Fuzzy Hash: D0A1B171604301AFDB20DF24D886F2ABBE5BF84714F14881DF95A9B2D2D7B4EC418B96

Function 0055E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0055DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0055CF22,?), ref: 0055DDFD

Part of subcall function 0055DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0055CF22,?), ref: 0055DE16

Part of subcall function 0055E199: GetFileAttributesW.KERNEL32(?,0055CF95), ref: 0055E19A

lstrcmpiW.KERNEL32(?,?), ref: 0055E473
MoveFileW.KERNEL32(?,?), ref: 0055E4AC
_wcslen.LIBCMT ref: 0055E5EB
_wcslen.LIBCMT ref: 0055E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0055E650

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 64d8708f370c298b5739c7c93a00afe2a9ecdb88580ae3d2a67e41f0eb712b80
Instruction ID: 42d21bce0d76f36e74f3739dc1e954d0323b059d66057c5d1060a37aec2c96ac
Opcode Fuzzy Hash: 64d8708f370c298b5739c7c93a00afe2a9ecdb88580ae3d2a67e41f0eb712b80
Instruction Fuzzy Hash: 4D5170B24083459BDB28EB90D8959DB7BECAF84341F00091FFA89D3151EF35A68C8766

Function 0057B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

Part of subcall function 0057C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0057B6AE,?,?), ref: 0057C9B5
Part of subcall function 0057C998: _wcslen.LIBCMT ref: 0057C9F1
Part of subcall function 0057C998: _wcslen.LIBCMT ref: 0057CA68
Part of subcall function 0057C998: _wcslen.LIBCMT ref: 0057CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0057BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0057BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0057BB63
RegCloseKey.ADVAPI32(?,?), ref: 0057BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0057BBB3

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 636e723bc0ca054fb11cf29ed6325cde1cfeeb1005eff7407c72918d251f66ea
Instruction ID: 4edd9fbec5908848d42e7f14501ac65a2aaa0f962e980790c8e959e2c1d62f1f
Opcode Fuzzy Hash: 636e723bc0ca054fb11cf29ed6325cde1cfeeb1005eff7407c72918d251f66ea
Instruction Fuzzy Hash: 9361CC70208241AFD314EF24D494F2ABBE5FF84348F14896DF4998B2A2CB31ED45DB92

Function 00558BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00558BCD
VariantClear.OLEAUT32 ref: 00558C3E
VariantClear.OLEAUT32 ref: 00558C9D
VariantClear.OLEAUT32(?), ref: 00558D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00558D3B

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: e126fc76770e39e5c252c45162991b644df177a277c0d28b8e1cf4a5361a120b
Instruction ID: 26ce9d003480703850f1c8356541e43182678f485165bd823a4f86d2b548dd30
Opcode Fuzzy Hash: e126fc76770e39e5c252c45162991b644df177a277c0d28b8e1cf4a5361a120b
Instruction Fuzzy Hash: 61515C75A00219DFCB14CF58C894AAABBF5FF89311B15855AED05EB350E730E915CF90

Function 00568AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00568BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00568BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00568C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00568C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00568C5F

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 4dd93667766f9c0c3e786b4aa36a5707441753cb6e75a7d5999ac1989fca49a5
Instruction ID: 477fc86e2db75fafc40318e5588a4043989118aa0b06d528dedb868f1b0999cc
Opcode Fuzzy Hash: 4dd93667766f9c0c3e786b4aa36a5707441753cb6e75a7d5999ac1989fca49a5
Instruction Fuzzy Hash: 7F515E35A00219AFDB10DF65C880E6DBBF5FF48318F088459E949AB3A2CB35ED45DB90

Function 00578EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00578F40
GetProcAddress.KERNEL32(00000000,?), ref: 00578FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00578FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00579032
FreeLibrary.KERNEL32(00000000), ref: 00579052

Part of subcall function 0050F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00561043,?,753CE610), ref: 0050F6E6
Part of subcall function 0050F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0054FA64,00000000,00000000,?,?,00561043,?,753CE610,?,0054FA64), ref: 0050F70D

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 302da5569da81dc623c0974684cdcf7fc2a3621a1e2f0dd5b1f41fd61c3f8e03
Instruction ID: 71a1ca250450c34929f054c37151a61a8cec3e4d48caecc1b24f4a05a55a754f
Opcode Fuzzy Hash: 302da5569da81dc623c0974684cdcf7fc2a3621a1e2f0dd5b1f41fd61c3f8e03
Instruction Fuzzy Hash: EC513934600205DFCB11DF59D4989ADBFB1FF49358B048099E90AAB362DB35ED85DB90

Function 00586B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00586C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00586C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00586C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0056AB79,00000000,00000000), ref: 00586C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00586CC7

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 6984522041f6db56d2cbf398ec3a2e81877277532741cff8644336651c57f527
Instruction ID: 30808ce010c0f33b9125a5735e965253125879a34523c27a913fe1e332e2badc
Opcode Fuzzy Hash: 6984522041f6db56d2cbf398ec3a2e81877277532741cff8644336651c57f527
Instruction Fuzzy Hash: 3941AD35A04104AFDB24EF28CC58FA97FA5FB09360F140628EC99BB2A0C371ED41DB50

Function 00522051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005220C3
_free.LIBCMT ref: 005220E3

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: a2a8c313701d4dd797082f499640ab7e0bcd8984138f543abb3326eda9cc149a
Instruction ID: f4781d595fa8fc89f164460b4941c9345e4d6d6b73dd781d4daaea7e9faa1559
Opcode Fuzzy Hash: a2a8c313701d4dd797082f499640ab7e0bcd8984138f543abb3326eda9cc149a
Instruction Fuzzy Hash: CF41D23AA00214AFDB24DF78D885A5DBBA5FF8A314F154568E615EB391DB31AD01CB80

Function 0050912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00509141
ScreenToClient.USER32(00000000,?), ref: 0050915E
GetAsyncKeyState.USER32(00000001), ref: 00509183
GetAsyncKeyState.USER32(00000002), ref: 0050919D

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 51e8be190fc1990ddc89e3ac8e07527eaf4fc79e3fe34a6ce6a412d7041e7ec6
Instruction ID: 2f35a03a06683654078966e83e2f939d95ea87ac7a514596f36af43defc554d8
Opcode Fuzzy Hash: 51e8be190fc1990ddc89e3ac8e07527eaf4fc79e3fe34a6ce6a412d7041e7ec6
Instruction Fuzzy Hash: D0415C71A0860BBBDF159F64C848BEEBF74FF49324F208219E829A62D5C7306954DB91

Function 00563874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 005638CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00563922
TranslateMessage.USER32(?), ref: 0056394B
DispatchMessageW.USER32(?), ref: 00563955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00563966

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: c0ea7a74d075069cef0dc2ed41d89bfa861765ffa7ed355694edf96ad42e74a5
Instruction ID: 68bf4082ccd283e59088f9ba99942beb67c4fc914019c57b5fb0c95ea3d73d3b
Opcode Fuzzy Hash: c0ea7a74d075069cef0dc2ed41d89bfa861765ffa7ed355694edf96ad42e74a5
Instruction Fuzzy Hash: 49318670504B429EEB35CF34D849FB63FA8FB26304F14096DE452931A1E7B49A89DF25

Function 00551901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00551915
PostMessageW.USER32(00000001,00000201,00000001), ref: 005519C1
Sleep.KERNEL32(00000000,?,?,?), ref: 005519C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 005519DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 005519E2

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: dcdd52c3bead9f19e13a0f033d6f278c565dfd9854448cefda15aae1489c8b70
Instruction ID: 0afe55da1736b3f2618e5a6e461c9c7b35318191e0ce691b12caabcc9db06ce3
Opcode Fuzzy Hash: dcdd52c3bead9f19e13a0f033d6f278c565dfd9854448cefda15aae1489c8b70
Instruction Fuzzy Hash: 68319E71A00219EFCB00CFA8C9A9B9E7FB5FB54315F10422AFD21AB2D1C7709948DB90

Function 0056CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0056C21E,00000000), ref: 0056CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0056CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0056C21E,00000000), ref: 0056CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0056C21E,00000000), ref: 0056CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0056C21E,00000000), ref: 0056CFF2

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: b2b305b4783447a73d6bc6a5731ca975805e927320ec6394f29d378cfc338b84
Instruction ID: a3c3e3736d196e2cb22d37e4d98ceaf3b2d72fd6f11cd0efd7d1104fcfc96876
Opcode Fuzzy Hash: b2b305b4783447a73d6bc6a5731ca975805e927320ec6394f29d378cfc338b84
Instruction Fuzzy Hash: B8314B71600206EFDB20DFA5D8889BBBFF9FB54354B10442EF556E3241DB30AE459B60

Function 00570930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00570951
GetForegroundWindow.USER32 ref: 00570968
GetDC.USER32(00000000), ref: 005709A4
GetPixel.GDI32(00000000,?,00000003), ref: 005709B0
ReleaseDC.USER32(00000000,00000003), ref: 005709E8

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 611e2b847e00976160a8b5fdb50c684a6275260868f6f32dbb44374ff15f09da
Instruction ID: 05dee59f52bd6391c9b355af96a6d51d57df055b0b79ba976afef32de0fab01d
Opcode Fuzzy Hash: 611e2b847e00976160a8b5fdb50c684a6275260868f6f32dbb44374ff15f09da
Instruction Fuzzy Hash: 0A216F35600204AFD704EF69D989AAEBFE9FF44744F04846DE94AA7352DB34EC04DBA0

Function 0052CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0052CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0052CDE9

Part of subcall function 00523820: RtlAllocateHeap.NTDLL(00000000,?,005C1444,?,0050FDF5,?,?,004FA976,00000010,005C1440,004F13FC,?,004F13C6,?,004F1129), ref: 00523852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0052CE0F
_free.LIBCMT ref: 0052CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0052CE31

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 84b5979bb748b308159142f0e9b6c34910f250f83c5ae5c9a1532d1c22e20eac
Instruction ID: c2bc17351f399ea153f88ef2a3da253a5ab2eff20b79b509e8d2a8365f1d603d
Opcode Fuzzy Hash: 84b5979bb748b308159142f0e9b6c34910f250f83c5ae5c9a1532d1c22e20eac
Instruction Fuzzy Hash: D00171726026257F232216B67C8CD7F6D6DFEC7BA13160129FD05D7282EA618D0292B1

Function 00509639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00509693
SelectObject.GDI32(?,00000000), ref: 005096A2
BeginPath.GDI32(?), ref: 005096B9
SelectObject.GDI32(?,00000000), ref: 005096E2

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: d5e0b9fb64b79f1affe53c2cf826b1d974f73fa09b92df0b83950c58ef9cb0c9
Instruction ID: 231c686cba4ba4845116f9d5952e632df4777b305d82ca84f5cbcf3aaea1edd9
Opcode Fuzzy Hash: d5e0b9fb64b79f1affe53c2cf826b1d974f73fa09b92df0b83950c58ef9cb0c9
Instruction Fuzzy Hash: 9C217170801B09EFDB119F64EC08BAD3FB4BB61755F100215F811A71E6D3719859EB98

Function 00555711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00555726
_memcmp.LIBVCRUNTIME ref: 00555744
_memcmp.LIBVCRUNTIME ref: 00555757
_memcmp.LIBVCRUNTIME ref: 0055576F
_memcmp.LIBVCRUNTIME ref: 00555787

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 2cc3f02c4fdae2c561e510510b075cef5fa72baab72a14ff1d45b7cc738574a3
Instruction ID: 83f66314ef1f3781c7ee3c7db95d920a5e93d553dd51a06292bc6e261a8e9c0a
Opcode Fuzzy Hash: 2cc3f02c4fdae2c561e510510b075cef5fa72baab72a14ff1d45b7cc738574a3
Instruction Fuzzy Hash: 8001F961251A09BBE20861119D72FFB7F5CFB683D6F100422FE05AA241F720EE5483A4

Function 00522DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0051F2DE,00523863,005C1444,?,0050FDF5,?,?,004FA976,00000010,005C1440,004F13FC,?,004F13C6), ref: 00522DFD
_free.LIBCMT ref: 00522E32
_free.LIBCMT ref: 00522E59
SetLastError.KERNEL32(00000000,004F1129), ref: 00522E66
SetLastError.KERNEL32(00000000,004F1129), ref: 00522E6F

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 38db5272b1a93979a5512a470a485ccb936f926015f106e9aebe0e9d4c62717e
Instruction ID: 02ec73fc5d1332297306b8ee470aef436bb893bb9e0b778f5f08cbf6d6054110
Opcode Fuzzy Hash: 38db5272b1a93979a5512a470a485ccb936f926015f106e9aebe0e9d4c62717e
Instruction Fuzzy Hash: 2B01D13E205621BB861227787C4AD3B2E5DBFE73A1F224928F825A21D2EE748C056120

Function 0055000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0054FF41,80070057,?,?,?,0055035E), ref: 0055002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0054FF41,80070057,?,?), ref: 00550046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0054FF41,80070057,?,?), ref: 00550054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0054FF41,80070057,?), ref: 00550064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0054FF41,80070057,?,?), ref: 00550070

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 41a83b1a1a3158aa04227c76a2956a14f8629e42c1f85aba4b6ce6886bff8a6a
Instruction ID: d9b53a5fa9ee7ddf9c5f928cc394796dcdae82dd35ad3c4b96821c16a5ab9814
Opcode Fuzzy Hash: 41a83b1a1a3158aa04227c76a2956a14f8629e42c1f85aba4b6ce6886bff8a6a
Instruction Fuzzy Hash: C2018F72600204BFDB104F69DC08BAA7EADFB44752F546125FD05E22A0D771DD48ABA0

Function 0055E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0055E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0055E9A5
Sleep.KERNEL32(00000000), ref: 0055E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0055E9B7
Sleep.KERNEL32 ref: 0055E9F3

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: b88d9c85624ef431dfd0335e984c40ddd38912ae5f171a37762fb5b39ab0635f
Instruction ID: 04bd6edc157cde6116a4bdcee8c13953b7344567f8c6edd425b3cc92676cc77c
Opcode Fuzzy Hash: b88d9c85624ef431dfd0335e984c40ddd38912ae5f171a37762fb5b39ab0635f
Instruction Fuzzy Hash: 1B015731C01629DBCF04ABE4D8AEAEDBF78BB19302F000546E912B2241DB309658DBA1

Function 005510F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00551114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00550B9B,?,?,?), ref: 00551120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00550B9B,?,?,?), ref: 0055112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00550B9B,?,?,?), ref: 00551136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0055114D

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: b5db23affd37ea1193ac919f1dddf6ba48911c9327bc1710e57a70590e2de36a
Instruction ID: 5b2725359efb55ab53947f88874cb069b1ee316aaa74f588aa953cc7fec72183
Opcode Fuzzy Hash: b5db23affd37ea1193ac919f1dddf6ba48911c9327bc1710e57a70590e2de36a
Instruction Fuzzy Hash: 5B014675200605AFDB114BA4EC89A6A3F6EEF893A1B210459FE41E2260DB31DC04EB70

Function 00551014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0055102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00551036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00551045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0055104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00551062

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 4b8e13848fdb19141faacec7786e2a7f1de7c281878ef122da1f26233ca14b28
Instruction ID: 5773515caa62e809d2da9054621dceb4f1d119d9dc93fb7bdfd0ea5bdb50c81a
Opcode Fuzzy Hash: 4b8e13848fdb19141faacec7786e2a7f1de7c281878ef122da1f26233ca14b28
Instruction Fuzzy Hash: 54F03735200711EBDB215FA6EC9DF5A3FADFF99662F200415FE45AA2A0CA70D8449B70

Function 0056030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0056017D,?,005632FC,?,00000001,00532592,?), ref: 00560324
CloseHandle.KERNEL32(?,?,?,?,0056017D,?,005632FC,?,00000001,00532592,?), ref: 00560331
CloseHandle.KERNEL32(?,?,?,?,0056017D,?,005632FC,?,00000001,00532592,?), ref: 0056033E
CloseHandle.KERNEL32(?,?,?,?,0056017D,?,005632FC,?,00000001,00532592,?), ref: 0056034B
CloseHandle.KERNEL32(?,?,?,?,0056017D,?,005632FC,?,00000001,00532592,?), ref: 00560358
CloseHandle.KERNEL32(?,?,?,?,0056017D,?,005632FC,?,00000001,00532592,?), ref: 00560365

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: fbc15be1e9ee5505ed70a464ce56c79526ba6c59d1fbffcfdbd477edad50e6c5
Instruction ID: 9157d27f7e4dbd0bbd68af61d6ce7f3e1817db4d7f0669fd80b972a19ebf4e88
Opcode Fuzzy Hash: fbc15be1e9ee5505ed70a464ce56c79526ba6c59d1fbffcfdbd477edad50e6c5
Instruction Fuzzy Hash: 0101DC72900B118FCB30AF66D880803FBF9BE602063049E3ED19252A70C3B0A988DF80

Function 0052D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0052D752

Part of subcall function 005229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0052D7D1,00000000,00000000,00000000,00000000,?,0052D7F8,00000000,00000007,00000000,?,0052DBF5,00000000), ref: 005229DE
Part of subcall function 005229C8: GetLastError.KERNEL32(00000000,?,0052D7D1,00000000,00000000,00000000,00000000,?,0052D7F8,00000000,00000007,00000000,?,0052DBF5,00000000,00000000), ref: 005229F0

_free.LIBCMT ref: 0052D764
_free.LIBCMT ref: 0052D776
_free.LIBCMT ref: 0052D788
_free.LIBCMT ref: 0052D79A

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a1e88271189b3584d8f16097a959608470c007d38ba735cace81bd5f62ddf1b4
Instruction ID: 37288e8e8b338178870eebea87e7eccfea11a61d0c48984fafa14317ee63cafa
Opcode Fuzzy Hash: a1e88271189b3584d8f16097a959608470c007d38ba735cace81bd5f62ddf1b4
Instruction Fuzzy Hash: D0F03C32504625AB8661EB64F9C5D167FEDFF4A310BA80C05F049D7582C728FCC08674

Function 00555C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00555C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00555C6F
MessageBeep.USER32(00000000), ref: 00555C87
KillTimer.USER32(?,0000040A), ref: 00555CA3
EndDialog.USER32(?,00000001), ref: 00555CBD

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: d0ec61a17feb230a8063301f0a93249d6333ec81ff96e7864a149fb5f5f7a0fa
Instruction ID: d364d5b26de1b84db588f2830b16cafc53d0dfd136d1c89cf1163a96eca241be
Opcode Fuzzy Hash: d0ec61a17feb230a8063301f0a93249d6333ec81ff96e7864a149fb5f5f7a0fa
Instruction Fuzzy Hash: 6B018B305007049BEB205B15DD6EFA57FB8BF10706F00156AA953B14E1E7F46D4C9B50

Function 005222A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 005222BE

Part of subcall function 005229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0052D7D1,00000000,00000000,00000000,00000000,?,0052D7F8,00000000,00000007,00000000,?,0052DBF5,00000000), ref: 005229DE
Part of subcall function 005229C8: GetLastError.KERNEL32(00000000,?,0052D7D1,00000000,00000000,00000000,00000000,?,0052D7F8,00000000,00000007,00000000,?,0052DBF5,00000000,00000000), ref: 005229F0

_free.LIBCMT ref: 005222D0
_free.LIBCMT ref: 005222E3
_free.LIBCMT ref: 005222F4
_free.LIBCMT ref: 00522305

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1cad38b2f35d1456ef4aaf90c06edf01498af6e67d65782b2c6d8721df60b5e9
Instruction ID: 991bb1a067fc17ad9979c32a9a8ad53962ae4240f4e0492523a9749bc4c1a63e
Opcode Fuzzy Hash: 1cad38b2f35d1456ef4aaf90c06edf01498af6e67d65782b2c6d8721df60b5e9
Instruction Fuzzy Hash: 61F01D7E800932AF8612AF54BC05C483F64FB3A751B41160AF418D22F2C73514D5BAA8

Function 005095C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 005095D4
StrokeAndFillPath.GDI32(?,?,005471F7,00000000,?,?,?), ref: 005095F0
SelectObject.GDI32(?,00000000), ref: 00509603
DeleteObject.GDI32 ref: 00509616
StrokePath.GDI32(?), ref: 00509631

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 4cf92d1122fbce94cbc6bf74944575d24676dcc19b78bac3be0156763d9d60f0
Instruction ID: 4f521d53bcd5723f6a2d97a6f9c515483fa6616c5982466dd4c240c1f900550d
Opcode Fuzzy Hash: 4cf92d1122fbce94cbc6bf74944575d24676dcc19b78bac3be0156763d9d60f0
Instruction Fuzzy Hash: 49F03C30005E08EFDB525F65ED1CB683F61BB22362F048214F825650F2C73189A9FF28

Function 00520F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 005210F9
__freea.LIBCMT ref: 00521117

Part of subcall function 00521537: _free.LIBCMT ref: 0052154F

Strings

a/p, xrefs: 005211DE
am/pm, xrefs: 0052117A

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: e42d355f466611826be57ef3bb4f10f0e7361a8ecb662a167520957b3a33c7da
Instruction ID: 5961793179dbf644691af7fe18d1e5abf505e9a6fc7ea462c5bd2795a3b77847
Opcode Fuzzy Hash: e42d355f466611826be57ef3bb4f10f0e7361a8ecb662a167520957b3a33c7da
Instruction Fuzzy Hash: 6DD1E335900A26DBDB24CF68E8896BBBFB2FF37310F240959E5019B6D0D2359D81CB59

Function 005761D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00510242: EnterCriticalSection.KERNEL32(005C070C,005C1884,?,?,0050198B,005C2518,?,?,?,004F12F9,00000000), ref: 0051024D
Part of subcall function 00510242: LeaveCriticalSection.KERNEL32(005C070C,?,0050198B,005C2518,?,?,?,004F12F9,00000000), ref: 0051028A

Part of subcall function 005100A3: __onexit.LIBCMT ref: 005100A9

__Init_thread_footer.LIBCMT ref: 00576238

Part of subcall function 005101F8: EnterCriticalSection.KERNEL32(005C070C,?,?,00508747,005C2514), ref: 00510202
Part of subcall function 005101F8: LeaveCriticalSection.KERNEL32(005C070C,?,00508747,005C2514), ref: 00510235

Part of subcall function 0056359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 005635E4
Part of subcall function 0056359C: LoadStringW.USER32(005C2390,?,00000FFF,?), ref: 0056360A

Strings

x#\, xrefs: 00576353
x#\, xrefs: 0057636F
x#\, xrefs: 0057633A

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#\$x#\$x#\
API String ID: 1072379062-1758250086
Opcode ID: a92c35333dc577c9445eae2ebd434046b473125935731f53da880e82fd94258c
Instruction ID: 13a5e13e8e00ca8249c6e7323a7b12d56b772d94d2acffe84785847ced4e330d
Opcode Fuzzy Hash: a92c35333dc577c9445eae2ebd434046b473125935731f53da880e82fd94258c
Instruction Fuzzy Hash: C7C19371A0050AAFCB14DF98D895EBEBBB9FF48300F148469F9099B291DB70ED45DB90

Function 00525AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JOO, xrefs: 00525BA8, 00525C6C

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID: JOO
API String ID: 0-332324559
Opcode ID: 3aa16df302615e315110e76043f0e083397f7a9caf1e75ff64c77b475fbf05ff
Instruction ID: 9e8eef30e6ca0bbc4c7287468706ea3a9acd8cdd8ae8bd90ff558789fc7797b1
Opcode Fuzzy Hash: 3aa16df302615e315110e76043f0e083397f7a9caf1e75ff64c77b475fbf05ff
Instruction Fuzzy Hash: 3F51CF75E0062AAFDB219FA4E849EEEBFB8BF86310F140419F405B72D1F6319D419B61

Function 00528A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00528B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00528B7A
__dosmaperr.LIBCMT ref: 00528B81

Strings

.Q, xrefs: 00528A63

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .Q
API String ID: 2434981716-3049930668
Opcode ID: d4604b0b6e571cd9d71ff27874684737e20028e9cfda745ca2464129824c2521
Instruction ID: bbd51590d99576c244dd911ebf38b6bc388bb0d8aa600dc96099afbdbed7be25
Opcode Fuzzy Hash: d4604b0b6e571cd9d71ff27874684737e20028e9cfda745ca2464129824c2521
Instruction Fuzzy Hash: A0418C70605065AFDB249FA4EC85A797FA5FF87310F2845ADF895876C2DE318C029790

Function 00552716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0055B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005521D0,?,?,00000034,00000800,?,00000034), ref: 0055B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00552760

Part of subcall function 0055B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005521FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0055B3F8

Part of subcall function 0055B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0055B355
Part of subcall function 0055B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00552194,00000034,?,?,00001004,00000000,00000000), ref: 0055B365
Part of subcall function 0055B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00552194,00000034,?,?,00001004,00000000,00000000), ref: 0055B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005527CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0055281A

Strings

@, xrefs: 00552832

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 4a5bd50673a57653d49ecd91eea445f71a45addba7effd94bb5a6ab129fb60ad
Instruction ID: ad670d302e20d11d122f9ff2c71dcbab102e7f0e51691a468baee6e6253a0940
Opcode Fuzzy Hash: 4a5bd50673a57653d49ecd91eea445f71a45addba7effd94bb5a6ab129fb60ad
Instruction Fuzzy Hash: C3413C72900219BFDB10DBA4CD95AEEBBB8FF49300F10405AFA55B7181DB706E49CBA1

Function 0052172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00521769
_free.LIBCMT ref: 00521834
_free.LIBCMT ref: 0052183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00521760, 00521767, 00521796, 005217CE

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: ce29cbd838ee322d1c55cc057d39282492a36cb593890da2e14aa1fa376f3a5d
Instruction ID: 34bed8f827c99fde71392f278419a59f0a1df15347474c743e19b01f9a304b9b
Opcode Fuzzy Hash: ce29cbd838ee322d1c55cc057d39282492a36cb593890da2e14aa1fa376f3a5d
Instruction Fuzzy Hash: B6319379A00A28AFDB11DB99A885D9FBFBCFFA6310F144166E40497251D6708A40D794

Function 0055C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0055C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0055C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,005C1990,00F3DB18), ref: 0055C395

Strings

0, xrefs: 0055C2DF

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: e09bf993125fea049a0706debf579507ee3b44efcfede3df11d1efa9ff6cb34e
Instruction ID: 45d32b930bfccaca9fdf10ee222f150f5d75d8d6156cf342c3e611a11620638d
Opcode Fuzzy Hash: e09bf993125fea049a0706debf579507ee3b44efcfede3df11d1efa9ff6cb34e
Instruction Fuzzy Hash: DF418E312043069FDB20DF25D894B6ABFE4BF85321F158A1EFDA597291D730A908CB62

Function 00584416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0058CC08,00000000,?,?,?,?), ref: 005844AA
GetWindowLongW.USER32 ref: 005844C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 005844D7

Strings

SysTreeView32, xrefs: 0058447C

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 30ae22fd57acff09e1404a3f8a6a927645671c2ac61542d39fa7db7db3594a7c
Instruction ID: 549f8127dc2d868a157377fce8241e639109597a97c8dc086060b9ddd9459e5e
Opcode Fuzzy Hash: 30ae22fd57acff09e1404a3f8a6a927645671c2ac61542d39fa7db7db3594a7c
Instruction Fuzzy Hash: 59317C31210606AFDF20AE78DC45BEA7BA9FB49324F204725FD75A21E1D770AC509B60

Function 00556E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00556EED
VariantCopyInd.OLEAUT32(?,?), ref: 00556F08
VariantClear.OLEAUT32(?), ref: 00556F12

Strings

*jU, xrefs: 00556E8B, 00556E90, 00556EF8

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jU
API String ID: 2173805711-1317551218
Opcode ID: 174df69d5a610740252549747dd97a0117b8f0ce579901fd4f3e100caecafec4
Instruction ID: 0b372dc8b13ddb610d7439a1ef58879432e545352e43ae7d554bb816539ef78a
Opcode Fuzzy Hash: 174df69d5a610740252549747dd97a0117b8f0ce579901fd4f3e100caecafec4
Instruction Fuzzy Hash: 3831C771A04289DFCB04AF65E8619BD3B76FF85305B50085EFD024B2B1C7349959DBE4

Function 0057304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0057335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00573077,?,?), ref: 00573378

inet_addr.WSOCK32(?), ref: 0057307A
_wcslen.LIBCMT ref: 0057309B
htons.WSOCK32(00000000), ref: 00573106

Strings

255.255.255.255, xrefs: 00573095, 0057309A

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: a7899dd2439de73536c7d4e952f25e5c4e6b4706991d36dec0f93656b2c48689
Instruction ID: 45467ca2f1274bd04d312d5f511df5c264b68714cd5ff066d602c96070597707
Opcode Fuzzy Hash: a7899dd2439de73536c7d4e952f25e5c4e6b4706991d36dec0f93656b2c48689
Instruction Fuzzy Hash: EF31D5396002059FC710DF29D489EA97FE0FF54328F64C459E9198B3A2D771EE45EB60

Function 00583EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00583F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00583F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00583F78

Strings

SysMonthCal32, xrefs: 00583F0B

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 4634cd9891a63332137164cfb5c822c9f083e3241e0740418eaad39f2af92e0d
Instruction ID: 58b357cb0a6eeb5b1111ce2cec81ea61e1f2a2728dec6fda2bf2703700c00075
Opcode Fuzzy Hash: 4634cd9891a63332137164cfb5c822c9f083e3241e0740418eaad39f2af92e0d
Instruction Fuzzy Hash: 6821CA32600219BBDF219E50CC46FEA3F79FF88B14F110214FE057B180DAB5A8548BA0

Function 00584653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00584705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00584713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0058471A

Strings

msctls_updown32, xrefs: 00584684

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 1399bc825b749d850578131b9fbcd129035f9aebcf892f413148de33f401434b
Instruction ID: d2f64de8b2cb16923bf58984bd300227055f23f126550e78f8e4ab8fa271b703
Opcode Fuzzy Hash: 1399bc825b749d850578131b9fbcd129035f9aebcf892f413148de33f401434b
Instruction Fuzzy Hash: F5217FB5600209AFDB10EF68DC85DB63BADFB9A358B000059FE01EB251DB30EC12DB60

Function 005595AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0055961D

Strings

#notrayicon, xrefs: 005595B7
#requireadmin, xrefs: 005595D9
#OnAutoItStartRegister, xrefs: 005595F3

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 241defd7392bbea98f7c0fb24c9d0c3cadb23a9ef697e983ba16aad9aa07bcfc
Instruction ID: bb8a85d611b72516d52c6710791793ecc63c19d1cc863ab633287d736b3821ef
Opcode Fuzzy Hash: 241defd7392bbea98f7c0fb24c9d0c3cadb23a9ef697e983ba16aad9aa07bcfc
Instruction Fuzzy Hash: 02214332204211A6E731AA24D826FBB7B98BFA4311F44442BFE4997081EB58AD9DC3D5

Function 005837B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00583840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00583850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00583876

Strings

Listbox, xrefs: 0058380F

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 9dc7c8bf3edd88ecd952e07de6a300878a469247972f564fcfa3b568e2ddc78e
Instruction ID: 7908fe957dc89b9e4167ab7f6aa0e108e668f3fe58aa231b4b61fffea9c5ebaa
Opcode Fuzzy Hash: 9dc7c8bf3edd88ecd952e07de6a300878a469247972f564fcfa3b568e2ddc78e
Instruction Fuzzy Hash: D221B072610118BBEF119F54CC45EBB3B6EFF89B54F118124FD00AB190CA71DD528BA0

Function 005649F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00564A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00564A5C
SetErrorMode.KERNEL32(00000000,?,?,0058CC08), ref: 00564AD0

Strings

%lu, xrefs: 00564A6F

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 63dc03e2afedb300bd65f01f8c22b45d3ceab701c8298365787d596e0a5e4ec0
Instruction ID: d72ae9fe4c6331f4e3185c701582a4c30938d2930c4ad875c541f449b107ae17
Opcode Fuzzy Hash: 63dc03e2afedb300bd65f01f8c22b45d3ceab701c8298365787d596e0a5e4ec0
Instruction Fuzzy Hash: 2A313E75A00209AFDB10DF64C885EAA7BF9FF48308F1480A9E909EB252D775ED45CB61

Function 005841EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0058424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00584264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00584271

Strings

msctls_trackbar32, xrefs: 00584226

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 4238134bca26684249158117794710e81eb2fdd931a2c297d1735a603a071e74
Instruction ID: 93091f66680e6c0dd835ee2f414e23f83ab57b505ce7f684dc8f719dc8cfcfae
Opcode Fuzzy Hash: 4238134bca26684249158117794710e81eb2fdd931a2c297d1735a603a071e74
Instruction Fuzzy Hash: 3611C131244209BEEF20AE29CC06FAB3BACFF95B54F110524FE55F6090D671D8219B20

Function 00552F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004F6B57: _wcslen.LIBCMT ref: 004F6B6A

Part of subcall function 00552DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00552DC5
Part of subcall function 00552DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00552DD6
Part of subcall function 00552DA7: GetCurrentThreadId.KERNEL32 ref: 00552DDD
Part of subcall function 00552DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00552DE4

GetFocus.USER32 ref: 00552F78

Part of subcall function 00552DEE: GetParent.USER32(00000000), ref: 00552DF9

GetClassNameW.USER32(?,?,00000100), ref: 00552FC3
EnumChildWindows.USER32(?,0055303B), ref: 00552FEB

Strings

%s%d, xrefs: 00552FFF

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 824821f81afdb5c522bd8157098137e61f6c5703ff7fb812375e56da87679a0c
Instruction ID: e1250dbe2dddbdc0a38dd38fe08c224b9def11318620e9d003d868cff72c60fe
Opcode Fuzzy Hash: 824821f81afdb5c522bd8157098137e61f6c5703ff7fb812375e56da87679a0c
Instruction Fuzzy Hash: DE11A5716002196BCF54BF658C99EED3F6ABF94305F044076BD09AB192DE30594D9B70

Function 0055007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0b8b46d8c7555de6fe7dfa797c4df44976cfc567196fcc0cdb3814f5b1d7b0c
Instruction ID: 1920e79813fbca3741fe8a4967be61043b7a652dfa6324b9ccdd30e30aa08a37
Opcode Fuzzy Hash: c0b8b46d8c7555de6fe7dfa797c4df44976cfc567196fcc0cdb3814f5b1d7b0c
Instruction Fuzzy Hash: E0C19E75A00206EFCB14CF94C8A4EAEBBB5FF48315F219599E805EB291D730ED45DB90

Function 0057342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00573459
CoUninitialize.OLE32 ref: 00573463
VariantInit.OLEAUT32(?), ref: 0057346E
VariantClear.OLEAUT32(?), ref: 0057371B

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 1080e3457362ee6e7066fae1289a1206701ba8486fcb497ec489cf05c8a8b5ea
Instruction ID: dae02da31492058f1bbb572c8932ea78b2cf292ec6d52702846cf168ddff5176
Opcode Fuzzy Hash: 1080e3457362ee6e7066fae1289a1206701ba8486fcb497ec489cf05c8a8b5ea
Instruction Fuzzy Hash: 63A18E75204305AFC700DF25D485A2ABBE5FF88724F04885DF98A9B362DB34EE05DB55

Function 00550436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0058FC08,?), ref: 005505F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0058FC08,?), ref: 00550608
CLSIDFromProgID.OLE32(?,?,00000000,0058CC40,000000FF,?,00000000,00000800,00000000,?,0058FC08,?), ref: 0055062D
_memcmp.LIBVCRUNTIME ref: 0055064E

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 771802ca585791a0997fb488500cbe2696b1be3d65cc36a86cf9b23cd6189399
Instruction ID: 875153ce3094038dad34bb64abeced8f4b5acfe71be9b77f6bbb1ffbb7325dab
Opcode Fuzzy Hash: 771802ca585791a0997fb488500cbe2696b1be3d65cc36a86cf9b23cd6189399
Instruction Fuzzy Hash: E0810071900109EFCB04DF94C994DEEBBB9FF89315F104559E916AB250DB71AE0ACF60

Function 0057A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0057A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0057A6BA

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0057A79C
CloseHandle.KERNEL32(00000000), ref: 0057A7AB

Part of subcall function 0050CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00533303,?), ref: 0050CE8A

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 1f8a093b2ffb7d9dbeadfd6a7f7a421d1b92f704c1475cb0ea10afdccd05c45d
Instruction ID: b56daccf3dfc874434f98a2c985e734aee6160d762e42d511dcd12a8e970f7fe
Opcode Fuzzy Hash: 1f8a093b2ffb7d9dbeadfd6a7f7a421d1b92f704c1475cb0ea10afdccd05c45d
Instruction Fuzzy Hash: C4515D715083059FD710EF25D886A6FBBE8FF89754F00891EF58997291EB34D904CB92

Function 00531391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005314C0

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: bd038424b4737c9e658c74b38a6f24763c12cca09e60ec098f59603cd2e885db
Instruction ID: a520121f953732c098a55324d7c80fea5dfd94648feff05b2f88fd6fdfdf7ab2
Opcode Fuzzy Hash: bd038424b4737c9e658c74b38a6f24763c12cca09e60ec098f59603cd2e885db
Instruction Fuzzy Hash: 63417C35A00912ABEF217BBC9C4A6BE3FA5FF82330F144625F429D22D2FA3048815775

Function 00586278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 005862E2
ScreenToClient.USER32(?,?), ref: 00586315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00586382

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: ac1c0cd86e1326048f716f6c21e9086121607a2419d91b3b8a8ae1bd1967396e
Instruction ID: 0b53c86be15322f4578c6cc0208d47844c5906e5f9e17852c3653a6257fa53cb
Opcode Fuzzy Hash: ac1c0cd86e1326048f716f6c21e9086121607a2419d91b3b8a8ae1bd1967396e
Instruction Fuzzy Hash: 92512A74A00609EFDF10EF68D880AAE7BB5FF55360F108569F955AB2A0DB30ED41DB50

Function 00571AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00571AFD
WSAGetLastError.WSOCK32 ref: 00571B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00571B8A
WSAGetLastError.WSOCK32 ref: 00571B94

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 7a41fed85caecc07102f11de8e1dcde679ede90372c65ca3865fdc7ec87997c4
Instruction ID: d9bcc3985e0c5b7facb24e2c3fff8e310e9942524b043512e8a9ec3c75d01537
Opcode Fuzzy Hash: 7a41fed85caecc07102f11de8e1dcde679ede90372c65ca3865fdc7ec87997c4
Instruction Fuzzy Hash: 3C419E34600600AFE720AF25D886F3A7BE5AB44718F54C48DFA1A9F2D3D776ED418B94

Function 0052B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e37b1b18ba06d383d01a50ee2e621719f90ef468cf17587c8482b7193fb8e2c
Instruction ID: 68f63b80d0606c9dc566ebeebf3df4fac5ed4ca049c98a1e186c7050fef23978
Opcode Fuzzy Hash: 0e37b1b18ba06d383d01a50ee2e621719f90ef468cf17587c8482b7193fb8e2c
Instruction Fuzzy Hash: AC41F675A00614AFEB24AF38DC85BAA7FAAFF85710F10452AF551DB2C2D37199418780

Function 005656D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00565783
GetLastError.KERNEL32(?,00000000), ref: 005657A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 005657CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 005657FA

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: b6407f1b22ed03b4cf45c0917954ada580e13941d70aaddf186173a73ceab782
Instruction ID: 1d93297c174ea20edb8c7c1ffd79501508a499b04c39730ffdab968fd2d5b061
Opcode Fuzzy Hash: b6407f1b22ed03b4cf45c0917954ada580e13941d70aaddf186173a73ceab782
Instruction Fuzzy Hash: 2B415E39200615DFCB10DF15C544A2DBBE2FF89368B188489ED4AAB762DB78FD04CB95

Function 0052D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00516D71,00000000,00000000,005182D9,?,005182D9,?,00000001,00516D71,?,00000001,005182D9,005182D9), ref: 0052D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0052D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0052D9AB
__freea.LIBCMT ref: 0052D9B4

Part of subcall function 00523820: RtlAllocateHeap.NTDLL(00000000,?,005C1444,?,0050FDF5,?,?,004FA976,00000010,005C1440,004F13FC,?,004F13C6,?,004F1129), ref: 00523852

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 7d0e7075d475ace9dd7a9c295015dc23b050bdc5dfc87db54f09a3b80125b807
Instruction ID: 4f442d19ccfc309a5fa0f20528235e7c44c2e3beb25fef0df652b9bfdc3ebeee
Opcode Fuzzy Hash: 7d0e7075d475ace9dd7a9c295015dc23b050bdc5dfc87db54f09a3b80125b807
Instruction Fuzzy Hash: F3319F72A0021AABDB24DF64EC85EAE7FB5FF42350F154168FC0496290EB35DD94CBA0

Function 005852C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00585352
GetWindowLongW.USER32(?,000000F0), ref: 00585375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00585382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005853A8

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 7f2cac309be4840e0f34738fbaab983466a09c44cb8fcbd4c34d8f834e129ded
Instruction ID: f04d945162cc56a362024a71381401ff2972102066a3c5e5418604f9c4116eda
Opcode Fuzzy Hash: 7f2cac309be4840e0f34738fbaab983466a09c44cb8fcbd4c34d8f834e129ded
Instruction Fuzzy Hash: 9831AF34A55E08BFEB21AE14CC06FE83F65BB05391F984901BE11B61E1EBB49E40AB51

Function 0055AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0055ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0055AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0055AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0055ACC6

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 1f70528852b32140545a6cf3d2998b2fc49da4e238a3f10387678a2fa354eebe
Instruction ID: 92dbdae140ea5f88f85c4ca9eec973da9d6db041ea8cefd54ce0bd92330bed89
Opcode Fuzzy Hash: 1f70528852b32140545a6cf3d2998b2fc49da4e238a3f10387678a2fa354eebe
Instruction Fuzzy Hash: 43311430A00218AFFF25CB6988297FA7FA5BB89312F04471BFC85961D0D3748D8D9762

Function 00587674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0058769A
GetWindowRect.USER32(?,?), ref: 00587710
PtInRect.USER32(?,?,00588B89), ref: 00587720
MessageBeep.USER32(00000000), ref: 0058778C

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: dd74bcd46a22f3c7b9ad854e2cfd193247b9aa422eca746ae86a5460aa24c582
Instruction ID: ed8150770d706fbb0f8e593bd3a34f3118729fb27b01c58f44b2d5f407ecde33
Opcode Fuzzy Hash: dd74bcd46a22f3c7b9ad854e2cfd193247b9aa422eca746ae86a5460aa24c582
Instruction Fuzzy Hash: 9F419A34A056199FCB01EF58C894EA9BFF4FB5E300F2840A8EC14EB261D330E945DB90

Function 005816DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 005816EB

Part of subcall function 00553A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00553A57
Part of subcall function 00553A3D: GetCurrentThreadId.KERNEL32 ref: 00553A5E
Part of subcall function 00553A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005525B3), ref: 00553A65

GetCaretPos.USER32(?), ref: 005816FF
ClientToScreen.USER32(00000000,?), ref: 0058174C
GetForegroundWindow.USER32 ref: 00581752

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 9dfa36b149f99eac205410f3618c63716ec09ff27af1abaf9e80b4bb2e77a9dc
Instruction ID: 8da59a442fae849ad2424951b78087e5fe4a937d02001729b057de3e9d0230b5
Opcode Fuzzy Hash: 9dfa36b149f99eac205410f3618c63716ec09ff27af1abaf9e80b4bb2e77a9dc
Instruction Fuzzy Hash: 5B313275D00149AFCB00EFAAC885CAEBBFDFF48304B50406EE515E7251D6359E45CBA5

Function 0055DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 004F7620: _wcslen.LIBCMT ref: 004F7625

_wcslen.LIBCMT ref: 0055DFCB
_wcslen.LIBCMT ref: 0055DFE2
_wcslen.LIBCMT ref: 0055E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0055E018

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 786de706e13d4fd6d91df6e20181662c957371fd22901efea6eabe911520733b
Instruction ID: 58e63ed69c854793f8318fdc534195463cd6d310de355c53260bbe5ccfbefa9a
Opcode Fuzzy Hash: 786de706e13d4fd6d91df6e20181662c957371fd22901efea6eabe911520733b
Instruction Fuzzy Hash: BA21A672900215AFDB20EFA4D986BAEBFF8FF85750F144065E905BB281D6749E40CBB1

Function 0055D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0058CB68), ref: 0055D2FB
GetLastError.KERNEL32 ref: 0055D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0055D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0058CB68), ref: 0055D376

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: c53669599eebda37427641ac09ad7a06d8f4a1f5413e0050ae64f34b94de3512
Instruction ID: 3bc1c02859acefb2140bc40a0d728527d7ee38f2c1c9bc08a853ffe69248277d
Opcode Fuzzy Hash: c53669599eebda37427641ac09ad7a06d8f4a1f5413e0050ae64f34b94de3512
Instruction Fuzzy Hash: 31219E755052019FC320EF29C89186ABBE4BF55369F104E1EF899D32A1DB30D909CBA3

Function 00551571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00551014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0055102A
Part of subcall function 00551014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00551036
Part of subcall function 00551014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00551045
Part of subcall function 00551014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0055104C
Part of subcall function 00551014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00551062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 005515BE
_memcmp.LIBVCRUNTIME ref: 005515E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00551617
HeapFree.KERNEL32(00000000), ref: 0055161E

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 4751667e5396027b4a1f6d8808bf1c124b57ca1e6c49c9a5d42a45ebdbca0378
Instruction ID: cf5c7790f663272833bb712692ea3b365b3cbcbe963c916c4eddb64b3246102b
Opcode Fuzzy Hash: 4751667e5396027b4a1f6d8808bf1c124b57ca1e6c49c9a5d42a45ebdbca0378
Instruction Fuzzy Hash: FC216B31E40509AFDF10DFA4C959BEEBFB8FF44345F08445AE851AB241E730AA09DB64

Function 00588FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00509BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00509BB2

GetCursorPos.USER32(?), ref: 00589001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00547711,?,?,?,?,?), ref: 00589016
GetCursorPos.USER32(?), ref: 0058905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00547711,?,?,?), ref: 00589094

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: e270f83bc65321be755c81f87a224a131b18668a68524464eb0598d90ec33ed6
Instruction ID: cdb92b26bd29e30cf67832eadd7883d36d2622b674a9da960dd413eb2f6273df
Opcode Fuzzy Hash: e270f83bc65321be755c81f87a224a131b18668a68524464eb0598d90ec33ed6
Instruction Fuzzy Hash: 70219F35600418EFCB259F94CC59EFA7FB9FB8A350F184065FD066B2A2C3319950EB60

Function 00582782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0058280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00582824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00582832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00582840

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 645c3a3ff539fa920371e97c4e9339d39fcd838cc64027de32cd6a0bf22dd593
Instruction ID: 7b639ed9ac99ffc1b02d31adef91c65be96053eb038502a52febd480a6c4adbb
Opcode Fuzzy Hash: 645c3a3ff539fa920371e97c4e9339d39fcd838cc64027de32cd6a0bf22dd593
Instruction Fuzzy Hash: F221B035204215AFDB14AB25C844FAA7F95FF85328F148159F826DB6E2C775EC42CBA0

Function 005578F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00558D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0055790A,?,000000FF,?,00558754,00000000,?,0000001C,?,?), ref: 00558D8C
Part of subcall function 00558D7D: lstrcpyW.KERNEL32(00000000,?,?,0055790A,?,000000FF,?,00558754,00000000,?,0000001C,?,?,00000000), ref: 00558DB2
Part of subcall function 00558D7D: lstrcmpiW.KERNEL32(00000000,?,0055790A,?,000000FF,?,00558754,00000000,?,0000001C,?,?), ref: 00558DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00558754,00000000,?,0000001C,?,?,00000000), ref: 00557923
lstrcpyW.KERNEL32(00000000,?,?,00558754,00000000,?,0000001C,?,?,00000000), ref: 00557949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00558754,00000000,?,0000001C,?,?,00000000), ref: 00557984

Strings

cdecl, xrefs: 0055797B

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 598301053398086c3ee177f04e4ec4360ee4d5245ba90eb1a001f40be0830f59
Instruction ID: 8a5c382b979ac85179ed41cc92acd27e16c4cc992dd098fe7efd355d63bbb54f
Opcode Fuzzy Hash: 598301053398086c3ee177f04e4ec4360ee4d5245ba90eb1a001f40be0830f59
Instruction Fuzzy Hash: A811063A200246ABDB159F35D858E7A7BB9FF99351B00402BFC02C72A4EB319805D7A1

Function 00587CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00587D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00587D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00587D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0056B7AD,00000000), ref: 00587D6B

Part of subcall function 00509BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00509BB2

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: a9e710797ce6d2cba1ec8163c0f059f5a0ac46983f0a820241e6e338743219f5
Instruction ID: 8a58e8043f90fd0bf18b8c364ce73121112f03549325087cab81f142ef28472e
Opcode Fuzzy Hash: a9e710797ce6d2cba1ec8163c0f059f5a0ac46983f0a820241e6e338743219f5
Instruction Fuzzy Hash: D4115E32509A19AFCB10AF68CC04E663FA5BF4A3A0B254764FC35E72E1E730D955DB90

Function 00521D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a8b63cbc8bcffe04c340d25cbc90eb8f86509297835d7a9587e4d355302ccd8
Instruction ID: 86252864f9eac8ff1ae5ca05217baa785284306ca2e3c906dfd8857c5911373c
Opcode Fuzzy Hash: 4a8b63cbc8bcffe04c340d25cbc90eb8f86509297835d7a9587e4d355302ccd8
Instruction Fuzzy Hash: 70017CB2205A2ABEF62116787CC4F276E1CFFA23B8B301725F521611D2DA608C4191B4

Function 00551A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00551A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00551A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00551A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00551A8A

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d2f8c23ed5de8b6d03dffcaf4ce04e3ecacc76f0206dda6751e52879bf79626e
Instruction ID: 3b0732d5d7c0a47467e987936df06a26e4473e8e7099375d9021cabd1d5dd60d
Opcode Fuzzy Hash: d2f8c23ed5de8b6d03dffcaf4ce04e3ecacc76f0206dda6751e52879bf79626e
Instruction Fuzzy Hash: BC112A3A901219FFEB119BA5C985FADBB78FB04750F200092EA01B7290D6716E50DB94

Function 0055E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0055E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0055E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0055E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0055E24D

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 36de70c33c4bcdba2362b1aae9f0dab210e75142477f1a486f99dea14863bc33
Instruction ID: b255ccf78be8e2b0e0a0eb2f234bf5f83a87a05d6ab6ffcbe5dcf79a76d4b0bc
Opcode Fuzzy Hash: 36de70c33c4bcdba2362b1aae9f0dab210e75142477f1a486f99dea14863bc33
Instruction Fuzzy Hash: 1C114876904644BFC7059FA8AC0AE9E3FACEB52715F004616FC25E3281C6B08A0897B0

Function 0051D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0051CFF9,00000000,00000004,00000000), ref: 0051D218
GetLastError.KERNEL32 ref: 0051D224
__dosmaperr.LIBCMT ref: 0051D22B
ResumeThread.KERNEL32(00000000), ref: 0051D249

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 53ee5aef784e550aa5609501e1dd38e347350dd3d5e8278303e9ff4872e36217
Instruction ID: b80e64937a85029c8d8d254d9410430fb4cb275db9a5dd28058ddd7cd89e584b
Opcode Fuzzy Hash: 53ee5aef784e550aa5609501e1dd38e347350dd3d5e8278303e9ff4872e36217
Instruction Fuzzy Hash: AB01C03A905205BBEB115BA5DC09AEA7E79FF81330F200219F935921D0DB718985D7B0

Function 00589EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00509BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00509BB2

GetClientRect.USER32(?,?), ref: 00589F31
GetCursorPos.USER32(?), ref: 00589F3B
ScreenToClient.USER32(?,?), ref: 00589F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00589F7A

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 7e4c5139cf238f5a6bb3adc23dcb61fd4d866d459445473c6dc37db48b3ade03
Instruction ID: 5c46b7b693792615371471748b51d4ea9603c300062f10b48580c8718ad0bc6e
Opcode Fuzzy Hash: 7e4c5139cf238f5a6bb3adc23dcb61fd4d866d459445473c6dc37db48b3ade03
Instruction Fuzzy Hash: E111333290011AABDB06EFA8D8899FE7BB9FB45311F140455FE12F3141D330BA85DBA1

Function 004F600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004F604C
GetStockObject.GDI32(00000011), ref: 004F6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 004F606A

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 464bb053a5efd1d763db4d50a57a7e2bf0fdfdd0f5e19a476d86e57d30c3072e
Instruction ID: ba7173b2559387c009cfa80b31ddae16b3455ecca1d9bb5d6dfee26faaecdcf4
Opcode Fuzzy Hash: 464bb053a5efd1d763db4d50a57a7e2bf0fdfdd0f5e19a476d86e57d30c3072e
Instruction Fuzzy Hash: 8F118B7250150CBFEF128FA48C44EFBBF69EF183A4F110216FA0592110DB369C60EBA4

Function 00513B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00513B56

Part of subcall function 00513AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00513AD2
Part of subcall function 00513AA3: ___AdjustPointer.LIBCMT ref: 00513AED

_UnwindNestedFrames.LIBCMT ref: 00513B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00513B7C
CallCatchBlock.LIBVCRUNTIME ref: 00513BA4

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 16ddaf37c539a2b3b3ba1aaa0df550d57ed6279eb53d3a2bea49877ac2960fff
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 3101E972100149BBEF125E95CC4AEEB7F69FF98754F044014FE5856121D732E9A1DBA0

Function 00523073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,004F13C6,00000000,00000000,?,0052301A,004F13C6,00000000,00000000,00000000,?,0052328B,00000006,FlsSetValue), ref: 005230A5
GetLastError.KERNEL32(?,0052301A,004F13C6,00000000,00000000,00000000,?,0052328B,00000006,FlsSetValue,00592290,FlsSetValue,00000000,00000364,?,00522E46), ref: 005230B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0052301A,004F13C6,00000000,00000000,00000000,?,0052328B,00000006,FlsSetValue,00592290,FlsSetValue,00000000), ref: 005230BF

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 030c2579494af36d33bd4295d8237ef610dc94165ee3770afcc6f1836cf471dd
Instruction ID: 6e1676d429bc5ad7f3664466e100d5f9e0231e1d41d90491389ae9486647909c
Opcode Fuzzy Hash: 030c2579494af36d33bd4295d8237ef610dc94165ee3770afcc6f1836cf471dd
Instruction Fuzzy Hash: E101D436701636ABCB214A78BC88A577F98BF16B61B110A20F906E71D0DB35D909C7F0

Function 00557464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0055747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00557497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 005574AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 005574CA

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 8f115c8d4a575dc6ca2501372569e8dcabcfabeacd9c1a6b0609925febc672c5
Instruction ID: f9222ff8767d01814c2378dd48042bcabcb52a6d75e251d0187c99b08f24af57
Opcode Fuzzy Hash: 8f115c8d4a575dc6ca2501372569e8dcabcfabeacd9c1a6b0609925febc672c5
Instruction Fuzzy Hash: 5E11A1B1205318DBEB208F24EC18F927FFCFB04B01F10856AAE26D6151D770E948EB61

Function 0055B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0055ACD3,?,00008000), ref: 0055B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0055ACD3,?,00008000), ref: 0055B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0055ACD3,?,00008000), ref: 0055B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0055ACD3,?,00008000), ref: 0055B126

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 6a075968ce240a122d5fc5ed089eb69a13b8be8484516a75b304ddbcb4a43855
Instruction ID: 97a90ca8e51fa1c557572ce3a30dfd22298dbdc7a121f4c724b4710edcad2abb
Opcode Fuzzy Hash: 6a075968ce240a122d5fc5ed089eb69a13b8be8484516a75b304ddbcb4a43855
Instruction Fuzzy Hash: CB115730C01928EBEF00AFE5E9AC6EEBF78BB59312F104486DD41B2181CB305658DB61

Function 00587E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00587E33
ScreenToClient.USER32(?,?), ref: 00587E4B
ScreenToClient.USER32(?,?), ref: 00587E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00587E8A

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 982af78fc42cb7d88daf3d6144843f36432d3d56bfb2edfc3521ca32ebe38dd3
Instruction ID: 10e66a25d5aee613f61ad623be9c0439fd6c18f912423508970328b3bb53bccd
Opcode Fuzzy Hash: 982af78fc42cb7d88daf3d6144843f36432d3d56bfb2edfc3521ca32ebe38dd3
Instruction Fuzzy Hash: 9B1146B9D00209AFDB41DF99C444AEEBBF9FF18310F505066E925E2210D735AA54DF90

Function 00552DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00552DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00552DD6
GetCurrentThreadId.KERNEL32 ref: 00552DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00552DE4

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: f415dc13f854c30beea0dc3e2bcafd8bd043f4b8a987bfcaae2368db09ba1e94
Instruction ID: bb2f3594ca543fd568c9aaf9c3765a90f123e17cc3851c817de0ff343daafe35
Opcode Fuzzy Hash: f415dc13f854c30beea0dc3e2bcafd8bd043f4b8a987bfcaae2368db09ba1e94
Instruction Fuzzy Hash: A1E06DB11012247AD7201B67AC0EEEB3E6CFB63BA2F001126B905E1080AAB48849D7B0

Function 00588863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00509639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00509693
Part of subcall function 00509639: SelectObject.GDI32(?,00000000), ref: 005096A2
Part of subcall function 00509639: BeginPath.GDI32(?), ref: 005096B9
Part of subcall function 00509639: SelectObject.GDI32(?,00000000), ref: 005096E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00588887
LineTo.GDI32(?,?,?), ref: 00588894
EndPath.GDI32(?), ref: 005888A4
StrokePath.GDI32(?), ref: 005888B2

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: e303fbef6aaf7d770ff0233d514f540544c5277472bba31a65b04c9ec888fe96
Instruction ID: edcaf5c140a7c4131524c9fb8dc50f87b506c93b687aa6ef75714a195330c6b7
Opcode Fuzzy Hash: e303fbef6aaf7d770ff0233d514f540544c5277472bba31a65b04c9ec888fe96
Instruction Fuzzy Hash: DBF03436041659FAEB126F94AC0EFDE3E69AF26310F448000FE11750E2C7B55529EFA9

Function 005098B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 005098CC
SetTextColor.GDI32(?,?), ref: 005098D6
SetBkMode.GDI32(?,00000001), ref: 005098E9
GetStockObject.GDI32(00000005), ref: 005098F1

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 66f914b8d94c828e51b966b4ea0b78171685ea643f48e8285c68fc65e7dd49ab
Instruction ID: 0a714028f5ff17a57305e6943987a5c47ecdf35aa8186a0584eb415aa48972fe
Opcode Fuzzy Hash: 66f914b8d94c828e51b966b4ea0b78171685ea643f48e8285c68fc65e7dd49ab
Instruction Fuzzy Hash: 5CE06D31244284AEDF215B74BC0DBE83F20BB26336F04921AFAFA680E1C3714644EB20

Function 0055162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00551634
OpenThreadToken.ADVAPI32(00000000,?,?,?,005511D9), ref: 0055163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,005511D9), ref: 00551648
OpenProcessToken.ADVAPI32(00000000,?,?,?,005511D9), ref: 0055164F

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: b4b15d040d1e9417a1795a03df8b244a24de44f6323f0693ad8a39c9eac0cd26
Instruction ID: 4303b090973d11d1fe1330b632ba9151e98da366a318cee3e8c55ce3adc2bfde
Opcode Fuzzy Hash: b4b15d040d1e9417a1795a03df8b244a24de44f6323f0693ad8a39c9eac0cd26
Instruction Fuzzy Hash: 29E08631601211DBD7201FB0AD0DB4A3F7CBF657D2F154809FA45E9080D6344449E774

Function 00564D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 004F7620: _wcslen.LIBCMT ref: 004F7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00564ED4

Strings

*, xrefs: 00564E10
LPT, xrefs: 00564DFB

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 749b200c732267e0ddeda049dc5b073ae9953e639850d015da78f30282c80094
Instruction ID: 7fa0f47a489722821ba9e87727f05f5f376dd7fd994561ad769c80fd18d89b1c
Opcode Fuzzy Hash: 749b200c732267e0ddeda049dc5b073ae9953e639850d015da78f30282c80094
Instruction Fuzzy Hash: 5E915E75A00244AFCB14DF58C484EAABBF5BF44308F198099E80A9F7A2D775ED85CF91

Function 0051E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0051E30D

Strings

pow, xrefs: 0051E2E5, 0051E302

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 1e8804b509481cd56bc08912bce7dbdfc5ee5d74be8af853a1e63f07fb580f1b
Instruction ID: 0e991a8d7c7c84a66d19721d9958aeb95e5567cf8b8fa678e7dadc51688aef70
Opcode Fuzzy Hash: 1e8804b509481cd56bc08912bce7dbdfc5ee5d74be8af853a1e63f07fb580f1b
Instruction Fuzzy Hash: 7B51CE61A0C11A96EB11B724DD033FA3F98FF55740F304D99E8E5432E8EB348CC59A46

Function 00577771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0054569E,00000000,?,0058CC08,?,00000000,00000000), ref: 005778DD

Part of subcall function 004F6B57: _wcslen.LIBCMT ref: 004F6B6A

CharUpperBuffW.USER32(0054569E,00000000,?,0058CC08,00000000,?,00000000,00000000), ref: 0057783B

Strings

<s[, xrefs: 005777C8

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s[
API String ID: 3544283678-714827695
Opcode ID: 29ccef8f4ecb149e0d3c62f5757b2b81d4994d9083fc851bdfc9dd9c2c5d34c1
Instruction ID: 9f0251bf921022dea4a21fdba3edd65ec56e3718dcdcc3f45859839f77a520ae
Opcode Fuzzy Hash: 29ccef8f4ecb149e0d3c62f5757b2b81d4994d9083fc851bdfc9dd9c2c5d34c1
Instruction Fuzzy Hash: 1061707291411DAACF04EBA5EC91DFDBBB4FF18304B44452AE606B3091EF785A05DBA4

Function 0050E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0050E1B1

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 5e0b4b57d6dc745265eefd05751377d503ce22897cabef5f8dace53f7be88894
Instruction ID: 711c4e808e03efe667dfffc0d55b3a143e6621244018284ac71e4e29787695c4
Opcode Fuzzy Hash: 5e0b4b57d6dc745265eefd05751377d503ce22897cabef5f8dace53f7be88894
Instruction Fuzzy Hash: 0E512379900286DFDB15DF28C482AFE7FA4FF65328F644459EC919B2D0D634AD42CBA0

Function 0050F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0050F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0050F2BB

Strings

@, xrefs: 0050F2AF

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 697e81507c29af60b4626b8abd5f1b98e8cb3a2b530420242bd6768021d40a21
Instruction ID: 648b274a939b89aadb0c13c6aed8ad8c9f34b816608435543f2b0812c7e3ef05
Opcode Fuzzy Hash: 697e81507c29af60b4626b8abd5f1b98e8cb3a2b530420242bd6768021d40a21
Instruction Fuzzy Hash: B15147714087499BD320AF15D886BABBBF8FF95304F81484DF29941195EB348929CB6B

Function 00575745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 005757E0
_wcslen.LIBCMT ref: 005757EC

Strings

CALLARGARRAY, xrefs: 005757E6, 005757EB

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: cfbd5ab710562492d3ca9fa846618c9c34d25a5ffeeffb413a5d01e63718780b
Instruction ID: a0a67ea0ecddf1c859ad374ab2a24726f93769c748d52ac58ec63a0c46f95071
Opcode Fuzzy Hash: cfbd5ab710562492d3ca9fa846618c9c34d25a5ffeeffb413a5d01e63718780b
Instruction Fuzzy Hash: 6641C031A001099FCB04DFA9D8869BEBFF4FF98354F20802EE509A7291E7709D81CB91

Function 0056D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0056D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0056D13A

Strings

|, xrefs: 0056D10B

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 13bd30607841701176259069629061d6513f2bea288bba09a9b4877d488ff646
Instruction ID: aa0213e7243e60e67a8c22eb6a033119162524c9e10fc05a15d73f5d162a161d
Opcode Fuzzy Hash: 13bd30607841701176259069629061d6513f2bea288bba09a9b4877d488ff646
Instruction Fuzzy Hash: 3D316F71D00209ABCF11EFA5CC85EEEBFB9FF05344F00001AF915A6261D775AA56CB64

Function 0058356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00583621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0058365C

Strings

static, xrefs: 005835BC

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 832f5d3f6a263f867b31a59cdf04fc9617df97a980e35679c8b55c4e93b8e6d6
Instruction ID: 322bf49bc5b3b98875fd955e5e16b14c82a8d20b556071cb1b3dd2d26583b6e4
Opcode Fuzzy Hash: 832f5d3f6a263f867b31a59cdf04fc9617df97a980e35679c8b55c4e93b8e6d6
Instruction Fuzzy Hash: AD318171110604AEDB10EF29DC80EBB7BA9FF98724F509619FD55A7180DA30AD91D760

Function 00584537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0058461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00584634

Strings

', xrefs: 0058458E

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 40c365d231d7ffe8f64b4ca220dbf4cfba623d3e06a6fd4280c891f50be02109
Instruction ID: 1c3a5562475d075b35527e6708d1f1285873062e77e34b2255341ee0519e75a9
Opcode Fuzzy Hash: 40c365d231d7ffe8f64b4ca220dbf4cfba623d3e06a6fd4280c891f50be02109
Instruction Fuzzy Hash: 22311574A0020A9FDB14DFA9C980AEA7BB5FF09300F10406AED05AB341E770A941DF90

Function 005831EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0058327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00583287

Strings

Combobox, xrefs: 00583249

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 9b832bb5b7d3a042e001fe2975f9af31891ff407cae39de44e73dfb7f601bf2d
Instruction ID: 54051c6fd7e76cc348bfa9fef243c807de326939a45a63d140d15c595bcee0db
Opcode Fuzzy Hash: 9b832bb5b7d3a042e001fe2975f9af31891ff407cae39de44e73dfb7f601bf2d
Instruction Fuzzy Hash: F811E2753002087FEF21AE54DC84EBB3F6AFB98764F100128FD1AAB290D6719D518760

Function 00583710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 004F600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004F604C
Part of subcall function 004F600E: GetStockObject.GDI32(00000011), ref: 004F6060
Part of subcall function 004F600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 004F606A

GetWindowRect.USER32(00000000,?), ref: 0058377A
GetSysColor.USER32(00000012), ref: 00583794

Strings

static, xrefs: 00583757

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 3acca13b4391a1d5053de9e38a4c39c7b317db67b5cbd2efee12b918e37eef68
Instruction ID: 10dcd9ecfb3686e1864064276a0418964ed68f6f628f33e5fb5f61262ecb683f
Opcode Fuzzy Hash: 3acca13b4391a1d5053de9e38a4c39c7b317db67b5cbd2efee12b918e37eef68
Instruction Fuzzy Hash: 8E1129B2610209AFDF00EFA8CC45EFA7BB8FB08714F004915FD55E2251E775E9559B60

Function 0056CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0056CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0056CDA6

Strings

<local>, xrefs: 0056CD66

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 71e3f38ac8c81380030d9a7159c8aa37f969045005180cc342a2c1c4f849ab7c
Instruction ID: 8f5a37549588f3320f0bb70bfd2992b0cb6ef34f39ea0d9cff4229fc0edeab09
Opcode Fuzzy Hash: 71e3f38ac8c81380030d9a7159c8aa37f969045005180cc342a2c1c4f849ab7c
Instruction Fuzzy Hash: 8011A071205671BAD7285A668C49EF7BEBCFB227A4F00462AB58993180D6749844D6F0

Function 00583429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 005834AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 005834BA

Strings

edit, xrefs: 0058348F

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 5b13165f321ca0e47aed512b2819edc3e5d64a5251fe6d9a7a9ed5674e694166
Instruction ID: f59328153d4eb4174d74847268e685c14d94d997500e4c4c1635296598bfc4a3
Opcode Fuzzy Hash: 5b13165f321ca0e47aed512b2819edc3e5d64a5251fe6d9a7a9ed5674e694166
Instruction Fuzzy Hash: 61119D71100108AEEF11AE64DC48ABA3F6AFF15B78F504724FD61A71E0C771DC559760

Function 00556C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00556CB6
_wcslen.LIBCMT ref: 00556CC2

Strings

STOP, xrefs: 00556CBC, 00556CC1

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 154659541e583729033f9c3c1d3df295d184dc376f277bfb93d1196eee62450a
Instruction ID: e48f0b0ac649dbdae20fc981c5363346e228f11d037421913ccf36af14568f6e
Opcode Fuzzy Hash: 154659541e583729033f9c3c1d3df295d184dc376f277bfb93d1196eee62450a
Instruction Fuzzy Hash: 6D0108326005678ACB119FBDCCA19BF7BB4FA60715780092AEC5297190FB31DC08C650

Function 00551CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

Part of subcall function 00553CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00553CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00551D4C

Strings

ComboBox, xrefs: 00551CEB
ListBox, xrefs: 00551D16

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 463886c6f1cc0ad7bc58d93059315a012e755adaf0b2e1724b095fb8c7ebc7e6
Instruction ID: f84c5e5b94cb01e71af3bc3a18ceca0b593c2ec688fac6b5af375d368b24260f
Opcode Fuzzy Hash: 463886c6f1cc0ad7bc58d93059315a012e755adaf0b2e1724b095fb8c7ebc7e6
Instruction Fuzzy Hash: D001B571611618AB8B08EFA5CC65AFE7F78FF56390B04091BEC22672C1EA355D0C8664

Function 00551BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

Part of subcall function 00553CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00553CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00551C46

Strings

ComboBox, xrefs: 00551BE5
ListBox, xrefs: 00551C10

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c91c6582c1163672c8bfb5bb9975baec53fc164358632a93020618dd27a86062
Instruction ID: a2c9594f8364310281dfd9883073b44dd90a3d0c7814019f1146e167c35b14fe
Opcode Fuzzy Hash: c91c6582c1163672c8bfb5bb9975baec53fc164358632a93020618dd27a86062
Instruction Fuzzy Hash: 9F01A77569110866CB08EB91C965BFF7FA8BF51381F14041BED0677281EA259E0CC6B9

Function 00551C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

Part of subcall function 00553CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00553CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00551CC8

Strings

ComboBox, xrefs: 00551C69
ListBox, xrefs: 00551C94

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 34542732ffdf0e5e710933282622ba050ba02fd787766a84e7945b932a4112e4
Instruction ID: e177e3da5119a85eb6a391187262b82e645a7bc31d6357b682d8d8ffcf818498
Opcode Fuzzy Hash: 34542732ffdf0e5e710933282622ba050ba02fd787766a84e7945b932a4112e4
Instruction Fuzzy Hash: 9401DB7164015867CB04EB95CA22BFE7FA8BF113C1F14001BBD0677281EA259F0CC675

Function 0050A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0050A529

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

Strings

3yT, xrefs: 0050A545, 0050A54D, 0050A552
,%\, xrefs: 0050A509

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%\$3yT
API String ID: 2551934079-2759134763
Opcode ID: d235c8c9a18791860a0c29b46845215c7c2dfa1bfa602a755881ecd1e665f45c
Instruction ID: 3c4369859dc386994e60d4337c3cc3d83e101e5f4859eaefecfdc7d99b9ad981
Opcode Fuzzy Hash: d235c8c9a18791860a0c29b46845215c7c2dfa1bfa602a755881ecd1e665f45c
Instruction Fuzzy Hash: 9B01F2326007159BCE00F7A9DC1BFAE3F54BB85710F400429F6125B1C2EEA4AD858A9B

Function 00551D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004F9CB3: _wcslen.LIBCMT ref: 004F9CBD

Part of subcall function 00553CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00553CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00551DD3

Strings

ComboBox, xrefs: 00551D75
ListBox, xrefs: 00551DA0

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 0fea5e6b85761404ab865ea8ee160e161d13fbb676c06835cef5352a30765138
Instruction ID: 1b6e1145282c1b50301c241230738bf4c135f35b0ddb428a64b33612c4185d51
Opcode Fuzzy Hash: 0fea5e6b85761404ab865ea8ee160e161d13fbb676c06835cef5352a30765138
Instruction Fuzzy Hash: B5F0F471A5061866CB08FBA5CC62BFE7F78BF01384F04091BFD22A72C1EA745D0C8268

Function 00588172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,005C3018,005C305C), ref: 005881BF
CloseHandle.KERNEL32 ref: 005881D1

Strings

\0\, xrefs: 0058818A

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0\
API String ID: 3712363035-662447594
Opcode ID: 62cb9a56d12edaa5c69d8e7bdd6dadc38c0d685879be1670a06f8f33e6798f24
Instruction ID: 5dc3bd197dc357535608f8480139db37f596067fd49df05888e219a6c0846de8
Opcode Fuzzy Hash: 62cb9a56d12edaa5c69d8e7bdd6dadc38c0d685879be1670a06f8f33e6798f24
Instruction Fuzzy Hash: E8F030B2640708BEE3106761AC4DFB77E5CFB14750F008425BA08F51A1D6758E54A3B8

Function 00510D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0050F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00510D71,?,?,?,004F100A), ref: 0050F7CE

IsDebuggerPresent.KERNEL32(?,?,?,004F100A), ref: 00510D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,004F100A), ref: 00510D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00510D7F

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 6c6d4bc2f11edd6899f1a6e6c6a42539766a6049ca7e433c9fd6fe347594b770
Instruction ID: 2461302750dc65607c6bc088f8c8eef0b998045223e2a437e6d44d8a2f196417
Opcode Fuzzy Hash: 6c6d4bc2f11edd6899f1a6e6c6a42539766a6049ca7e433c9fd6fe347594b770
Instruction Fuzzy Hash: 64E065742007418FE770AF78E4087467FE4BB14744F00492DE882D6691DBF4E4889BA1

Function 0050E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0050E3D5

Strings

0%\, xrefs: 0050E3B5
8%\, xrefs: 0050E3CA

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%\$8%\
API String ID: 1385522511-277581082
Opcode ID: 790d7454e5f03e98299a7e1b55bac24f8f853a2543fd60f550021f64ca8eab08
Instruction ID: ba2416d64fe91b41494c16700d1218277272ab8296731676201542b59ca09e84
Opcode Fuzzy Hash: 790d7454e5f03e98299a7e1b55bac24f8f853a2543fd60f550021f64ca8eab08
Instruction Fuzzy Hash: 8AE02631404D20CFC6049718F85AECE3F91BB45320F203D68E1128F1D1DF7478859644

Function 00563017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0056302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00563044

Strings

aut, xrefs: 00563038

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 123d521eab734f5ca2a653b9bed6057fac80e933b0b74117f3acdbb3a4b2aff1
Instruction ID: 46b05349ca85abcd6b4745d68cfd3a039e29eb5952be1453854022fe51de76ac
Opcode Fuzzy Hash: 123d521eab734f5ca2a653b9bed6057fac80e933b0b74117f3acdbb3a4b2aff1
Instruction Fuzzy Hash: 5AD05B7550031467DA2097949C0DFD73E6CD704750F0001917A96E20D1DAB49544CBE0

Function 0052BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0052BE93
GetLastError.KERNEL32 ref: 0052BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0052BEFC

Memory Dump Source

Source File: 00000000.00000002.1653441541.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1653425994.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.000000000058C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653495848.00000000005B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653536559.00000000005BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653554596.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 1f589fca80a591922a68503129ceba69ff45ffa646bf98c68412a66fca3fd964
Instruction ID: 132c51def7c12d3c3a3a293ab15863b47de89e80dc3c15c44aeff7d30ac65fb9
Opcode Fuzzy Hash: 1f589fca80a591922a68503129ceba69ff45ffa646bf98c68412a66fca3fd964
Instruction Fuzzy Hash: B941E935604226AFEF218F64ED88ABA7FA9FF43320F154169F969571E1DB308D01DB60

Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172

Source: global traffic	HTTP traffic detected: GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1Host: youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1Host: www.youtube.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=1880340354&timestamp=1727808848108 HTTP/1.1Host: accounts.youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=5Ou7fnsM9TT+8wN&MD=D8v1ExdO HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=5Ou7fnsM9TT+8wN&MD=D8v1ExdO HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 74

Chrome Cache Entry: 75

Chrome Cache Entry: 76

Chrome Cache Entry: 77

Chrome Cache Entry: 78

Chrome Cache Entry: 79

Chrome Cache Entry: 80

Chrome Cache Entry: 81

Chrome Cache Entry: 82

Chrome Cache Entry: 83

Chrome Cache Entry: 84

Chrome Cache Entry: 85

Chrome Cache Entry: 86

Chrome Cache Entry: 87

Chrome Cache Entry: 88

Static File Info

General

File Icon

Windows Analysis Report
file.exe

Function 004F42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 004F42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00532BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 0055D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Function 0055DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Function 0057AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Function 004F2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 0053065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 004F344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 004F2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 004F3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 004F1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre