Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1523882
MD5:	10f2301f8b97c23422086bd3c40200de
SHA1:	424210c8101158f55ec49ef1ce92771ae1e6dad2
SHA256:	e07a8d0829ad09f2134f733c794d30febde1665c4ba0c0dec5c2a14793a93f99
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains more sections than normal

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 1412 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 10F2301F8B97C23422086BD3C40200DE)

taskkill.exe (PID: 6392 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chrome.exe (PID: 6048 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7224 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 --field-trial-handle=2172,i,2599626556490026948,17595553873914899486,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 4672 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5500 --field-trial-handle=2172,i,2599626556490026948,17595553873914899486,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 1252 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5644 --field-trial-handle=2172,i,2599626556490026948,17595553873914899486,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 1412	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

String found in binary or memory: _.fq(p)+"/familylink/privacy/notice/embedded?langCountry="+_.fq(p);break;case "PuZJUb":a+="https://www.youtube.com/t/terms?chromeless=1&hl="+_.fq(m);break;case "fxTQxb":a+="https://youtube.com/t/terms?gl="+_.fq(_.oq(c))+"&hl="+_.fq(d)+"&override_hl=1"+(f?"&linkless=1":"");break;case "prAmvd":a+="https://www.google.com/intl/"+_.fq(m)+"/chromebook/termsofservice.html?languageCode="+_.fq(d)+"&regionCode="+_.fq(c);break;case "NfnTze":a+="https://policies.google.com/privacy/google-partners"+(f?"/embedded": equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: accounts.youtube.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com
Source: global traffic	DNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa

Source: unknown

HTTP traffic detected: POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveContent-Length: 519sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"Content-Type: application/x-www-form-urlencoded;charset=UTF-8sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"X-Goog-AuthUser: 0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*Origin: https://accounts.google.comX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCJDKzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw==Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: Google.Widevine.CDM.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Google.Widevine.CDM.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Google.Widevine.CDM.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Google.Widevine.CDM.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Google.Widevine.CDM.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Google.Widevine.CDM.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Google.Widevine.CDM.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Google.Widevine.CDM.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Google.Widevine.CDM.dll.4.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Google.Widevine.CDM.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: Google.Widevine.CDM.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: Google.Widevine.CDM.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Google.Widevine.CDM.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: Google.Widevine.CDM.dll.4.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: sets.json.4.dr	String found in binary or memory: https://07c225f3.online
Source: sets.json.4.dr	String found in binary or memory: https://24.hu
Source: sets.json.4.dr	String found in binary or memory: https://aajtak.in
Source: sets.json.4.dr	String found in binary or memory: https://abczdrowie.pl
Source: chromecache_175.6.dr	String found in binary or memory: https://accounts.google.com
Source: chromecache_175.6.dr	String found in binary or memory: https://accounts.google.com/TOS?loc=
Source: file.exe, 00000000.00000003.2041981637.0000000001585000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2042633246.0000000001585000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2042123381.0000000001585000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2042159001.0000000001585000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/v3/signin/challenge/
Source: file.exe, 00000000.00000003.2041933900.000000000156F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2041981637.0000000001575000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2042615999.0000000001576000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd
Source: sets.json.4.dr	String found in binary or memory: https://alice.tw
Source: sets.json.4.dr	String found in binary or memory: https://ambitionbox.com
Source: chromecache_181.6.dr	String found in binary or memory: https://apis.google.com/js/api.js
Source: chromecache_175.6.dr	String found in binary or memory: https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage
Source: sets.json.4.dr	String found in binary or memory: https://autobild.de
Source: sets.json.4.dr	String found in binary or memory: https://baomoi.com
Source: sets.json.4.dr	String found in binary or memory: https://bild.de
Source: sets.json.4.dr	String found in binary or memory: https://blackrock.com
Source: sets.json.4.dr	String found in binary or memory: https://blackrockadvisorelite.it
Source: sets.json.4.dr	String found in binary or memory: https://bluradio.com
Source: sets.json.4.dr	String found in binary or memory: https://bolasport.com
Source: sets.json.4.dr	String found in binary or memory: https://bonvivir.com
Source: sets.json.4.dr	String found in binary or memory: https://bumbox.com
Source: sets.json.4.dr	String found in binary or memory: https://businessinsider.com.pl
Source: sets.json.4.dr	String found in binary or memory: https://businesstoday.in
Source: sets.json.4.dr	String found in binary or memory: https://cachematrix.com
Source: sets.json.4.dr	String found in binary or memory: https://cafemedia.com
Source: sets.json.4.dr	String found in binary or memory: https://caracoltv.com
Source: sets.json.4.dr	String found in binary or memory: https://carcostadvisor.be
Source: sets.json.4.dr	String found in binary or memory: https://carcostadvisor.com
Source: sets.json.4.dr	String found in binary or memory: https://carcostadvisor.fr
Source: sets.json.4.dr	String found in binary or memory: https://cardsayings.net
Source: sets.json.4.dr	String found in binary or memory: https://chatbot.com
Source: sets.json.4.dr	String found in binary or memory: https://chennien.com
Source: sets.json.4.dr	String found in binary or memory: https://citybibleforum.org
Source: sets.json.4.dr	String found in binary or memory: https://clarosports.com
Source: sets.json.4.dr	String found in binary or memory: https://clmbtech.com
Source: sets.json.4.dr	String found in binary or memory: https://closeronline.co.uk
Source: sets.json.4.dr	String found in binary or memory: https://clubelpais.com.uy
Source: sets.json.4.dr	String found in binary or memory: https://cmxd.com.mx
Source: sets.json.4.dr	String found in binary or memory: https://cognitive-ai.ru
Source: sets.json.4.dr	String found in binary or memory: https://cognitiveai.ru
Source: sets.json.4.dr	String found in binary or memory: https://commentcamarche.com
Source: sets.json.4.dr	String found in binary or memory: https://commentcamarche.net
Source: sets.json.4.dr	String found in binary or memory: https://computerbild.de
Source: sets.json.4.dr	String found in binary or memory: https://content-loader.com
Source: sets.json.4.dr	String found in binary or memory: https://cookreactor.com
Source: sets.json.4.dr	String found in binary or memory: https://cricbuzz.com
Source: sets.json.4.dr	String found in binary or memory: https://css-load.com
Source: sets.json.4.dr	String found in binary or memory: https://deccoria.pl
Source: sets.json.4.dr	String found in binary or memory: https://deere.com
Source: sets.json.4.dr	String found in binary or memory: https://desimartini.com
Source: sets.json.4.dr	String found in binary or memory: https://dewarmsteweek.be
Source: sets.json.4.dr	String found in binary or memory: https://drimer.io
Source: sets.json.4.dr	String found in binary or memory: https://drimer.travel
Source: sets.json.4.dr	String found in binary or memory: https://economictimes.com
Source: sets.json.4.dr	String found in binary or memory: https://een.be
Source: sets.json.4.dr	String found in binary or memory: https://efront.com
Source: sets.json.4.dr	String found in binary or memory: https://eleconomista.net
Source: sets.json.4.dr	String found in binary or memory: https://elfinancierocr.com
Source: sets.json.4.dr	String found in binary or memory: https://elgrafico.com
Source: sets.json.4.dr	String found in binary or memory: https://ella.sv
Source: sets.json.4.dr	String found in binary or memory: https://elpais.com.uy
Source: sets.json.4.dr	String found in binary or memory: https://elpais.uy
Source: sets.json.4.dr	String found in binary or memory: https://etfacademy.it
Source: sets.json.4.dr	String found in binary or memory: https://eworkbookcloud.com
Source: sets.json.4.dr	String found in binary or memory: https://eworkbookrequest.com
Source: sets.json.4.dr	String found in binary or memory: https://fakt.pl
Source: chromecache_175.6.dr	String found in binary or memory: https://families.google.com/intl/
Source: sets.json.4.dr	String found in binary or memory: https://finn.no
Source: sets.json.4.dr	String found in binary or memory: https://firstlook.biz
Source: chromecache_175.6.dr	String found in binary or memory: https://g.co/recover
Source: sets.json.4.dr	String found in binary or memory: https://gallito.com.uy
Source: sets.json.4.dr	String found in binary or memory: https://geforcenow.com
Source: sets.json.4.dr	String found in binary or memory: https://gettalkdesk.com
Source: sets.json.4.dr	String found in binary or memory: https://gliadomain.com
Source: sets.json.4.dr	String found in binary or memory: https://gnttv.com
Source: sets.json.4.dr	String found in binary or memory: https://graziadaily.co.uk
Source: sets.json.4.dr	String found in binary or memory: https://grid.id
Source: sets.json.4.dr	String found in binary or memory: https://gridgames.app
Source: sets.json.4.dr	String found in binary or memory: https://growthrx.in
Source: sets.json.4.dr	String found in binary or memory: https://grupolpg.sv
Source: sets.json.4.dr	String found in binary or memory: https://gujaratijagran.com
Source: sets.json.4.dr	String found in binary or memory: https://hapara.com
Source: sets.json.4.dr	String found in binary or memory: https://hazipatika.com
Source: sets.json.4.dr	String found in binary or memory: https://hc1.com
Source: sets.json.4.dr	String found in binary or memory: https://hc1.global
Source: sets.json.4.dr	String found in binary or memory: https://hc1cas.com
Source: sets.json.4.dr	String found in binary or memory: https://hc1cas.global
Source: sets.json.4.dr	String found in binary or memory: https://healthshots.com
Source: sets.json.4.dr	String found in binary or memory: https://hearty.app
Source: sets.json.4.dr	String found in binary or memory: https://hearty.gift
Source: sets.json.4.dr	String found in binary or memory: https://hearty.me
Source: sets.json.4.dr	String found in binary or memory: https://heartymail.com
Source: sets.json.4.dr	String found in binary or memory: https://heatworld.com
Source: sets.json.4.dr	String found in binary or memory: https://helpdesk.com
Source: sets.json.4.dr	String found in binary or memory: https://hindustantimes.com
Source: sets.json.4.dr	String found in binary or memory: https://hj.rs
Source: sets.json.4.dr	String found in binary or memory: https://hjck.com
Source: sets.json.4.dr	String found in binary or memory: https://html-load.cc
Source: sets.json.4.dr	String found in binary or memory: https://html-load.com
Source: sets.json.4.dr	String found in binary or memory: https://human-talk.org
Source: sets.json.4.dr	String found in binary or memory: https://idbs-cloud.com
Source: sets.json.4.dr	String found in binary or memory: https://idbs-dev.com
Source: sets.json.4.dr	String found in binary or memory: https://idbs-eworkbook.com
Source: sets.json.4.dr	String found in binary or memory: https://idbs-staging.com
Source: sets.json.4.dr	String found in binary or memory: https://img-load.com
Source: sets.json.4.dr	String found in binary or memory: https://indiatimes.com
Source: sets.json.4.dr	String found in binary or memory: https://indiatoday.in
Source: sets.json.4.dr	String found in binary or memory: https://indiatodayne.in
Source: sets.json.4.dr	String found in binary or memory: https://infoedgeindia.com
Source: sets.json.4.dr	String found in binary or memory: https://interia.pl
Source: sets.json.4.dr	String found in binary or memory: https://intoday.in
Source: sets.json.4.dr	String found in binary or memory: https://iolam.it
Source: sets.json.4.dr	String found in binary or memory: https://ishares.com
Source: sets.json.4.dr	String found in binary or memory: https://jagran.com
Source: sets.json.4.dr	String found in binary or memory: https://johndeere.com
Source: sets.json.4.dr	String found in binary or memory: https://journaldesfemmes.com
Source: sets.json.4.dr	String found in binary or memory: https://journaldesfemmes.fr
Source: sets.json.4.dr	String found in binary or memory: https://journaldunet.com
Source: sets.json.4.dr	String found in binary or memory: https://journaldunet.fr
Source: sets.json.4.dr	String found in binary or memory: https://joyreactor.cc
Source: sets.json.4.dr	String found in binary or memory: https://joyreactor.com
Source: sets.json.4.dr	String found in binary or memory: https://kaksya.in
Source: sets.json.4.dr	String found in binary or memory: https://knowledgebase.com
Source: sets.json.4.dr	String found in binary or memory: https://kompas.com
Source: sets.json.4.dr	String found in binary or memory: https://kompas.tv
Source: sets.json.4.dr	String found in binary or memory: https://kompasiana.com
Source: sets.json.4.dr	String found in binary or memory: https://lanacion.com.ar
Source: sets.json.4.dr	String found in binary or memory: https://landyrev.com
Source: sets.json.4.dr	String found in binary or memory: https://landyrev.ru
Source: sets.json.4.dr	String found in binary or memory: https://laprensagrafica.com
Source: sets.json.4.dr	String found in binary or memory: https://lateja.cr
Source: sets.json.4.dr	String found in binary or memory: https://libero.it
Source: sets.json.4.dr	String found in binary or memory: https://linternaute.com
Source: sets.json.4.dr	String found in binary or memory: https://linternaute.fr
Source: sets.json.4.dr	String found in binary or memory: https://livechat.com
Source: sets.json.4.dr	String found in binary or memory: https://livechatinc.com
Source: sets.json.4.dr	String found in binary or memory: https://livehindustan.com
Source: sets.json.4.dr	String found in binary or memory: https://livemint.com
Source: sets.json.4.dr	String found in binary or memory: https://max.auto
Source: sets.json.4.dr	String found in binary or memory: https://medonet.pl
Source: sets.json.4.dr	String found in binary or memory: https://meo.pt
Source: sets.json.4.dr	String found in binary or memory: https://mercadolibre.cl
Source: sets.json.4.dr	String found in binary or memory: https://mercadolibre.co.cr
Source: sets.json.4.dr	String found in binary or memory: https://mercadolibre.com
Source: sets.json.4.dr	String found in binary or memory: https://mercadolibre.com.ar
Source: sets.json.4.dr	String found in binary or memory: https://mercadolibre.com.bo
Source: sets.json.4.dr	String found in binary or memory: https://mercadolibre.com.co
Source: sets.json.4.dr	String found in binary or memory: https://mercadolibre.com.do
Source: sets.json.4.dr	String found in binary or memory: https://mercadolibre.com.ec
Source: sets.json.4.dr	String found in binary or memory: https://mercadolibre.com.gt
Source: sets.json.4.dr	String found in binary or memory: https://mercadolibre.com.hn
Source: sets.json.4.dr	String found in binary or memory: https://mercadolibre.com.mx
Source: sets.json.4.dr	String found in binary or memory: https://mercadolibre.com.ni
Source: sets.json.4.dr	String found in binary or memory: https://mercadolibre.com.pa
Source: sets.json.4.dr	String found in binary or memory: https://mercadolibre.com.pe
Source: sets.json.4.dr	String found in binary or memory: https://mercadolibre.com.py
Source: sets.json.4.dr	String found in binary or memory: https://mercadolibre.com.sv
Source: sets.json.4.dr	String found in binary or memory: https://mercadolibre.com.uy
Source: sets.json.4.dr	String found in binary or memory: https://mercadolibre.com.ve
Source: sets.json.4.dr	String found in binary or memory: https://mercadolivre.com
Source: sets.json.4.dr	String found in binary or memory: https://mercadolivre.com.br
Source: sets.json.4.dr	String found in binary or memory: https://mercadopago.cl
Source: sets.json.4.dr	String found in binary or memory: https://mercadopago.com
Source: sets.json.4.dr	String found in binary or memory: https://mercadopago.com.ar
Source: sets.json.4.dr	String found in binary or memory: https://mercadopago.com.br
Source: sets.json.4.dr	String found in binary or memory: https://mercadopago.com.co
Source: sets.json.4.dr	String found in binary or memory: https://mercadopago.com.ec
Source: sets.json.4.dr	String found in binary or memory: https://mercadopago.com.mx
Source: sets.json.4.dr	String found in binary or memory: https://mercadopago.com.pe
Source: sets.json.4.dr	String found in binary or memory: https://mercadopago.com.uy
Source: sets.json.4.dr	String found in binary or memory: https://mercadopago.com.ve
Source: sets.json.4.dr	String found in binary or memory: https://mercadoshops.cl
Source: sets.json.4.dr	String found in binary or memory: https://mercadoshops.com
Source: sets.json.4.dr	String found in binary or memory: https://mercadoshops.com.ar
Source: sets.json.4.dr	String found in binary or memory: https://mercadoshops.com.br
Source: sets.json.4.dr	String found in binary or memory: https://mercadoshops.com.co
Source: sets.json.4.dr	String found in binary or memory: https://mercadoshops.com.mx
Source: sets.json.4.dr	String found in binary or memory: https://mighty-app.appspot.com
Source: sets.json.4.dr	String found in binary or memory: https://mightytext.net
Source: sets.json.4.dr	String found in binary or memory: https://mittanbud.no
Source: sets.json.4.dr	String found in binary or memory: https://money.pl
Source: sets.json.4.dr	String found in binary or memory: https://motherandbaby.com
Source: sets.json.4.dr	String found in binary or memory: https://mystudentdashboard.com
Source: sets.json.4.dr	String found in binary or memory: https://nacion.com
Source: sets.json.4.dr	String found in binary or memory: https://naukri.com
Source: sets.json.4.dr	String found in binary or memory: https://nidhiacademyonline.com
Source: sets.json.4.dr	String found in binary or memory: https://nien.co
Source: sets.json.4.dr	String found in binary or memory: https://nien.com
Source: sets.json.4.dr	String found in binary or memory: https://nien.org
Source: sets.json.4.dr	String found in binary or memory: https://nlc.hu
Source: sets.json.4.dr	String found in binary or memory: https://nosalty.hu
Source: sets.json.4.dr	String found in binary or memory: https://noticiascaracol.com
Source: sets.json.4.dr	String found in binary or memory: https://nourishingpursuits.com
Source: sets.json.4.dr	String found in binary or memory: https://nvidia.com
Source: sets.json.4.dr	String found in binary or memory: https://o2.pl
Source: sets.json.4.dr	String found in binary or memory: https://ocdn.eu
Source: sets.json.4.dr	String found in binary or memory: https://onet.pl
Source: sets.json.4.dr	String found in binary or memory: https://ottplay.com
Source: sets.json.4.dr	String found in binary or memory: https://p106.net
Source: sets.json.4.dr	String found in binary or memory: https://p24.hu
Source: sets.json.4.dr	String found in binary or memory: https://paula.com.uy
Source: sets.json.4.dr	String found in binary or memory: https://pdmp-apis.no
Source: sets.json.4.dr	String found in binary or memory: https://phonandroid.com
Source: chromecache_175.6.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_175.6.dr	String found in binary or memory: https://play.google.com/work/enroll?identifier=
Source: chromecache_175.6.dr	String found in binary or memory: https://play.google/intl/
Source: sets.json.4.dr	String found in binary or memory: https://player.pl
Source: sets.json.4.dr	String found in binary or memory: https://plejada.pl
Source: sets.json.4.dr	String found in binary or memory: https://poalim.site
Source: sets.json.4.dr	String found in binary or memory: https://poalim.xyz
Source: chromecache_175.6.dr	String found in binary or memory: https://policies.google.com/privacy
Source: chromecache_175.6.dr	String found in binary or memory: https://policies.google.com/privacy/additional
Source: chromecache_175.6.dr	String found in binary or memory: https://policies.google.com/privacy/google-partners
Source: chromecache_175.6.dr	String found in binary or memory: https://policies.google.com/technologies/cookies
Source: chromecache_175.6.dr	String found in binary or memory: https://policies.google.com/technologies/location-data
Source: chromecache_175.6.dr	String found in binary or memory: https://policies.google.com/terms
Source: chromecache_175.6.dr	String found in binary or memory: https://policies.google.com/terms/location
Source: chromecache_175.6.dr	String found in binary or memory: https://policies.google.com/terms/service-specific
Source: sets.json.4.dr	String found in binary or memory: https://pomponik.pl
Source: sets.json.4.dr	String found in binary or memory: https://portalinmobiliario.com
Source: sets.json.4.dr	String found in binary or memory: https://prisjakt.no
Source: sets.json.4.dr	String found in binary or memory: https://pudelek.pl
Source: sets.json.4.dr	String found in binary or memory: https://punjabijagran.com
Source: sets.json.4.dr	String found in binary or memory: https://radio1.be
Source: sets.json.4.dr	String found in binary or memory: https://radio2.be
Source: sets.json.4.dr	String found in binary or memory: https://reactor.cc
Source: sets.json.4.dr	String found in binary or memory: https://repid.org
Source: sets.json.4.dr	String found in binary or memory: https://reshim.org
Source: sets.json.4.dr	String found in binary or memory: https://rws1nvtvt.com
Source: sets.json.4.dr	String found in binary or memory: https://rws2nvtvt.com
Source: sets.json.4.dr	String found in binary or memory: https://rws3nvtvt.com
Source: sets.json.4.dr	String found in binary or memory: https://sackrace.ai
Source: sets.json.4.dr	String found in binary or memory: https://salemoveadvisor.com
Source: sets.json.4.dr	String found in binary or memory: https://salemovefinancial.com
Source: sets.json.4.dr	String found in binary or memory: https://salemovetravel.com
Source: sets.json.4.dr	String found in binary or memory: https://samayam.com
Source: sets.json.4.dr	String found in binary or memory: https://sapo.io
Source: sets.json.4.dr	String found in binary or memory: https://sapo.pt
Source: sets.json.4.dr	String found in binary or memory: https://shock.co
Source: sets.json.4.dr	String found in binary or memory: https://smaker.pl
Source: sets.json.4.dr	String found in binary or memory: https://smoney.vn
Source: sets.json.4.dr	String found in binary or memory: https://smpn106jkt.sch.id
Source: sets.json.4.dr	String found in binary or memory: https://socket-to-me.vip
Source: sets.json.4.dr	String found in binary or memory: https://songshare.com
Source: sets.json.4.dr	String found in binary or memory: https://songstats.com
Source: sets.json.4.dr	String found in binary or memory: https://sporza.be
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-email-pin.gif
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-password.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-or-voice-pin.gif
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-pin.gif
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-stop-go-landing-page_1x.png
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/animation/
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_device.png
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_pin.png
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync.png
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_1x.png
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_2x.png
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_darkmode_1x.png
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/continue_on_your_phone.png
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_phone_number_verification.png
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_silent_tap_yes_darkmode.gif
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes.gif
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes_darkmode.gif
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success_darkmode.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_dark_v2.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated_darkmode.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_v2.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_not_ready.png
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_1.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_dark_1.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_1.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_darkmode_1.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_1.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_darkmode_1.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_created.png
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device_darkmode.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_full_house.png
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_1.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_darkmode_1.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision_darkmode.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_1.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_darkmode_1.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_1.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_darkmode_1.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device_darkmode.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_stop.png
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/personalization_reminders.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/phone_number_sign_in_2x.png
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key.gif
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_ios_center.png
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_laptop.gif
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered.gif
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered_darkmode.gif
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_phone.gif
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_ios.gif
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_pulldown.gif
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_tapyes.gif
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/smart_lock_2x.png
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/usb_key.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/web_and_app_activity.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/you_tube_history.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/gmail_ios_authzen.gif
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/paaskey.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge_darkmode.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_darkmode.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device_darkmode.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_darkmode.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error_darkmode.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth_darkmode.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success_darkmode.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror_darkmode.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/screenlock.png
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_ipad.gif
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone.gif
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_nfc.gif
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_usb.gif
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_phone.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_keys.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2_darkmode.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/loading_spinner_gm.gif
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/progress_spinner_color_20dp_4x.gif
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/success-gm-default_2x.png
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/images/hpp/shield_security_checkup_green_2x_web_96dp.png
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked_dark.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp_dark.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents_dark.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices_darkmode.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization_darkmode.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation_darkmode.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error_darkmode.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork_darkmode.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro_darkmode.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results_darkmode.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search_darkmode.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications_dark.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_2.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_dark_2.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_2.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_dark_2.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_2.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_dark_2.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_2.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_dark_2.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_2.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_dark_3.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_1.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_dark_1.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_1.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_dark_1.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_2.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_dark_2.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_1.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_dark_1.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_2.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_dark_2.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_dark_v2.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_v2.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation_dark.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation_dark.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email_dark.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set_darkmode.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set_dark.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_dark.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_v2.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2_dark.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2_dark.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink_dark.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling_dark.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_dark_v2.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_v2.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2_dark.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup_dark.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2_dark.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2_dark.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2_dark.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help_dark.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space.png
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space_dark.png
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation_dark.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits_dark.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2.svg
Source: chromecache_181.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2_dark.svg
Source: sets.json.4.dr	String found in binary or memory: https://standardsandpraiserepurpose.com
Source: sets.json.4.dr	String found in binary or memory: https://startlap.hu
Source: sets.json.4.dr	String found in binary or memory: https://startupislandtaiwan.com
Source: sets.json.4.dr	String found in binary or memory: https://startupislandtaiwan.net
Source: sets.json.4.dr	String found in binary or memory: https://startupislandtaiwan.org
Source: sets.json.4.dr	String found in binary or memory: https://stripe.com
Source: sets.json.4.dr	String found in binary or memory: https://stripe.network
Source: sets.json.4.dr	String found in binary or memory: https://stripecdn.com
Source: sets.json.4.dr	String found in binary or memory: https://supereva.it
Source: chromecache_175.6.dr	String found in binary or memory: https://support.google.com/accounts?hl=
Source: chromecache_175.6.dr	String found in binary or memory: https://support.google.com/accounts?p=new-si-ui
Source: chromecache_175.6.dr	String found in binary or memory: https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072
Source: sets.json.4.dr	String found in binary or memory: https://takeabreak.co.uk
Source: sets.json.4.dr	String found in binary or memory: https://talkdeskqaid.com
Source: sets.json.4.dr	String found in binary or memory: https://talkdeskstgid.com
Source: sets.json.4.dr	String found in binary or memory: https://teacherdashboard.com
Source: sets.json.4.dr	String found in binary or memory: https://technology-revealed.com
Source: sets.json.4.dr	String found in binary or memory: https://terazgotuje.pl
Source: sets.json.4.dr	String found in binary or memory: https://text.com
Source: sets.json.4.dr	String found in binary or memory: https://textyserver.appspot.com
Source: sets.json.4.dr	String found in binary or memory: https://the42.ie
Source: sets.json.4.dr	String found in binary or memory: https://thejournal.ie
Source: sets.json.4.dr	String found in binary or memory: https://thirdspace.org.au
Source: sets.json.4.dr	String found in binary or memory: https://timesinternet.in
Source: sets.json.4.dr	String found in binary or memory: https://timesofindia.com
Source: sets.json.4.dr	String found in binary or memory: https://tolteck.app
Source: sets.json.4.dr	String found in binary or memory: https://tolteck.com
Source: sets.json.4.dr	String found in binary or memory: https://top.pl
Source: sets.json.4.dr	String found in binary or memory: https://tribunnews.com
Source: sets.json.4.dr	String found in binary or memory: https://trytalkdesk.com
Source: sets.json.4.dr	String found in binary or memory: https://tucarro.com
Source: sets.json.4.dr	String found in binary or memory: https://tucarro.com.co
Source: sets.json.4.dr	String found in binary or memory: https://tucarro.com.ve
Source: sets.json.4.dr	String found in binary or memory: https://tvid.in
Source: sets.json.4.dr	String found in binary or memory: https://tvn.pl
Source: sets.json.4.dr	String found in binary or memory: https://tvn24.pl
Source: chromecache_181.6.dr	String found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
Source: sets.json.4.dr	String found in binary or memory: https://unotv.com
Source: sets.json.4.dr	String found in binary or memory: https://victorymedium.com
Source: sets.json.4.dr	String found in binary or memory: https://vrt.be
Source: sets.json.4.dr	String found in binary or memory: https://vwo.com
Source: sets.json.4.dr	String found in binary or memory: https://welt.de
Source: sets.json.4.dr	String found in binary or memory: https://wieistmeineip.de
Source: sets.json.4.dr	String found in binary or memory: https://wildix.com
Source: sets.json.4.dr	String found in binary or memory: https://wildixin.com
Source: sets.json.4.dr	String found in binary or memory: https://wingify.com
Source: sets.json.4.dr	String found in binary or memory: https://wordle.at
Source: sets.json.4.dr	String found in binary or memory: https://wp.pl
Source: sets.json.4.dr	String found in binary or memory: https://wpext.pl
Source: sets.json.4.dr	String found in binary or memory: https://www.asadcdn.com
Source: chromecache_175.6.dr	String found in binary or memory: https://www.google.com
Source: chromecache_175.6.dr	String found in binary or memory: https://www.google.com/intl/
Source: chromecache_181.6.dr	String found in binary or memory: https://www.gstatic.com/accounts/speedbump/authzen_optin_illustration.gif
Source: chromecache_175.6.dr	String found in binary or memory: https://www.gstatic.com/images/branding/productlogos/googleg/v6/36px.svg
Source: chromecache_175.6.dr	String found in binary or memory: https://www.youtube.com/t/terms?chromeless=1&hl=
Source: sets.json.4.dr	String found in binary or memory: https://ya.ru
Source: sets.json.4.dr	String found in binary or memory: https://yours.co.uk
Source: file.exe, 00000000.00000003.2021661828.0000000001514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: chromecache_175.6.dr	String found in binary or memory: https://youtube.com/t/terms?gl=
Source: sets.json.4.dr	String found in binary or memory: https://zalo.me
Source: sets.json.4.dr	String found in binary or memory: https://zdrowietvn.pl
Source: sets.json.4.dr	String found in binary or memory: https://zingmp3.vn

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55429
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55428
Source: unknown	Network traffic detected: HTTP traffic on port 65371 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 65375 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55435 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55430
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55429 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 65370 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55434
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55435
Source: unknown	Network traffic detected: HTTP traffic on port 65374 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65370
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65371
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65374
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65375
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65372
Source: unknown	Network traffic detected: HTTP traffic on port 55428 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65373
Source: unknown	Network traffic detected: HTTP traffic on port 55430 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 65373 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 65372 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 65376 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55434 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65376
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.69.42.241:443 -> 192.168.2.5:65370 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:65371 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.5:65372 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.5:65373 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004CEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_004CEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004CED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_004CED6A

Source: C:\Users\user\Desktop\file.exe

0_2_004CEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004BAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_004BAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004E9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_004E9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_7ac19961-0
Source: file.exe, 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_0aff3d0f-7
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_0e3c088a-9
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_63609fb6-4

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004BD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_004BD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004B1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_004B1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004BE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_004BE8F6

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6048_2110720458	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6048_2110720458\sets.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6048_2110720458\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6048_2110720458\LICENSE	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6048_2110720458\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6048_2110720458\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6048_2110720458\manifest.fingerprint	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6048_393236696	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6048_393236696\Google.Widevine.CDM.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6048_393236696\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6048_393236696\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6048_393236696\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6048_393236696\manifest.fingerprint	Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File deleted: C:\Windows\SystemTemp\chrome_BITS_6048_2072608446

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045BF40	0_2_0045BF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004C2046	0_2_004C2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00458060	0_2_00458060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B8298	0_2_004B8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0048E4FF	0_2_0048E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0048676B	0_2_0048676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004E4873	0_2_004E4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045CAF0	0_2_0045CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0047CAA0	0_2_0047CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0046CC39	0_2_0046CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00486DD9	0_2_00486DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0046B119	0_2_0046B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004591C0	0_2_004591C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00471394	0_2_00471394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00471706	0_2_00471706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0047781B	0_2_0047781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0046997D	0_2_0046997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00457920	0_2_00457920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004719B0	0_2_004719B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00477A4A	0_2_00477A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00471C77	0_2_00471C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00477CA7	0_2_00477CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004DBE44	0_2_004DBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00489EEE	0_2_00489EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00471F32	0_2_00471F32

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00470A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0046F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00459CB3 appears 31 times

Source: Google.Widevine.CDM.dll.4.dr

Static PE information: Number of sections : 12 > 10

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@41/45@13/9

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004C37B5 GetLastError,FormatMessageW,

0_2_004C37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B10BF AdjustTokenPrivileges,CloseHandle,		0_2_004B10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_004B16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004C51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_004C51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004DA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_004DA67C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004C648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_004C648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004542A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_004542A2

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7100:120:WilError_03

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe	ReversingLabs: Detection: 13%
Source: file.exe	Virustotal: Detection: 18%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 --field-trial-handle=2172,i,2599626556490026948,17595553873914899486,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5500 --field-trial-handle=2172,i,2599626556490026948,17595553873914899486,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5644 --field-trial-handle=2172,i,2599626556490026948,17595553873914899486,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 --field-trial-handle=2172,i,2599626556490026948,17595553873914899486,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5500 --field-trial-handle=2172,i,2599626556490026948,17595553873914899486,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5644 --field-trial-handle=2172,i,2599626556490026948,17595553873914899486,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Google Drive.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: Google.Widevine.CDM.dll.pdb source: Google.Widevine.CDM.dll.4.dr

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004542DE

Source: Google.Widevine.CDM.dll.4.dr	Static PE information: section name: .00cfg
Source: Google.Widevine.CDM.dll.4.dr	Static PE information: section name: .gxfg
Source: Google.Widevine.CDM.dll.4.dr	Static PE information: section name: .retplne
Source: Google.Widevine.CDM.dll.4.dr	Static PE information: section name: .voltbl
Source: Google.Widevine.CDM.dll.4.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00470A76 push ecx; ret

0_2_00470A89

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6048_393236696\Google.Widevine.CDM.dll

Jump to dropped file

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6048_393236696\Google.Widevine.CDM.dll

Jump to dropped file

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0046F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0046F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004E1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_004E1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95877

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.5 %

Source: C:\Users\user\Desktop\file.exe TID: 5144	Thread sleep count: 61 > 30			Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5144	Thread sleep count: 48 > 30			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004BDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_004BDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0048C2A2 FindFirstFileExW,	0_2_0048C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004C68EE FindFirstFileW,FindClose,	0_2_004C68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004C698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_004C698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004BD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_004BD076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004BD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_004BD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004C9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_004C9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004C979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_004C979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004C9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_004C9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004C5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_004C5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004542DE

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004CEAA2 BlockInput,

0_2_004CEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00482622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00482622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004542DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00474CE8 mov eax, dword ptr fs:[00000030h]

0_2_00474CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004B0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_004B0B62

Source: C:\Windows\SysWOW64\taskkill.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00482622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00482622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0047083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0047083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004709D5 SetUnhandledExceptionFilter,	0_2_004709D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00470C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00470C21

Source: C:\Users\user\Desktop\file.exe

0_2_004B1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00492BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00492BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004BB226 SendInput,keybd_event,

0_2_004BB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004D22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_004D22DA

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_004B0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004B1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_004B1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00470698 cpuid

0_2_00470698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004C8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_004C8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004AD27A GetUserNameW,

0_2_004AD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0048B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0048B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004542DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 1412, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 1412, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004D1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_004D1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004D1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_004D1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Process Injection	1 File Deletion	LSA Secrets	12 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	21 Masquerading	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
file.exe	13%	ReversingLabs
file.exe	18%	Virustotal	Browse
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6048_393236696\Google.Widevine.CDM.dll	0%	ReversingLabs
C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6048_393236696\Google.Widevine.CDM.dll	0%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
youtube-ui.l.google.com	0%	Virustotal	Browse
youtube.com	0%	Virustotal	Browse
www3.l.google.com	0%	Virustotal	Browse
play.google.com	0%	Virustotal	Browse
www.google.com	0%	Virustotal	Browse
www.youtube.com	0%	Virustotal	Browse
accounts.youtube.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://wieistmeineip.de	0%	URL Reputation	safe
https://wieistmeineip.de	0%	URL Reputation	safe
https://mercadoshops.com.co	0%	URL Reputation	safe
https://gliadomain.com	0%	URL Reputation	safe
https://gliadomain.com	0%	URL Reputation	safe
https://poalim.xyz	0%	URL Reputation	safe
https://mercadolivre.com	0%	URL Reputation	safe
https://mercadolivre.com	0%	URL Reputation	safe
https://policies.google.com/terms/service-specific	0%	URL Reputation	safe
https://reshim.org	0%	URL Reputation	safe
https://nourishingpursuits.com	0%	URL Reputation	safe
https://medonet.pl	0%	URL Reputation	safe
https://medonet.pl	0%	URL Reputation	safe
https://unotv.com	0%	URL Reputation	safe
https://unotv.com	0%	URL Reputation	safe
https://mercadoshops.com.br	0%	URL Reputation	safe
https://policies.google.com/technologies/cookies	0%	URL Reputation	safe
https://policies.google.com/technologies/cookies	0%	URL Reputation	safe
https://zdrowietvn.pl	0%	URL Reputation	safe
https://johndeere.com	0%	URL Reputation	safe
https://songstats.com	0%	URL Reputation	safe
https://baomoi.com	0%	URL Reputation	safe
https://baomoi.com	0%	URL Reputation	safe
https://supereva.it	0%	URL Reputation	safe
https://elfinancierocr.com	0%	URL Reputation	safe
https://bolasport.com	0%	URL Reputation	safe
https://bolasport.com	0%	URL Reputation	safe
https://rws1nvtvt.com	0%	URL Reputation	safe
https://desimartini.com	0%	URL Reputation	safe
https://hearty.app	0%	URL Reputation	safe
https://hearty.app	0%	URL Reputation	safe
https://hearty.gift	0%	URL Reputation	safe
https://mercadoshops.com	0%	URL Reputation	safe
https://heartymail.com	0%	URL Reputation	safe
https://p106.net	0%	URL Reputation	safe
https://radio2.be	0%	URL Reputation	safe
https://finn.no	0%	URL Reputation	safe
https://hc1.com	0%	URL Reputation	safe
https://kompas.tv	0%	URL Reputation	safe
https://mystudentdashboard.com	0%	URL Reputation	safe
https://songshare.com	0%	URL Reputation	safe
https://smaker.pl	0%	URL Reputation	safe
https://mercadopago.com.mx	0%	URL Reputation	safe
https://p24.hu	0%	URL Reputation	safe
https://talkdeskqaid.com	0%	URL Reputation	safe
https://mercadopago.com.pe	0%	URL Reputation	safe
https://cardsayings.net	0%	URL Reputation	safe
https://apis.google.com/js/api.js	0%	URL Reputation	safe
https://mightytext.net	0%	URL Reputation	safe
https://pudelek.pl	0%	URL Reputation	safe
https://hazipatika.com	0%	URL Reputation	safe
https://hazipatika.com	0%	URL Reputation	safe
https://joyreactor.com	0%	URL Reputation	safe
https://cookreactor.com	0%	URL Reputation	safe
https://wildixin.com	0%	URL Reputation	safe
https://wildixin.com	0%	URL Reputation	safe
https://eworkbookcloud.com	0%	URL Reputation	safe
https://eworkbookcloud.com	0%	URL Reputation	safe
https://cognitiveai.ru	0%	URL Reputation	safe
https://nacion.com	0%	URL Reputation	safe
https://nacion.com	0%	URL Reputation	safe
https://chennien.com	0%	URL Reputation	safe
https://chennien.com	0%	URL Reputation	safe
https://drimer.travel	0%	URL Reputation	safe
https://drimer.travel	0%	URL Reputation	safe
https://deccoria.pl	0%	URL Reputation	safe
https://deccoria.pl	0%	URL Reputation	safe
https://mercadopago.cl	0%	URL Reputation	safe
https://talkdeskstgid.com	0%	URL Reputation	safe
https://bonvivir.com	0%	URL Reputation	safe
https://carcostadvisor.be	0%	URL Reputation	safe
https://salemovetravel.com	0%	URL Reputation	safe
https://sapo.io	0%	URL Reputation	safe
https://wpext.pl	0%	URL Reputation	safe
https://welt.de	0%	URL Reputation	safe
https://poalim.site	0%	URL Reputation	safe
https://drimer.io	0%	URL Reputation	safe
https://infoedgeindia.com	0%	URL Reputation	safe
https://blackrockadvisorelite.it	0%	URL Reputation	safe
https://policies.google.com/privacy	0%	URL Reputation	safe
https://cognitive-ai.ru	0%	URL Reputation	safe
https://cafemedia.com	0%	URL Reputation	safe
https://graziadaily.co.uk	0%	URL Reputation	safe
https://thirdspace.org.au	0%	URL Reputation	safe
https://mercadoshops.com.ar	0%	URL Reputation	safe
https://smpn106jkt.sch.id	0%	URL Reputation	safe
https://elpais.uy	0%	URL Reputation	safe
https://landyrev.com	0%	URL Reputation	safe
https://the42.ie	0%	URL Reputation	safe
https://commentcamarche.com	0%	URL Reputation	safe
https://tucarro.com.ve	0%	URL Reputation	safe
https://rws3nvtvt.com	0%	URL Reputation	safe
https://eleconomista.net	0%	URL Reputation	safe
https://mercadolivre.com.br	0%	URL Reputation	safe
https://clmbtech.com	0%	URL Reputation	safe
https://standardsandpraiserepurpose.com	0%	URL Reputation	safe
https://salemovefinancial.com	0%	URL Reputation	safe
https://mercadopago.com.br	0%	URL Reputation	safe
https://commentcamarche.net	0%	URL Reputation	safe
https://etfacademy.it	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
youtube-ui.l.google.com	142.250.186.46	true	false	0%, Virustotal, Browse	unknown
www3.l.google.com	142.250.185.110	true	false	0%, Virustotal, Browse	unknown
play.google.com	216.58.206.46	true	false	0%, Virustotal, Browse	unknown
www.google.com	142.250.185.132	true	false	0%, Virustotal, Browse	unknown
youtube.com	142.250.185.174	true	false	0%, Virustotal, Browse	unknown
241.42.69.40.in-addr.arpa	unknown	unknown	false		unknown
accounts.youtube.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
www.youtube.com	unknown	unknown	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.google.com/favicon.ico	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://wieistmeineip.de	sets.json.4.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://mercadoshops.com.co	sets.json.4.dr	false	URL Reputation: safe	unknown
https://gliadomain.com	sets.json.4.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://poalim.xyz	sets.json.4.dr	false	URL Reputation: safe	unknown
https://mercadolivre.com	sets.json.4.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://play.google.com/work/enroll?identifier=	chromecache_175.6.dr	false	0%, Virustotal, Browse	unknown
https://policies.google.com/terms/service-specific	chromecache_175.6.dr	false	URL Reputation: safe	unknown
https://reshim.org	sets.json.4.dr	false	URL Reputation: safe	unknown
https://nourishingpursuits.com	sets.json.4.dr	false	URL Reputation: safe	unknown
https://medonet.pl	sets.json.4.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://unotv.com	sets.json.4.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://mercadoshops.com.br	sets.json.4.dr	false	URL Reputation: safe	unknown
https://joyreactor.cc	sets.json.4.dr	false	1%, Virustotal, Browse	unknown
https://policies.google.com/technologies/cookies	chromecache_175.6.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://zdrowietvn.pl	sets.json.4.dr	false	URL Reputation: safe	unknown
https://johndeere.com	sets.json.4.dr	false	URL Reputation: safe	unknown
https://songstats.com	sets.json.4.dr	false	URL Reputation: safe	unknown
https://baomoi.com	sets.json.4.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://supereva.it	sets.json.4.dr	false	URL Reputation: safe	unknown
https://elfinancierocr.com	sets.json.4.dr	false	URL Reputation: safe	unknown
https://bolasport.com	sets.json.4.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://rws1nvtvt.com	sets.json.4.dr	false	URL Reputation: safe	unknown
https://www.youtube.com/t/terms?chromeless=1&hl=	chromecache_175.6.dr	false	0%, Virustotal, Browse	unknown
https://desimartini.com	sets.json.4.dr	false	URL Reputation: safe	unknown
https://hearty.app	sets.json.4.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://hearty.gift	sets.json.4.dr	false	URL Reputation: safe	unknown
https://mercadoshops.com	sets.json.4.dr	false	URL Reputation: safe	unknown
https://heartymail.com	sets.json.4.dr	false	URL Reputation: safe	unknown
https://nlc.hu	sets.json.4.dr	false	0%, Virustotal, Browse	unknown
https://p106.net	sets.json.4.dr	false	URL Reputation: safe	unknown
https://radio2.be	sets.json.4.dr	false	URL Reputation: safe	unknown
https://finn.no	sets.json.4.dr	false	URL Reputation: safe	unknown
https://hc1.com	sets.json.4.dr	false	URL Reputation: safe	unknown
https://kompas.tv	sets.json.4.dr	false	URL Reputation: safe	unknown
https://mystudentdashboard.com	sets.json.4.dr	false	URL Reputation: safe	unknown
https://songshare.com	sets.json.4.dr	false	URL Reputation: safe	unknown
https://smaker.pl	sets.json.4.dr	false	URL Reputation: safe	unknown
https://mercadopago.com.mx	sets.json.4.dr	false	URL Reputation: safe	unknown
https://p24.hu	sets.json.4.dr	false	URL Reputation: safe	unknown
https://talkdeskqaid.com	sets.json.4.dr	false	URL Reputation: safe	unknown
https://24.hu	sets.json.4.dr	false	0%, Virustotal, Browse	unknown
https://mercadopago.com.pe	sets.json.4.dr	false	URL Reputation: safe	unknown
https://cardsayings.net	sets.json.4.dr	false	URL Reputation: safe	unknown
https://text.com	sets.json.4.dr	false	0%, Virustotal, Browse	unknown
https://apis.google.com/js/api.js	chromecache_181.6.dr	false	URL Reputation: safe	unknown
https://mightytext.net	sets.json.4.dr	false	URL Reputation: safe	unknown
https://pudelek.pl	sets.json.4.dr	false	URL Reputation: safe	unknown
https://hazipatika.com	sets.json.4.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://joyreactor.com	sets.json.4.dr	false	URL Reputation: safe	unknown
https://cookreactor.com	sets.json.4.dr	false	URL Reputation: safe	unknown
https://wildixin.com	sets.json.4.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://eworkbookcloud.com	sets.json.4.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://cognitiveai.ru	sets.json.4.dr	false	URL Reputation: safe	unknown
https://nacion.com	sets.json.4.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://chennien.com	sets.json.4.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://drimer.travel	sets.json.4.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://deccoria.pl	sets.json.4.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://mercadopago.cl	sets.json.4.dr	false	URL Reputation: safe	unknown
https://talkdeskstgid.com	sets.json.4.dr	false	URL Reputation: safe	unknown
https://naukri.com	sets.json.4.dr	false	0%, Virustotal, Browse	unknown
https://interia.pl	sets.json.4.dr	false	0%, Virustotal, Browse	unknown
https://bonvivir.com	sets.json.4.dr	false	URL Reputation: safe	unknown
https://carcostadvisor.be	sets.json.4.dr	false	URL Reputation: safe	unknown
https://salemovetravel.com	sets.json.4.dr	false	URL Reputation: safe	unknown
https://sapo.io	sets.json.4.dr	false	URL Reputation: safe	unknown
https://wpext.pl	sets.json.4.dr	false	URL Reputation: safe	unknown
https://welt.de	sets.json.4.dr	false	URL Reputation: safe	unknown
https://poalim.site	sets.json.4.dr	false	URL Reputation: safe	unknown
https://drimer.io	sets.json.4.dr	false	URL Reputation: safe	unknown
https://infoedgeindia.com	sets.json.4.dr	false	URL Reputation: safe	unknown
https://blackrockadvisorelite.it	sets.json.4.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy	chromecache_175.6.dr	false	URL Reputation: safe	unknown
https://cognitive-ai.ru	sets.json.4.dr	false	URL Reputation: safe	unknown
https://cafemedia.com	sets.json.4.dr	false	URL Reputation: safe	unknown
https://graziadaily.co.uk	sets.json.4.dr	false	URL Reputation: safe	unknown
https://thirdspace.org.au	sets.json.4.dr	false	URL Reputation: safe	unknown
https://mercadoshops.com.ar	sets.json.4.dr	false	URL Reputation: safe	unknown
https://smpn106jkt.sch.id	sets.json.4.dr	false	URL Reputation: safe	unknown
https://elpais.uy	sets.json.4.dr	false	URL Reputation: safe	unknown
https://landyrev.com	sets.json.4.dr	false	URL Reputation: safe	unknown
https://the42.ie	sets.json.4.dr	false	URL Reputation: safe	unknown
https://commentcamarche.com	sets.json.4.dr	false	URL Reputation: safe	unknown
https://tucarro.com.ve	sets.json.4.dr	false	URL Reputation: safe	unknown
https://rws3nvtvt.com	sets.json.4.dr	false	URL Reputation: safe	unknown
https://eleconomista.net	sets.json.4.dr	false	URL Reputation: safe	unknown
https://helpdesk.com	sets.json.4.dr	false	0%, Virustotal, Browse	unknown
https://mercadolivre.com.br	sets.json.4.dr	false	URL Reputation: safe	unknown
https://clmbtech.com	sets.json.4.dr	false	URL Reputation: safe	unknown
https://standardsandpraiserepurpose.com	sets.json.4.dr	false	URL Reputation: safe	unknown
https://07c225f3.online	sets.json.4.dr	false	0%, Virustotal, Browse	unknown
https://salemovefinancial.com	sets.json.4.dr	false	URL Reputation: safe	unknown
https://mercadopago.com.br	sets.json.4.dr	false	URL Reputation: safe	unknown
https://commentcamarche.net	sets.json.4.dr	false	URL Reputation: safe	unknown
https://etfacademy.it	sets.json.4.dr	false	URL Reputation: safe	unknown
https://mighty-app.appspot.com	sets.json.4.dr	false	URL Reputation: safe	unknown
https://hj.rs	sets.json.4.dr	false	URL Reputation: safe	unknown
https://hearty.me	sets.json.4.dr	false	URL Reputation: safe	unknown
https://mercadolibre.com.gt	sets.json.4.dr	false	URL Reputation: safe	unknown
https://timesinternet.in	sets.json.4.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.174	unknown	United States	15169	GOOGLEUS	false
142.250.185.132	www.google.com	United States	15169	GOOGLEUS	false
142.250.185.110	www3.l.google.com	United States	15169	GOOGLEUS	false
216.58.206.46	play.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.185.174	youtube.com	United States	15169	GOOGLEUS	false
142.250.186.164	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.16
192.168.2.5

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523882
Start date and time:	2024-10-02 06:53:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@41/45@13/9
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 38 Number of non-executed functions: 310
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.185.163, 142.250.110.84, 172.217.18.14, 34.104.35.123, 142.250.185.138, 216.58.206.42, 142.250.185.202, 216.58.212.170, 142.250.185.106, 142.250.186.106, 142.250.186.170, 172.217.16.138, 142.250.181.234, 142.250.185.170, 172.217.18.10, 142.250.184.202, 142.250.185.234, 142.250.186.42, 142.250.184.234, 142.250.74.202, 172.217.18.99, 216.58.206.67, 172.217.23.106, 216.58.206.74, 172.217.18.106, 142.250.186.138, 142.250.186.74, 172.217.16.202, 142.250.185.74, 93.184.221.240, 192.229.221.95, 142.250.185.67, 142.250.186.46
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, slscr.update.microsoft.com, fonts.gstatic.com, ctldl.windowsupdate.com, clientservices.googleapis.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com, www.gstatic.com, optimizationguide-pa.googleapis.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	404.exe	Get hash	malicious	Unknown	Browse
	D0WmCTD2qO.bat	Get hash	malicious	Unknown	Browse
	c5WMpr1cOc.bat	Get hash	malicious	Unknown	Browse
	404.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	http://loglnmicrosoftonl365.Globalfoundries.vitoriorefrigeracao.com.br/excel/active/test@globalfoundries.com	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	http://lamourskinclinic.com.au	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
youtube-ui.l.google.com	file.exe	Get hash	malicious	Credential Flusher	Browse	142.250.185.206
	file.exe	Get hash	malicious	Credential Flusher	Browse	142.250.181.238
	file.exe	Get hash	malicious	Credential Flusher	Browse	216.58.206.78
	file.exe	Get hash	malicious	Credential Flusher	Browse	142.250.186.110
	file.exe	Get hash	malicious	Credential Flusher	Browse	142.250.186.78
	file.exe	Get hash	malicious	Credential Flusher	Browse	142.250.184.206
	file.exe	Get hash	malicious	Credential Flusher	Browse	142.250.186.78
	file.exe	Get hash	malicious	Credential Flusher	Browse	142.250.184.206
	file.exe	Get hash	malicious	Credential Flusher	Browse	142.250.185.174
	https://www.elightsailorsbank.uksfholdings.com/	Get hash	malicious	Unknown	Browse	142.250.186.142

ASNs

⊘No context

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	404.exe	Get hash	malicious	Unknown	Browse	4.175.87.197 13.85.23.86 184.28.90.27 40.69.42.241
	D0WmCTD2qO.bat	Get hash	malicious	Unknown	Browse	4.175.87.197 13.85.23.86 184.28.90.27 40.69.42.241
	c5WMpr1cOc.bat	Get hash	malicious	Unknown	Browse	4.175.87.197 13.85.23.86 184.28.90.27 40.69.42.241
	404.exe	Get hash	malicious	Unknown	Browse	4.175.87.197 13.85.23.86 184.28.90.27 40.69.42.241
	file.exe	Get hash	malicious	Credential Flusher	Browse	4.175.87.197 13.85.23.86 184.28.90.27 40.69.42.241
	file.exe	Get hash	malicious	Credential Flusher	Browse	4.175.87.197 13.85.23.86 184.28.90.27 40.69.42.241
	file.exe	Get hash	malicious	Credential Flusher	Browse	4.175.87.197 13.85.23.86 184.28.90.27 40.69.42.241
	http://loglnmicrosoftonl365.Globalfoundries.vitoriorefrigeracao.com.br/excel/active/test@globalfoundries.com	Get hash	malicious	Unknown	Browse	4.175.87.197 13.85.23.86 184.28.90.27 40.69.42.241
	file.exe	Get hash	malicious	Credential Flusher	Browse	4.175.87.197 13.85.23.86 184.28.90.27 40.69.42.241
	https://unpaidrefund.top/view/mygov	Get hash	malicious	HTMLPhisher	Browse	4.175.87.197 13.85.23.86 184.28.90.27 40.69.42.241

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6048_393236696\Google.Widevine.CDM.dll	ELECTRONIC RECEIPT_Opcsa.html	Get hash	malicious	EvilProxy, HTMLPhisher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	http://hdelm7ye84n38d9lvch0ev4c0.js.wpuserpowered.com/	Get hash	malicious	Unknown	Browse
	https://newmexicogov-my.sharepoint.com/:f:/g/personal/christine_fuller_newmexicogov_onmicrosoft_com/EoaWDUrKgw5NpxyRqgYpeMMB9xM6HiHeCt0mCjuvQCuY2A?e=Aa5N0v	Get hash	malicious	Unknown	Browse
	https://main.d3engbxc9elyir.amplifyapp.com/	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	https://bgbonline.cecchinatoonline.top/	Get hash	malicious	HtmlDropper	Browse
	https://mintlink5.vercel.app/	Get hash	malicious	HTMLPhisher	Browse
	http://moollhanot.freewebhostmost.com/	Get hash	malicious	Unknown	Browse
	https://qrco.de/bfQgn5	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 2 03:53:58 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9793386068400167
Encrypted:	false
SSDEEP:	48:8Hda1T69CcHfidAKZdA19ehwiZUklqehTy+3:8snsgy
MD5:	F9E5CD56FC2E0543A560AC5F671DBD64
SHA1:	1349440ADB1913C970981D41399FCA07D385E3D0
SHA-256:	D09007F08E1CA41EDF2083E9C3CA9D829BA57E2C7B409AC98A7DFBA66A74FD08
SHA-512:	994232B4D2B872476FFC4DF6E469356A621FF458BF69036E23CB191C17D0F8914DBF87A05894EA889B3147B6BBDCF39151552985026CBB11CBF70E9096A1C6A1
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....)......N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IBY.&....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VBY.&....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VBY.&....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VBY.&..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VBY.&...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........Yi.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 2 03:53:58 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.9961589153899486
Encrypted:	false
SSDEEP:	48:8Uda1T69CcHfidAKZdA1weh/iZUkAQkqehQy+2:8Bne9Q5y
MD5:	3950485E28821570391770DE2283CF6A
SHA1:	40ECEFF3ED05F2D52FD44747F63497F23A0E68EA
SHA-256:	BE5785EE60A8B2DD93B71F0115FAAC2E8912FB3C7430E7681A1B347EBC98142E
SHA-512:	A57D343071A6AC343B3DCFB8BAA6881EAC27447293C0C2C17A03067D58D41182B43BEEC33F6FCB9AEB1BA2F4CC2F37F3C5AC6CDE456B6731C3883D7630C3231E
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....Z=......N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IBY.&....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VBY.&....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VBY.&....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VBY.&..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VBY.&...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........Yi.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2693
Entropy (8bit):	4.005474627125222
Encrypted:	false
SSDEEP:	48:8xrda1T69CsHfidAKZdA14tseh7sFiZUkmgqeh7suy+BX:8xgn2nsy
MD5:	55FA2856C67BC0E77832045C98668F31
SHA1:	3027B24DD2F69189B48AA280BFE0C38C977F7290
SHA-256:	A9EC3A3127CE855EC021EC01AB3FF225BDBC42C156BC98DA1DD24E17A1D19663
SHA-512:	CBB9546D46D8AA2309C2ED4C3AAEC9AF8DDF706F29E34EDACAD6BDEECE9778F439E715848CC0BA9FC84DE6B62B4880253D018FB417732A2666A7C4D95273D7BD
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......e>....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IBY.&....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VBY.&....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VBY.&....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VBY.&..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VDW.n...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........Yi.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 2 03:53:58 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.9944932544348113
Encrypted:	false
SSDEEP:	48:8Wda1T69CcHfidAKZdA1vehDiZUkwqehUy+R:8rnF2y
MD5:	5269E58490EBF6DFE545AAFFCAE9CDF8
SHA1:	3B5827D02D97B9DEB717D0A7049B1B4537198683
SHA-256:	D5FC79E2B033B4F1646593C9A1128413E059DFA015B735F36787F91B1A740565
SHA-512:	688113101E9991F2471781520EADDB87DF60F4BB50497D77030AE1D0456573BAF6A2660BA4A494A741B369E556B1DB80867DB96472565F24D6498CB3E8ECF2B6
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,..........N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IBY.&....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VBY.&....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VBY.&....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VBY.&..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VBY.&...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........Yi.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 2 03:53:58 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.9827000366305905
Encrypted:	false
SSDEEP:	48:8Yda1T69CcHfidAKZdA1hehBiZUk1W1qehqy+C:81nV9Ky
MD5:	753BBB99E37C7C058A96F10012D3586F
SHA1:	387C25B1FCD35CA1441386C2FB460379804D31B2
SHA-256:	D6B02C58A2E2F0C78653DE1C3AF9CCE8E9608E981AFD093CEAE712C5324B7981
SHA-512:	3D6CED8A42CE048E8EC9FB981E4E2CAB714F216D448F3335567B2825DE60158A69BCC3ECF0ADCFEEBC2171B2FAB1B8B9B2360405136DAAB462E4348B22317CF1
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....H.......N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IBY.&....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VBY.&....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VBY.&....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VBY.&..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VBY.&...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........Yi.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 2 03:53:58 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2683
Entropy (8bit):	3.9936136575732575
Encrypted:	false
SSDEEP:	48:8hda1T69CcHfidAKZdA1duT+ehOuTbbiZUk5OjqehOuTbsy+yT+:82npT/TbxWOvTbsy7T
MD5:	821A0B1DFB4BEE61978150EDE0B623DD
SHA1:	C5C6565E428E7A30F1FBC9A13CABC0C1508B2C61
SHA-256:	9F60BB7F83B1C9AC34F5F0C07B52E7A6B9F30CDA5384DC45FB8FDECA242A6199
SHA-512:	BA942430958415DCEE7C6E34FA6990CD2D30EB0E424474D7B460DAE4E534F730E6EEC51260FF78794A56CFFC364F6F935D027DBBBEB2636DDD99576BACE54952
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,............N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IBY.&....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VBY.&....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VBY.&....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VBY.&..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VBY.&...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........Yi.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6048_2110720458\LICENSE

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1558
Entropy (8bit):	5.11458514637545
Encrypted:	false
SSDEEP:	48:OBOCrYJ4rYJVwUCLHDy43HV713XEyMmZ3teTHn:LCrYJ4rYJVwUCHZ3Z13XtdUTH
MD5:	EE002CB9E51BB8DFA89640A406A1090A
SHA1:	49EE3AD535947D8821FFDEB67FFC9BC37D1EBBB2
SHA-256:	3DBD2C90050B652D63656481C3E5871C52261575292DB77D4EA63419F187A55B
SHA-512:	D1FDCC436B8CA8C68D4DC7077F84F803A535BF2CE31D9EB5D0C466B62D6567B2C59974995060403ED757E92245DB07E70C6BDDBF1C3519FED300CC5B9BF9177C
Malicious:	false
Preview:	// Copyright 2015 The Chromium Authors. All rights reserved..//.// Redistribution and use in source and binary forms, with or without.// modification, are permitted provided that the following conditions are.// met:.//.// * Redistributions of source code must retain the above copyright.// notice, this list of conditions and the following disclaimer..// * Redistributions in binary form must reproduce the above.// copyright notice, this list of conditions and the following disclaimer.// in the documentation and/or other materials provided with the.// distribution..// * Neither the name of Google Inc. nor the names of its.// contributors may be used to endorse or promote products derived from.// this software without specific prior written permission..//.// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS.// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT.// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR.// A PARTICULAR

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6048_2110720458\_metadata\verified_contents.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1864
Entropy (8bit):	6.021127689065198
Encrypted:	false
SSDEEP:	48:p/hUI1atAdI567akUmYWEFw/3+ovGJ4F3jkZUbvzk98g5m7:RnYQI47avYUwvVGJ41jkZIzxgA7
MD5:	68E6B5733E04AB7BF19699A84D8ABBC2
SHA1:	1C11F06CA1AD3ED8116D356AB9164FD1D52B5CF0
SHA-256:	F095F969D6711F53F97747371C83D5D634EAEF21C54CB1A6A1CC5B816D633709
SHA-512:	9DC5D824A55C969820D5D1FBB0CA7773361F044AE0C255E7C48D994E16CE169FCEAC3DE180A3A544EBEF32337EA535683115584D592370E5FE7D85C68B86C891
Malicious:	false
Preview:	[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJMSUNFTlNFIiwicm9vdF9oYXNoIjoiUGIwc2tBVUxaUzFqWldTQnctV0hIRkltRlhVcExiZDlUcVkwR2ZHSHBWcyJ9LHsicGF0aCI6Im1hbmlmZXN0Lmpzb24iLCJyb290X2hhc2giOiIyNXB3SWdtQWU2QTVoeDVVTG9OV0laODBLbzJjbktOTHpacUdjbjlLT2c4In0seyJwYXRoIjoic2V0cy5qc29uIiwicm9vdF9oYXNoIjoiOWVza0FuRlBsM3VCQzkwUmFWakxNaVI3NXZIQi0wQUVmMmg0RzU3ZXNpcyJ9XSwiZm9ybWF0IjoidHJlZWhhc2giLCJoYXNoX2Jsb2NrX3NpemUiOjQwOTZ9XSwiaXRlbV9pZCI6ImdvbnBlbWRna2pjZWNkZ2JuYWFiaXBwcGJtZ2ZnZ2JlIiwiaXRlbV92ZXJzaW9uIjoiMjAyNC44LjEwLjAiLCJwcm90b2NvbF92ZXJzaW9uIjoxfQ","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"dU2MmRUQSugaJAJvEN4uaQHx-KXdOkjj0yK8_aH4Afr3kN7DPOZRt6yLTS3UchBE5M-dgPPPBuKADj4KEK4B22SO6WQquL5J27AUPqQBGgr44-iFGVJdOLLlfirFlJmcYv6DUFRYiPsQFGMr1JFqInj19jgkOxzR6qqcNuTCB0wGEMeTU80r-igCjeQG6TIzPro7yKd_-UxsxO6OGAySmlIJIoU54X0p0ATNoZyAfkhb8kb0oN8unOU

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6048_2110720458\manifest.fingerprint

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	66
Entropy (8bit):	3.9159446964030753
Encrypted:	false
SSDEEP:	3:Sq5TQRaELVHecsUDBAeHD5k:Sq5gJ+csHej5k
MD5:	CFB54589424206D0AE6437B5673F498D
SHA1:	D1EF6314F0F68EFDD0BA8F6CA9E59BFF863B1609
SHA-256:	285AC183C35350B4B77332172413902F83726CA8F53D63859B5DA082FD425A1C
SHA-512:	70FDCA4A1E6B7A5FFED3414E2DB74FECA7E0FD17482B8CB30393DFEE20AB9AD2B0B00FF0C590DD0E8D744D0EAD876CE8844519AF66618ED14666BCA56DF2DA21
Malicious:	false
Preview:	1.dbf288588465463a914bdfc5e86d465fb3592b2f1261dc0e40fcc5c1adc8e7e4

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6048_2110720458\manifest.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	85
Entropy (8bit):	4.4533115571544695
Encrypted:	false
SSDEEP:	3:rR6TAulhFphifFCmMARWHJqS1tean:F6VlM8aRWpqS1ln
MD5:	C3419069A1C30140B77045ABA38F12CF
SHA1:	11920F0C1E55CADC7D2893D1EEBB268B3459762A
SHA-256:	DB9A702209807BA039871E542E8356219F342A8D9C9CA34BCD9A86727F4A3A0F
SHA-512:	C5E95A4E9F5919CB14F4127539C4353A55C5F68062BF6F95E1843B6690CEBED3C93170BADB2412B7FB9F109A620385B0AE74783227D6813F26FF8C29074758A1
Malicious:	false
Preview:	{. "manifest_version": 2,. "name": "First Party Sets",. "version": "2024.8.10.0".}

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6048_2110720458\sets.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	9748
Entropy (8bit):	4.629326694042306
Encrypted:	false
SSDEEP:	96:Mon4mvC4qX19s1blbw/BNKLcxbdmf56MFJtRTGXvcxN43uP+8qJq:v5C4ql7BkIVmtRTGXvcxBsq
MD5:	EEA4913A6625BEB838B3E4E79999B627
SHA1:	1B4966850F1B117041407413B70BFA925FD83703
SHA-256:	20EF4DE871ECE3C5F14867C4AE8465999C7A2CC1633525E752320E61F78A373C
SHA-512:	31B1429A5FACD6787F6BB45216A4AB1C724C79438C18EBFA8C19CED83149C17783FD492A03197110A75AAF38486A9F58828CA30B58D41E0FE89DFE8BDFC8A004
Malicious:	false
Preview:	{"primary":"https://bild.de","associatedSites":["https://welt.de","https://autobild.de","https://computerbild.de","https://wieistmeineip.de"],"serviceSites":["https://www.asadcdn.com"]}.{"primary":"https://blackrock.com","associatedSites":["https://blackrockadvisorelite.it","https://cachematrix.com","https://efront.com","https://etfacademy.it","https://ishares.com"]}.{"primary":"https://cafemedia.com","associatedSites":["https://cardsayings.net","https://nourishingpursuits.com"]}.{"primary":"https://caracoltv.com","associatedSites":["https://noticiascaracol.com","https://bluradio.com","https://shock.co","https://bumbox.com","https://hjck.com"]}.{"primary":"https://carcostadvisor.com","ccTLDs":{"https://carcostadvisor.com":["https://carcostadvisor.be","https://carcostadvisor.fr"]}}.{"primary":"https://citybibleforum.org","associatedSites":["https://thirdspace.org.au"]}.{"primary":"https://cognitiveai.ru","associatedSites":["https://cognitive-ai.ru"]}.{"primary":"https://drimer.io","asso

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6048_393236696\Google.Widevine.CDM.dll

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2877728
Entropy (8bit):	6.868480682648069
Encrypted:	false
SSDEEP:	49152:GB6BoH5sOI2CHusbKOdskuoHHVjcY94RNETO2WYA4oPToqnQ3dK5zuqvGKGxofFo:M67hlnVjcYGRNETO2WYA4oLoqnJuZI5
MD5:	477C17B6448695110B4D227664AA3C48
SHA1:	949FF1136E0971A0176F6ADEA8ADCC0DD6030F22
SHA-256:	CB190E7D1B002A3050705580DD51EBA895A19EB09620BDD48D63085D5D88031E
SHA-512:	1E267B01A78BE40E7A02612B331B1D9291DA8E4330DEA10BF786ACBC69F25E0BAECE45FB3BAFE1F4389F420EBAA62373E4F035A45E34EADA6F72C7C61D2302ED
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: ELECTRONIC RECEIPT_Opcsa.html, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.....fd.........." ......(..........A&.......................................,.......,...`A.........................................V......V......`,......`+..p....+. )...p,......D.8....................C.(.....(.8...........p\..............................text.....(.......(................. ..`.rdata..h.....(.......(.............@..@.data....l......&.................@....pdata...p...`+..r.................@..@.00cfg..(.....+......p+.............@..@.gxfg....$....+..&...r+.............@..@.retplnel.... ,.......+..................tls.........0,.......+.............@....voltbl.D....@,.......+................._RDATA.......P,.......+.............@..@.rsrc........`,.......+.............@..@.reloc.......p,.......+.............@..B........................................................................................................................................

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6048_393236696\_metadata\verified_contents.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1778
Entropy (8bit):	6.02086725086136
Encrypted:	false
SSDEEP:	48:p/hCdQAdJjRkakCi0LXjX9mqjW6JmfQkNWQzXXf2gTs:RtQ1aaxXrjW6JuQEWQKas
MD5:	3E839BA4DA1FFCE29A543C5756A19BDF
SHA1:	D8D84AC06C3BA27CCEF221C6F188042B741D2B91
SHA-256:	43DAA4139D3ED90F4B4635BD4D32346EB8E8528D0D5332052FCDA8F7860DB729
SHA-512:	19B085A9CFEC4D6F1B87CC6BBEEB6578F9CBA014704D05C9114CFB0A33B2E7729AC67499048CB33823C884517CBBDC24AA0748A9BB65E9C67714E6116365F1AB
Malicious:	false
Preview:	[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJHb29nbGUuV2lkZXZpbmUuQ0RNLmRsbCIsInJvb3RfaGFzaCI6Im9ZZjVLQ2Z1ai1MYmdLYkQyWFdBS1E5Nkp1bTR1Q2dCZTRVeEpGSExSNWMifSx7InBhdGgiOiJtYW5pZmVzdC5qc29uIiwicm9vdF9oYXNoIjoiYk01YTJOU1d2RkY1LW9Tdml2eFdqdXVwZ05pblVGakdPQXRrLTBJcGpDZyJ9XSwiZm9ybWF0IjoidHJlZWhhc2giLCJoYXNoX2Jsb2NrX3NpemUiOjQwOTZ9XSwiaXRlbV9pZCI6Im5laWZhb2luZGdnZmNqaWNmZmtncG1ubHBwZWZmYWJkIiwiaXRlbV92ZXJzaW9uIjoiMS4wLjI3MzguMCIsInByb3RvY29sX3ZlcnNpb24iOjF9","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"KTPeHzS0ybFaz3_br3ASYWHjb6Ctul92067u2JMwtNYYm-4KxLiSkJZNBIzhm6hNSEW2p5kUEvHD0TjhhFGCZnWm9titj2bqJayCOAGxZb5BO74JJCRfy5Kwr1KSS4nvocsZepnHBmCiG2OV3by-Lyf1h1uU3X3bDfD92O0vJzrA8rwL2LrwIk-BolLo5nlM0I_MZwg8DhZ8SFBu9GGRVB2XrailDrv4SgupFE9gqA1HY6kjRjoyoAHbRRxZdBNNt9IKNdxNyaF9NcNRY8dAedNQ9Tw3YNp5jB7R9lcjO4knn58RdH2h_GiJ4l96StcXA4e7cqbJ77P-c

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6048_393236696\manifest.fingerprint

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	66
Entropy (8bit):	3.974403644129192
Encrypted:	false
SSDEEP:	3:SLVV8T+WSq2ykFDJp9qBn:SLVqZS5p0B
MD5:	D30A5BBC00F7334EEDE0795D147B2E80
SHA1:	78F3A6995856854CAD0C524884F74E182F9C3C57
SHA-256:	A08C1BC41DE319392676C7389048D8B1C7424C4B74D2F6466BCF5732B8D86642
SHA-512:	DACF60E959C10A3499D55DC594454858343BF6A309F22D73BDEE86B676D8D0CED10E86AC95ECD78E745E8805237121A25830301680BD12BFC7122A82A885FF4B
Malicious:	false
Preview:	1.c900ba9a2d8318263fd43782ee6fd5fb50bad78bf0eb2c972b5922c458af45ed

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6048_393236696\manifest.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	145
Entropy (8bit):	4.595307058143632
Encrypted:	false
SSDEEP:	3:rR6TAulhFphifFooG+HhFFKS18CWjhXLXGPQ3TRpvF/FHddTcplFHddTcVYA:F6VlM5PpKS18hRIA
MD5:	BBC03E9C7C5944E62EFC9C660B7BD2B6
SHA1:	83F161E3F49B64553709994B048D9F597CDE3DC6
SHA-256:	6CCE5AD8D496BC5179FA84AF8AFC568EEBA980D8A75058C6380B64FB42298C28
SHA-512:	FB80F091468A299B5209ACC30EDAF2001D081C22C3B30AAD422CBE6FEA7E5FE36A67A8E000D5DD03A30C60C30391C85FA31F3931E804C351AB0A71E9A978CC0F
Malicious:	false
Preview:	{. "manifest_version": 2,. "name": "windows-mf-cdm",. "version": "1.0.2738.0",. "accept_arch": [. "x64",. "x86_64",. "x86_64h". ].}

Chrome Cache Entry: 172

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (468)
Category:	downloaded
Size (bytes):	1858
Entropy (8bit):	5.298162049824456
Encrypted:	false
SSDEEP:	48:o7vGoolL3ALFKphnpiu7xOKAcfO/3d/rYh4vZorw:o/QLUFUL4KA+2y0Mw
MD5:	CE055F881BDAB4EF6C1C8AA4B3890348
SHA1:	2671741A70E9F5B608F690AAEEA4972003747654
SHA-256:	9B91C23691D6032CDFE28863E369624B2EDB033E1487A1D1BB0977E3590E5462
SHA-512:	8A22250628985C2E570E6FBADFC0D5CB6753F0735130F9E74962A409476C2859C5C81F8A0F5C427A9F13ED399C8E251FA43FF67AD5F16860640D45E7A538E857
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=iAskyc,ziXSP"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("iAskyc");._.QZ=function(a){_.W.call(this,a.Fa);this.window=a.Ea.window.get();this.Nc=a.Ea.Nc};_.J(_.QZ,_.W);_.QZ.Ba=function(){return{Ea:{window:_.qu,Nc:_.DE}}};_.QZ.prototype.Po=function(){};_.QZ.prototype.addEncryptionRecoveryMethod=function(){};_.RZ=function(a){return(a==null?void 0:a.Jo)\|\|function(){}};_.SZ=function(a){return(a==null?void 0:a.m3)\|\|function(){}};_.GPb=function(a){return(a==null?void 0:a.Op)\|\|function(){}};._.HPb=function(a){return new Map(Array.from(a,function(b){var c=_.n(b);b=c.next().value;c=c.next().value;return[b,c.map(function(d){return{epoch:d.epoch,key:new Uint8Array(d.key)}})]}))};_.IPb=function(a){setTimeout(function(){throw a;},0)};_.QZ.prototype.kO=function(){return!0};_.nu(_.An,_.QZ);._.l();._.k("ziXSP");.var j_=function(a){_.QZ.call(this,a.Fa)};_.J(j_,_.QZ);j_.Ba=_.QZ.Ba;j_.prototype.Po=function(a,b,c){var d;if((d=this.window.chrome)==nu

Chrome Cache Entry: 173

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (683)
Category:	downloaded
Size (bytes):	3131
Entropy (8bit):	5.355381206612617
Encrypted:	false
SSDEEP:	48:o7FEEM3MtH15jNQ8jsK3rnw0dkckTrKEp/OqLE9xz0W5Bzv3M6hIHYA+JITbwrF8:oq675jOArwoAmI/DLaxNPL5m+m6w
MD5:	E2A7251AD83A0D0634FEA2703D10ED07
SHA1:	90D72011F31FC40D3DA3748F2817F90A29EB5C01
SHA-256:	1079B49C4AAF5C10E4F2E6A086623F40D200A71FF2A1F64E88AA6C91E4BE7A6F
SHA-512:	CD6D75580EA8BD97CF7C7C0E0BD9D9A54FB6EA7DF1DDB5A95E94D38B260F9EE1425C640839ECD229B8D01E145CF2786CA374D31EC537EB8FE17FF415D5B985F5
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ZwDk9d,RMhBfe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("ZwDk9d");.var gA=function(a){_.W.call(this,a.Fa)};_.J(gA,_.W);gA.Ba=_.W.Ba;gA.prototype.eS=function(a){return _.Xe(this,{Xa:{gT:_.ll}}).then(function(b){var c=window._wjdd,d=window._wjdc;return!c&&d?new _.li(function(e){window._wjdc=function(f){d(f);e(ZJa(f,b,a))}}):ZJa(c,b,a)})};var ZJa=function(a,b,c){return(a=a&&a[c])?a:b.Xa.gT.eS(c)};.gA.prototype.aa=function(a,b){var c=_.Zra(b).Rj;if(c.startsWith("$")){var d=_.gm.get(a);_.uq[b]&&(d\|\|(d={},_.gm.set(a,d)),d[c]=_.uq[b],delete _.uq[b],_.vq--);if(d)if(a=d[c])b=_.af(a);else throw Error("Jb`"+b);else b=null}else b=null;return b};_.nu(_.Lfa,gA);._.l();._.k("SNUn3");._.YJa=new _.pf(_.wg);._.l();._.k("RMhBfe");.var $Ja=function(a){var b=_.tq(a);return b?new _.li(function(c,d){var e=function(){b=_.tq(a);var f=_.Sfa(a,b);f?c(f.getAttribute("jsdata")):window.document.readyState=="complete"?(f=["Unable to find deferred jsdata wit

Chrome Cache Entry: 174

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	downloaded
Size (bytes):	5430
Entropy (8bit):	3.6534652184263736
Encrypted:	false
SSDEEP:	48:wIJct3xIAxG/7nvWDtZcdYLtX7B6QXL3aqG8Q:wIJct+A47v+rcqlBPG9B
MD5:	F3418A443E7D841097C714D69EC4BCB8
SHA1:	49263695F6B0CDD72F45CF1B775E660FDC36C606
SHA-256:	6DA5620880159634213E197FAFCA1DDE0272153BE3E4590818533FAB8D040770
SHA-512:	82D017C4B7EC8E0C46E8B75DA0CA6A52FD8BCE7FCF4E556CBDF16B49FC81BE9953FE7E25A05F63ECD41C7272E8BB0A9FD9AEDF0AC06CB6032330B096B3702563
Malicious:	false
URL:	https://www.google.com/favicon.ico
Preview:	............ .h...&... .... .........(....... ..... ............................................0...................................................................................................................................v.].X.:.X.:.r.Y........................................q.X.S.4.S.4.S.4.S.4.S.4.S.4...X....................0........q.W.S.4.X.:.................J...A...g.........................K.H.V.8..........................F..B.....................,.......................................B..............................................B..B..B..B..B...u..........................................B..B..B..B..B...{.................5.......k...........................................................7R..8F.................................................2........Vb..5C..;I..................R^.....................0................Xc..5C..5C..5C..5C..5C..5C..lv..........................................]i..<J..:G..Zf....................................................

Chrome Cache Entry: 175

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (5693)
Category:	downloaded
Size (bytes):	698314
Entropy (8bit):	5.595120835898624
Encrypted:	false
SSDEEP:	6144:TJvaKtQfcxene0F2HhPM8RGYcBlKmd5r6XISxi7SlncOpYMSrBg5X3O4mAEFD7:TJyKtkIct842ISxXJ09
MD5:	F82438F9EAD5F57493C673008EED9E09
SHA1:	E4681E68FD66D8C76C6ACBC21E2C45F36FD645BC
SHA-256:	B4B092F54EAAA82BFAA159B8D61FB867B51C3067CBD60F4904A205A11F503250
SHA-512:	89027A7B1B3A080D40411F2E6E3B62BF57AC60879223566E71BD41D900C17051F0A058EFE04F8F1FED5E05DC54617D7A86F83D21BDED0F79347795C8B980B4B2
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=LEikZe,_b,_tp,byfTOb,lsjVmc/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=n73qwf,SCuOPb,IZT63,vfuNJf,UUJqVe,ws9Tlc,siKnQd,XVq9Qb,STuCOe,njlZCf,m9oV,vjKJJ,y5vRwf,iyZMqd,NTMZac,mzzZzc,rCcCxc,vvMGie,K1ZKnb,ziZ8Mc,b3kMqb,mvkUhe,CMcBD,Fndnac,t2srLd,EN3i8d,z0u0L,xiZRqc,NOeYWe,O6y8ed,L9OGUe,PrPYRd,MpJwZc,qPfo0c,cYShmd,hc6Ubd,Rkm0ef,KUM7Z,oLggrd,inNHtf,L1AAkb,WpP9Yc,lwddkf,gJzDyc,SpsfSb,aC1iue,tUnxGc,aW3pY,ZakeSe,EFQ78c,xQtZb,I6YDgd,zbML3c,zr1jrb,vHEMJe,YHI3We,YTxL4,bSspM,Uas9Hd,zy0vNb,K0PMbc,AvtSve,qmdT9,MY7mZe,xBaz7b,GwYlN,eVCnO,EIOG1e,LDQI"
Preview:	"use strict";_F_installCss(".r4WGQb{position:relative}.Dl08I>:first-child{margin-top:0}.Dl08I>:last-child{margin-bottom:0}.IzwVE{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-family:\"Google Sans\",roboto,\"Noto Sans Myanmar UI\",arial,sans-serif;font-size:1.25rem;font-weight:400;letter-spacing:0rem;line-height:1.2}.l5PPKe{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-size:1rem}.l5PPKe .dMNVAe{margin:0;padding:0}.l5PPKe>:first-child{margin-top:0;padding-top:0}.l5PPKe>:last-child{margin-bottom:0;padding-bottom:0}.Dl08I{margin:0;padding:0;position:relative}.Dl08I>.SmR8:only-child{padding-top:1px}.Dl08I>.SmR8:only-child::before{top:0}.Dl08I>.SmR8:not(first-child){padding-bottom:1px}.Dl08I>.SmR8::after{bottom:0}.Dl08I>.SmR8:only-child::before,.Dl08I>.SmR8::after{border-bottom:1px solid #c4c7c5;border-bottom:1px solid var(--gm3-sys-color-outline-variant,#c4c7c5);content:\"\";height:0;left:0;position:absolute;width:100%}.aZvCDf{margin-top:8px;margin-left

Chrome Cache Entry: 176

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (2907)
Category:	downloaded
Size (bytes):	22833
Entropy (8bit):	5.425034548615223
Encrypted:	false
SSDEEP:	384:7lFo6ZEdpgtmyiPixV9OX9gMBpHkHnfst9lZulagGcwYHiRFjJzN7:77o6ZviPixV8xpEHn89l4IgGcwYCRtb7
MD5:	749B18538FE32BFE0815D75F899F5B21
SHA1:	AF95A019211AF69F752A43CAA54A83C2AFD41D28
SHA-256:	116B2687C1D5E00DB56A79894AB0C12D4E2E000B9379B7E7AD751B84DF611F3F
SHA-512:	E4B6F4556AA0FD9979BB52681508F5E26FFB256473803F74F7F5C8D93FA3636D7D0A5835618FBC6123022805CE0D9616A7451A0F302C665E28A6090B5D588505
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=RqjULd"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.uu.prototype.da=_.ca(40,function(){return _.rj(this,3)});_.$y=function(a,b){this.key=a;this.defaultValue=!1;this.flagName=b};_.$y.prototype.ctor=function(a){return typeof a==="boolean"?a:this.defaultValue};_.az=function(){this.ka=!0;var a=_.vj(_.dk(_.Be("TSDtV",window),_.zya),_.uu,1,_.qj())[0];if(a){var b={};for(var c=_.n(_.vj(a,_.Aya,2,_.qj())),d=c.next();!d.done;d=c.next()){d=d.value;var e=_.Jj(d,1).toString();switch(_.tj(d,_.vu)){case 3:b[e]=_.Hj(d,_.lj(d,_.vu,3));break;case 2:b[e]=_.Jj(d,_.lj(d,_.vu,2));break;case 4:b[e]=_.Kj(d,_.lj(d,_.vu,4));break;case 5:b[e]=_.Lj(d,_.lj(d,_.vu,5));break;case 6:b[e]=_.Pj(d,_.ff,6,_.vu);break;default:throw Error("jd`"+_.tj(d,_.vu));}}}else b={};this.ea=b;this.token=.a?a.da():null};_.az.prototype.aa=function(a){if(!this.ka\|\|a.key in this.ea)a=a.ctor(this.ea[a.key]);else if(_.Be("nQyAE",window)){var b=_.Cya(a.flagName);if(b===null)a=a.de

Chrome Cache Entry: 177

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (681)
Category:	downloaded
Size (bytes):	4066
Entropy (8bit):	5.363016925556486
Encrypted:	false
SSDEEP:	96:G2CiFZX5BReR68ujioIRVrqtyzBeTV6SfyAKLif9c7w:bCMZXVeR6jiosVrqtyzBaImyAKw9x
MD5:	FC5E597D923838E10390DADD12651A81
SHA1:	C9959F8D539DB5DF07B8246EC12539B6A9CC101F
SHA-256:	A7EBD5280C50AE93C061EAE1E9727329E015E97531F8F2D82D0E3EA76ADB37B4
SHA-512:	784CA572808F184A849388723FBB3701E6981D885BBA8A330A933F90BF0B36A2E4A491D4463A27911B1D9F7A7134F23E15F187FC7CB4554EAE9BC252513EED7C
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=sOXFj,q0xTif,ZZ4WUe"
Preview:	"use strict";_F_installCss(".N7rBcd{overflow-x:auto}sentinel{}");.this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.vg(_.aqa);._.k("sOXFj");.var tu=function(a){_.W.call(this,a.Fa)};_.J(tu,_.W);tu.Ba=_.W.Ba;tu.prototype.aa=function(a){return a()};_.nu(_.$pa,tu);._.l();._.k("oGtAuc");._.yya=new _.pf(_.aqa);._.l();._.k("q0xTif");.var sza=function(a){var b=function(d){_.Sn(d)&&(_.Sn(d).Jc=null,_.Du(d,null));d.XyHi9&&(d.XyHi9=null)};b(a);a=a.querySelectorAll("[c-wiz]");for(var c=0;c<a.length;c++)b(a[c])},Pu=function(a){_.kt.call(this,a.Fa);this.Qa=this.dom=null;if(this.kl()){var b=_.zm(this.Ug(),[_.Em,_.Dm]);b=_.ni([b[_.Em],b[_.Dm]]).then(function(c){this.Qa=c[0];this.dom=c[1]},null,this);_.hu(this,b)}this.Ra=a.lm.zea};_.J(Pu,_.kt);Pu.Ba=function(){return{lm:{zea:function(a){return _.Ue(a)}}}};Pu.prototype.zp=function(a){return this.Ra.zp(a)};.Pu.prototype.getData=function(a){return this.Ra.getData(a)};Pu.prototype.qo=function(){_.Kt(this.d

Chrome Cache Entry: 178

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 52280, version 1.0
Category:	downloaded
Size (bytes):	52280
Entropy (8bit):	7.995413196679271
Encrypted:	true
SSDEEP:	1536:1rvqtK8DZilXxwJ8mMwAZy7phqsFLdG3B4d:xytBZits8bw4wzbFxG3B4d
MD5:	F61F0D4D0F968D5BBA39A84C76277E1A
SHA1:	AA3693EA140ECA418B4B2A30F6A68F6F43B4BEB2
SHA-256:	57147F08949ABABE7DEEF611435AE418475A693E3823769A25C2A39B6EAD9CCC
SHA-512:	6C3BD90F709BCF9151C9ED9FFEA55C4F6883E7FDA2A4E26BF018C83FE1CFBE4F4AA0DB080D6D024070D53B2257472C399C8AC44EEFD38B9445640EFA85D5C487
Malicious:	false
URL:	https://fonts.gstatic.com/s/googlesans/v58/4UaRrENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iq2vgCI.woff2
Preview:	wOF2.......8.....................................^...$..4?HVAR..?MVAR9.`?STAT.',..J/.......`..(..Z.0..R.6.$.... .....K..[..q..c..T.....>.P.j.`.w..#...%......N.".....$..3.0.6......... .L.rX/r[j.y.\|(.4.%#.....2.v.m..-..%.....;-.Y.{..&..O=#l@...k..7g..ZI...#.Z./+T..r7...M..3).Z%.x....s..sL..[A!.51w'/.8V..2Z..%.X.h.o.).]..9..Q`.$.....7..kZ.~O........d..g.n.d.Rw+&....Cz..uy#..fz,(.J....v.%..`..9.....h...?O..:...c%.....6s....xl..#...5..._......1.>.)"U.4 W....?%......6//!$...!.n9C@n...........!""^.....W..Z<.7.x.."UT.T....E.."R>.R..t.....H d..e_.K../.+8.Q.P.ZQ....;...U....]......._.e......71.?.7.ORv.?...l...G\|.P...\|:...I.X..2.,.L........d.g.]}W#uW]QnuP-s.;.-Y.....].......C..j_.M0...y.......J..........NY..@A...,....-.F......'..w./j5g.vUS...U..0.&...y7.LP.....%.....Y......Y..D. e.A..G.?.$.......6...eaK.n5.m...N...,...+BCl..L> .E9~.b[.w.x....6<...}.e...%V....O.......*.?...a..#[eE.4..p..$...].....%......o._......N.._~..El....b..A.0.r8.....\|..D.d..

Chrome Cache Entry: 179

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (533)
Category:	downloaded
Size (bytes):	9210
Entropy (8bit):	5.404371326611379
Encrypted:	false
SSDEEP:	192:EEFZpeip4HzZlY0If0Ma23jcUcrhCx6VD1TYPi8:Es/p4jgjUhtD1TY68
MD5:	21E893B65627B397E22619A9F5BB9662
SHA1:	F561B0F66211C1E7B22F94B4935C312AB7087E85
SHA-256:	FFA9B8BC8EF2CDFF5EB4BA1A0BA1710A253A5B42535E2A369D5026967DCF4673
SHA-512:	3DE3CD6A4E9B06AB3EB324E90A40B5F2AEEA8D7D6A2651C310E993CF79EEB5AC6E2E33C587F46B2DD20CC862354FD1A61AEBB9B990E6805F6629404BA285F8FA
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PrPYRd,Rkm0ef,SCuOPb,STuCOe,SpsfSb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,byfTOb,cYShmd,eVCnO,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,qPfo0c,qmdT9,rCcCxc,siKnQd,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ltDFwf,SD8Jgb,rmumx,E87wgc,qPYxq,Tbb4sb,pxq3x,f8Gu1e,soHxf,YgOFye,yRXbo,bTi8wc,ywOR5c,PHUIyb"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.qNa=_.y("SD8Jgb",[]);._.GX=function(a,b){if(typeof b==="string")a.Lc(b);else if(b instanceof _.Fp&&b.ia&&b.ia===_.A)b=_.Ya(b.Lw()),a.empty().append(b);else if(b instanceof _.Ua)b=_.Ya(b),a.empty().append(b);else if(b instanceof Node)a.empty().append(b);else throw Error("Vf");};_.HX=function(a){var b=_.Io(a,"[jsslot]");if(b.size()>0)return b;b=new _.Go([_.Kk("span")]);_.Jo(b,"jsslot","");a.empty().append(b);return b};_.NLb=function(a){return a===null\|\|typeof a==="string"&&_.Hi(a)};._.k("SD8Jgb");._.MX=function(a){_.X.call(this,a.Fa);this.Ua=a.controller.Ua;this.od=a.controllers.od[0]\|\|null;this.header=a.controller.header;this.nav=a.controller.nav;var b;(b=this.oa().find("button:not([type])").el())==null\|\|b.setAttribute("type","button")};_.J(_.MX,_.X);_.MX.Ba=function(){return{controller:{Ua:{jsname:"n7vHCb",ctor:_.mv},header:{jsname:"tJHJj",ctor:_.mv},nav:{jsname:"DH6Rkf",ct

Chrome Cache Entry: 180

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (755)
Category:	downloaded
Size (bytes):	1460
Entropy (8bit):	5.291808298251231
Encrypted:	false
SSDEEP:	24:kMYD7DuZvuhqCsNRxoYTY9/qoVk7hz1l2p6vDMW94uEQOeGbCx4VGbgCSFBV87OU:o7DuZWhv6oy12kvwKEeGbC6GbHSh/Hrw
MD5:	4CA7ADFE744A690411EA4D3EA8DB9E4B
SHA1:	2CF1777A199E25378D330DA68BED1871B5C5BC32
SHA-256:	128129BA736B3094323499B0498A5B3A909C1529717461C34B70080A5B1603BD
SHA-512:	8BD3477AF41D1F0FE74AFFCB177BEC0F5F4FDCBBA6BD29D9C2567E6FFDEF5DEB7FF74BF348F33209C39D7BB4958E748DF6731D3DC8F6947352276BC92EAF9E79
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=P6sQOc"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("lOO0Vd");._.VZa=new _.pf(_.Am);._.l();._.k("P6sQOc");.var $Za=!!(_.Kh[1]&16);var b_a=function(a,b,c,d,e){this.ea=a;this.wa=b;this.ka=c;this.Ca=d;this.Ga=e;this.aa=0;this.da=a_a(this)},c_a=function(a){var b={};_.La(a.yS(),function(e){b[e]=!0});var c=a.pS(),d=a.tS();return new b_a(a.qP(),c.aa()1E3,a.WR(),d.aa()1E3,b)},a_a=function(a){return Math.random()Math.min(a.waMath.pow(a.ka,a.aa),a.Ca)},OG=function(a,b){return a.aa>=a.ea?!1:b!=null?!!a.Ga[b]:!0};var PG=function(a){_.W.call(this,a.Fa);this.da=a.Ea.EV;this.ea=a.Ea.metadata;a=a.Ea.Xga;this.fetch=a.fetch.bind(a)};_.J(PG,_.W);PG.Ba=function(){return{Ea:{EV:_.YZa,metadata:_.VZa,Xga:_.OZa}}};PG.prototype.aa=function(a,b){if(this.ea.getType(a.Od())!==1)return _.Sm(a);var c=this.da.eV;return(c=c?c_a(c):null)&&OG(c)?_.wya(a,d_a(this,a,b,c)):_.Sm(a)};.var d_a=function(a,b,c,d){return c.then(function(e){return e},function(e)

Chrome Cache Entry: 181

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (553)
Category:	downloaded
Size (bytes):	743936
Entropy (8bit):	5.791086230020914
Encrypted:	false
SSDEEP:	6144:YVXWBQkPdzg5pTX1ROv/duPzd8C3s891/N:Nfd8j91/N
MD5:	1A3606C746E7B1C949D9078E8E8C1244
SHA1:	56A3EB1E93E61ACD7AAD39DC3526CB60E23651B1
SHA-256:	5F49AE5162183E2EF6F082B29EC99F18DB0212B8ADDB03699B1BFB0AC7869742
SHA-512:	F2D15243311C472331C5F3F083BB6C18D38EC0247A3F3CBAFD96DBA40E4EAE489CDA04176672E39FE3760EF7347596B2A5EAB0FB0125E881EF514475C99863B9
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/excm=_b,_tp,identifierview/ed=1/dg=0/wt=2/ujg=1/rs=AOaEmlE6O04h0gj7Nu50q-nmaRKM6WWcJw/m=_b,_tp"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._._F_toggles_initialize=function(a){(typeof globalThis!=="undefined"?globalThis:typeof self!=="undefined"?self:this)._F_toggles=a\|\|[]};(0,_._F_toggles_initialize)([0x286081c4, 0x2046d860, 0x39e13c40, 0x14501e80, 0xe420, 0x0, 0x1a000000, 0x1d000003, 0xc, ]);./.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0././.. Copyright Google LLC. SPDX-License-Identifier: Apache-2.0././.. Copyright 2024 Google, Inc. SPDX-License-Identifier: MIT././. SPDX-License-Identifier: Apache-2.0././. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0./.var baa,daa,Ma,Sa,gaa,iaa,jb,qaa,waa,Caa,Haa,Kaa,Jb,Laa,Ob,Qb,Rb,Maa,Naa,Sb,Oaa,Paa,Qaa,Yb,Vaa,Xaa,ec,fc,gc,bba,cba,gba,jba,lba,mba,qba,tba,nba,sba,rba,pba,oba,uba,yba,Cba,Dba,Aba,Hc,Ic,Gba,Iba,Mba,Nba,Oba,Pba,Lba,Qba,Sba,dd,Uba,Vba,Xba,Zba,Yba,aca,bca,cca,dca,fca,eca,hca,ica,jca,kca,nca,

Chrome Cache Entry: 182

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (570)
Category:	downloaded
Size (bytes):	3467
Entropy (8bit):	5.514745431912774
Encrypted:	false
SSDEEP:	96:ozbld2fNUmeqJNizhNtt1W8t//loyIpXmdVE2w:onSKE8PWe/Cy4X3j
MD5:	8DEF399E8355ABC23E64505281005099
SHA1:	24FF74C3AEFD7696D84FF148465DF4B1B60B1696
SHA-256:	F128D7218E1286B05DF11310AD3C8F4CF781402698E45448850D2A3A22F5F185
SHA-512:	33721DD47658D8E12ADF6BD9E9316EB89F5B6297927F7FD60F954E04B829DCBF0E1AE6DDD9A3401F45E0011AE4B1397B960C218238A3D0F633A2173D8E604082
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,wg1P6b,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=Wt6vjf,hhhU8,FCpbqb,WhJNk"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("Wt6vjf");.var cya=function(){var a=_.He();return _.Lj(a,1)},Yt=function(a){this.Da=_.t(a,0,Yt.messageId)};_.J(Yt,_.w);Yt.prototype.Ha=function(){return _.Dj(this,1)};Yt.prototype.Va=function(a){return _.Vj(this,1,a)};Yt.messageId="f.bo";var Zt=function(){_.hm.call(this)};_.J(Zt,_.hm);Zt.prototype.xd=function(){this.CT=!1;dya(this);_.hm.prototype.xd.call(this)};Zt.prototype.aa=function(){eya(this);if(this.wC)return fya(this),!1;if(!this.KV)return $t(this),!0;this.dispatchEvent("p");if(!this.zP)return $t(this),!0;this.wM?(this.dispatchEvent("r"),$t(this)):fya(this);return!1};.var gya=function(a){var b=new _.ap(a.W4);a.qQ!=null&&_.Jn(b,"authuser",a.qQ);return b},fya=function(a){a.wC=!0;var b=gya(a),c="rt=r&f_uid="+_.pk(a.zP);_.cn(b,(0,_.bg)(a.ea,a),"POST",c)};.Zt.prototype.ea=function(a){a=a.target;eya(this);if(_.fn(a)){this.cK=0;if(this.wM)this.wC=!1,this.dispatchEvent("r"

Chrome Cache Entry: 183

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	84
Entropy (8bit):	4.875266466142591
Encrypted:	false
SSDEEP:	3:DZFJu0+WVTBCq2Bjdw2KsJJuYHSKnZ:lFJuuVTBudw29nu4SKZ
MD5:	87B6333E98B7620EA1FF98D1A837A39E
SHA1:	105DE6815B0885357DE1414BFC0D77FCC9E924EF
SHA-256:	DCD3C133C5C40BECD4100BBE6EDAE84C9735E778E4234A5E8395C56FF8A733BA
SHA-512:	867D7943D813685FAA76394E53199750C55817E836FD19C933F74D11E9657CE66719A6D6B2E39EE1DE62358BCE364E38A55F4E138DF92337DE6985DDCD5D0994
Malicious:	false
URL:	https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xMzISHgmA6QC9dWevzxIFDRkBE_oSBQ3oIX6GEgUN05ioBw==?alt=proto
Preview:	Cj0KBw0ZARP6GgAKKQ3oIX6GGgQISxgCKhwIClIYCg5AIS4jJF8qLSY/Ky8lLBABGP////8PCgcN05ioBxoA

Chrome Cache Entry: 184

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (395)
Category:	downloaded
Size (bytes):	1608
Entropy (8bit):	5.257113147606035
Encrypted:	false
SSDEEP:	48:o72ZrNZ4yNAbU+15fMxIdf5WENoBCbw7DbG2bEJrw:oyNNAY+1i4HoBNG2Ilw
MD5:	F06E2DC5CC446B39F878B5F8E4D78418
SHA1:	9F1F34FDD8F8DAB942A9B95D9F720587B6F6AD48
SHA-256:	118E4D2FE7CEF205F9AFC87636554C6D8220882B158333EE3D1990282D158B8F
SHA-512:	893C4F883CD1C88C6AAF5A6E7F232D62823A53E1FFDE5C1C52BB066D75781DD041F4D281CDBF18070D921CE862652D8863E2B9D5E0190CFA4128890D62C44168
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=w9hDv,ZDZcre,A7fCU"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("w9hDv");._.vg(_.Hla);_.eA=function(a){_.W.call(this,a.Fa);this.aa=a.Xa.cache};_.J(_.eA,_.W);_.eA.Ba=function(){return{Xa:{cache:_.dt}}};_.eA.prototype.execute=function(a){_.Bb(a,function(b){var c;_.$e(b)&&(c=b.eb.kc(b.kb));c&&this.aa.xG(c)},this);return{}};_.nu(_.Nla,_.eA);._.l();._.k("ZDZcre");.var fH=function(a){_.W.call(this,a.Fa);this.Wl=a.Ea.Wl;this.d4=a.Ea.metadata;this.aa=a.Ea.ot};_.J(fH,_.W);fH.Ba=function(){return{Ea:{Wl:_.KG,metadata:_.VZa,ot:_.HG}}};fH.prototype.execute=function(a){var b=this;a=this.aa.create(a);return _.Bb(a,function(c){var d=b.d4.getType(c.Od())===2?b.Wl.Rb(c):b.Wl.fetch(c);return _.yl(c,_.LG)?d.then(function(e){return _.Dd(e)}):d},this)};_.nu(_.Sla,fH);._.l();._.k("K5nYTd");._.UZa=new _.pf(_.Ola);._.l();._.k("sP4Vbe");.._.l();._.k("kMFpHd");.._.l();._.k("A7fCU");.var NG=function(a){_.W.call(this,a.Fa);this.aa=a.Ea.tQ};_.J(NG,_.W);NG.Ba=func

Chrome Cache Entry: 185

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (522)
Category:	downloaded
Size (bytes):	5050
Entropy (8bit):	5.289052544075544
Encrypted:	false
SSDEEP:	96:o4We0hP7OBFXYvB1sig3Fd8HkaXzLmUrv8Vh1WJlLQXT2v2gqw:655758Fd8HkaPZ0GmAD
MD5:	26E26FD11772DFF5C7004BEA334289CC
SHA1:	638DAAF541BDE31E95AEE4F8ADA677434D7051DB
SHA-256:	ADFE3E4960982F5EF4C043052A9990D8683C5FC2B590E817B6B1A5774DDE2CE3
SHA-512:	C31929EB6D1C60D6A84A2574FF60490394A6D6F9B354972F3328952F570D80B3F2AEC916B0E1B66DDB1AC056EB75BFAC477E7AF631D0AD1810EDBAF025465D66
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=wg1P6b"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.jNa=_.y("wg1P6b",[_.TA,_.Cn,_.Kn]);._.k("wg1P6b");.var Z5a;Z5a=_.mh(["aria-"]);._.uJ=function(a){_.X.call(this,a.Fa);this.Ka=this.wa=this.aa=this.viewportElement=this.Na=null;this.Hc=a.Ea.ff;this.ab=a.Ea.focus;this.Fc=a.Ea.Fc;this.ea=this.Pi();a=-1*parseInt(_.Co(this.Pi().el(),"marginTop")\|\|"0",10);var b=parseInt(_.Co(this.Pi().el(),"marginBottom")\|\|"0",10);this.Ta={top:a,right:0,bottom:b,left:0};a=_.cf(this.getData("isMenuDynamic"),!1);b=_.cf(this.getData("isMenuHoisted"),!1);this.Ga=a?1:b?2:0;this.ka=!1;this.Ca=1;this.Ga!==1&&(this.aa=this.Sa("U0exHf").children().Wc(0),_.ku(this,.$5a(this,this.aa.el())));_.kF(this.oa())&&(a=this.oa().el(),b=this.we.bind(this),a.__soy_skip_handler=b)};_.J(_.uJ,_.X);_.uJ.Ba=function(){return{Ea:{ff:_.ZE,focus:_.KE,Fc:_.ru}}};_.uJ.prototype.xF=function(a){var b=a.source;this.Na=b;var c;((c=a.data)==null?0:c.fz)?(a=a.data.fz,this.Ca=a==="MOUS

Chrome Cache Entry: 186

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (1694)
Category:	downloaded
Size (bytes):	32500
Entropy (8bit):	5.378903546681047
Encrypted:	false
SSDEEP:	768:zYlbuROstb0e39nKGrkysU0smpu4OLOdzIf1p/5GeSsngurz6aKEEEGo/:zYl61Cysbu4OLOdzIfrIen72ZFo/
MD5:	BF4BF9728A7C302FBA5B14F3D0F1878B
SHA1:	2607CA7A93710D629400077FF3602CB207E6F53D
SHA-256:	8981E7B228DF7D6A8797C0CD1E9B0F1F88337D5F0E1C27A04E7A57D2C4309798
SHA-512:	AC9E170FC3AFDC0CF6BB8E926B93EF129A5FAD1BBA51B60BABCF3555E9B652E98F86A00FB099879DED35DD3FFE72ECFA597E20E6CA8CF402BEDEC40F78412EDA
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=_b,_tp/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=byfTOb,lsjVmc,LEikZe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{.var Aua=function(a,b){this.da=a;this.ea=b;if(!c){var c=new _.ap("//www.google.com/images/cleardot.gif");_.op(c)}this.ka=c};_.h=Aua.prototype;_.h.Zc=null;_.h.lZ=1E4;_.h.bA=!1;_.h.nQ=0;_.h.zJ=null;_.h.bV=null;_.h.setTimeout=function(a){this.lZ=a};_.h.start=function(){if(this.bA)throw Error("dc");this.bA=!0;this.nQ=0;Bua(this)};_.h.stop=function(){Cua(this);this.bA=!1};.var Bua=function(a){a.nQ++;navigator!==null&&"onLine"in navigator&&!navigator.onLine?_.km((0,_.bg)(a.aH,a,!1),0):(a.aa=new Image,a.aa.onload=(0,_.bg)(a.Fja,a),a.aa.onerror=(0,_.bg)(a.Eja,a),a.aa.onabort=(0,_.bg)(a.Dja,a),a.zJ=_.km(a.Gja,a.lZ,a),a.aa.src=String(a.ka))};_.h=Aua.prototype;_.h.Fja=function(){this.aH(!0)};_.h.Eja=function(){this.aH(!1)};_.h.Dja=function(){this.aH(!1)};_.h.Gja=function(){this.aH(!1)};._.h.aH=function(a){Cua(this);a?(this.bA=!1,this.da.call(this.ea,!0)):this.nQ<=0?Bua(this):(this.bA=!1,

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.582361020655316
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	918'528 bytes
MD5:	10f2301f8b97c23422086bd3c40200de
SHA1:	424210c8101158f55ec49ef1ce92771ae1e6dad2
SHA256:	e07a8d0829ad09f2134f733c794d30febde1665c4ba0c0dec5c2a14793a93f99
SHA512:	d02343cfef4872eb88d56192a5d78904571b925a07d6322635e518be3084cb2518d02954920013151ee5ee24fd7022786b49ba6757bdf61c8c8fce71130652ea
SSDEEP:	12288:QqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaETq:QqDEvCTbMWu7rQYlBQcBiT6rprG8akq
TLSH:	61159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FCCF94 [Wed Oct 2 04:44:04 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FC62C562E93h
jmp 00007FC62C56279Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FC62C56297Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FC62C56294Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FC62C56553Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FC62C565588h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FC62C565571h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x991c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x991c	0x9a00	c32b4faa92a5438efbe27df8a233a89a	False	0.3027090097402597	data	5.280563675672108	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xbe4	data			1.0036136662286466
RT_GROUP_ICON	0xdd39c	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd414	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd428	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd43c	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd450	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd52c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 06:53:50.919092894 CEST	49675	443	192.168.2.5	23.1.237.91
Oct 2, 2024 06:53:50.919095993 CEST	49674	443	192.168.2.5	23.1.237.91
Oct 2, 2024 06:53:51.044015884 CEST	49673	443	192.168.2.5	23.1.237.91
Oct 2, 2024 06:53:57.326277018 CEST	49705	443	192.168.2.5	142.250.185.174
Oct 2, 2024 06:53:57.326313019 CEST	443	49705	142.250.185.174	192.168.2.5
Oct 2, 2024 06:53:57.326368093 CEST	49705	443	192.168.2.5	142.250.185.174
Oct 2, 2024 06:53:57.327519894 CEST	49705	443	192.168.2.5	142.250.185.174
Oct 2, 2024 06:53:57.327529907 CEST	443	49705	142.250.185.174	192.168.2.5
Oct 2, 2024 06:53:57.959872007 CEST	443	49705	142.250.185.174	192.168.2.5
Oct 2, 2024 06:53:57.960160017 CEST	49705	443	192.168.2.5	142.250.185.174
Oct 2, 2024 06:53:57.960172892 CEST	443	49705	142.250.185.174	192.168.2.5
Oct 2, 2024 06:53:57.960501909 CEST	443	49705	142.250.185.174	192.168.2.5
Oct 2, 2024 06:53:57.960628033 CEST	49705	443	192.168.2.5	142.250.185.174
Oct 2, 2024 06:53:57.961205006 CEST	443	49705	142.250.185.174	192.168.2.5
Oct 2, 2024 06:53:57.961283922 CEST	49705	443	192.168.2.5	142.250.185.174
Oct 2, 2024 06:53:57.962826967 CEST	49705	443	192.168.2.5	142.250.185.174
Oct 2, 2024 06:53:57.962872982 CEST	443	49705	142.250.185.174	192.168.2.5
Oct 2, 2024 06:53:57.963110924 CEST	49705	443	192.168.2.5	142.250.185.174
Oct 2, 2024 06:53:57.963118076 CEST	443	49705	142.250.185.174	192.168.2.5
Oct 2, 2024 06:53:58.014275074 CEST	49705	443	192.168.2.5	142.250.185.174
Oct 2, 2024 06:53:58.244815111 CEST	443	49705	142.250.185.174	192.168.2.5
Oct 2, 2024 06:53:58.244887114 CEST	443	49705	142.250.185.174	192.168.2.5
Oct 2, 2024 06:53:58.244961023 CEST	49705	443	192.168.2.5	142.250.185.174
Oct 2, 2024 06:53:58.245801926 CEST	49705	443	192.168.2.5	142.250.185.174
Oct 2, 2024 06:53:58.245816946 CEST	443	49705	142.250.185.174	192.168.2.5
Oct 2, 2024 06:54:00.529973030 CEST	49674	443	192.168.2.5	23.1.237.91
Oct 2, 2024 06:54:00.529988050 CEST	49675	443	192.168.2.5	23.1.237.91
Oct 2, 2024 06:54:00.655006886 CEST	49673	443	192.168.2.5	23.1.237.91
Oct 2, 2024 06:54:01.697753906 CEST	49715	443	192.168.2.5	142.250.185.132
Oct 2, 2024 06:54:01.697815895 CEST	443	49715	142.250.185.132	192.168.2.5
Oct 2, 2024 06:54:01.697902918 CEST	49715	443	192.168.2.5	142.250.185.132
Oct 2, 2024 06:54:01.698196888 CEST	49715	443	192.168.2.5	142.250.185.132
Oct 2, 2024 06:54:01.698211908 CEST	443	49715	142.250.185.132	192.168.2.5
Oct 2, 2024 06:54:01.910615921 CEST	49717	443	192.168.2.5	184.28.90.27
Oct 2, 2024 06:54:01.910650969 CEST	443	49717	184.28.90.27	192.168.2.5
Oct 2, 2024 06:54:01.910756111 CEST	49717	443	192.168.2.5	184.28.90.27
Oct 2, 2024 06:54:01.912656069 CEST	49717	443	192.168.2.5	184.28.90.27
Oct 2, 2024 06:54:01.912669897 CEST	443	49717	184.28.90.27	192.168.2.5
Oct 2, 2024 06:54:02.319616079 CEST	443	49703	23.1.237.91	192.168.2.5
Oct 2, 2024 06:54:02.319742918 CEST	49703	443	192.168.2.5	23.1.237.91
Oct 2, 2024 06:54:02.352374077 CEST	443	49715	142.250.185.132	192.168.2.5
Oct 2, 2024 06:54:02.352607012 CEST	49715	443	192.168.2.5	142.250.185.132
Oct 2, 2024 06:54:02.352621078 CEST	443	49715	142.250.185.132	192.168.2.5
Oct 2, 2024 06:54:02.353872061 CEST	443	49715	142.250.185.132	192.168.2.5
Oct 2, 2024 06:54:02.353965044 CEST	49715	443	192.168.2.5	142.250.185.132
Oct 2, 2024 06:54:02.360219002 CEST	49715	443	192.168.2.5	142.250.185.132
Oct 2, 2024 06:54:02.360316038 CEST	443	49715	142.250.185.132	192.168.2.5
Oct 2, 2024 06:54:02.413482904 CEST	49715	443	192.168.2.5	142.250.185.132
Oct 2, 2024 06:54:02.413491011 CEST	443	49715	142.250.185.132	192.168.2.5
Oct 2, 2024 06:54:02.467575073 CEST	49715	443	192.168.2.5	142.250.185.132
Oct 2, 2024 06:54:02.673683882 CEST	443	49717	184.28.90.27	192.168.2.5
Oct 2, 2024 06:54:02.673762083 CEST	49717	443	192.168.2.5	184.28.90.27
Oct 2, 2024 06:54:02.678006887 CEST	49717	443	192.168.2.5	184.28.90.27
Oct 2, 2024 06:54:02.678018093 CEST	443	49717	184.28.90.27	192.168.2.5
Oct 2, 2024 06:54:02.678247929 CEST	443	49717	184.28.90.27	192.168.2.5
Oct 2, 2024 06:54:02.717881918 CEST	49717	443	192.168.2.5	184.28.90.27
Oct 2, 2024 06:54:02.774558067 CEST	49717	443	192.168.2.5	184.28.90.27
Oct 2, 2024 06:54:02.819401979 CEST	443	49717	184.28.90.27	192.168.2.5
Oct 2, 2024 06:54:02.972640991 CEST	443	49717	184.28.90.27	192.168.2.5
Oct 2, 2024 06:54:02.972702980 CEST	443	49717	184.28.90.27	192.168.2.5
Oct 2, 2024 06:54:02.972754002 CEST	49717	443	192.168.2.5	184.28.90.27
Oct 2, 2024 06:54:02.972891092 CEST	49717	443	192.168.2.5	184.28.90.27
Oct 2, 2024 06:54:02.972904921 CEST	443	49717	184.28.90.27	192.168.2.5
Oct 2, 2024 06:54:02.972915888 CEST	49717	443	192.168.2.5	184.28.90.27
Oct 2, 2024 06:54:02.972919941 CEST	443	49717	184.28.90.27	192.168.2.5
Oct 2, 2024 06:54:03.072113991 CEST	49720	443	192.168.2.5	184.28.90.27
Oct 2, 2024 06:54:03.072148085 CEST	443	49720	184.28.90.27	192.168.2.5
Oct 2, 2024 06:54:03.072208881 CEST	49720	443	192.168.2.5	184.28.90.27
Oct 2, 2024 06:54:03.072964907 CEST	49720	443	192.168.2.5	184.28.90.27
Oct 2, 2024 06:54:03.072974920 CEST	443	49720	184.28.90.27	192.168.2.5
Oct 2, 2024 06:54:03.958729029 CEST	443	49720	184.28.90.27	192.168.2.5
Oct 2, 2024 06:54:03.959144115 CEST	49720	443	192.168.2.5	184.28.90.27
Oct 2, 2024 06:54:04.159976006 CEST	49720	443	192.168.2.5	184.28.90.27
Oct 2, 2024 06:54:04.160008907 CEST	443	49720	184.28.90.27	192.168.2.5
Oct 2, 2024 06:54:04.160336971 CEST	443	49720	184.28.90.27	192.168.2.5
Oct 2, 2024 06:54:04.164585114 CEST	49720	443	192.168.2.5	184.28.90.27
Oct 2, 2024 06:54:04.211402893 CEST	443	49720	184.28.90.27	192.168.2.5
Oct 2, 2024 06:54:04.419143915 CEST	443	49720	184.28.90.27	192.168.2.5
Oct 2, 2024 06:54:04.419199944 CEST	443	49720	184.28.90.27	192.168.2.5
Oct 2, 2024 06:54:04.419358969 CEST	49720	443	192.168.2.5	184.28.90.27
Oct 2, 2024 06:54:04.439305067 CEST	49720	443	192.168.2.5	184.28.90.27
Oct 2, 2024 06:54:04.439306021 CEST	49720	443	192.168.2.5	184.28.90.27
Oct 2, 2024 06:54:04.439325094 CEST	443	49720	184.28.90.27	192.168.2.5
Oct 2, 2024 06:54:04.439333916 CEST	443	49720	184.28.90.27	192.168.2.5
Oct 2, 2024 06:54:07.411551952 CEST	49732	443	192.168.2.5	142.250.185.110
Oct 2, 2024 06:54:07.411591053 CEST	443	49732	142.250.185.110	192.168.2.5
Oct 2, 2024 06:54:07.411674023 CEST	49732	443	192.168.2.5	142.250.185.110
Oct 2, 2024 06:54:07.411958933 CEST	49732	443	192.168.2.5	142.250.185.110
Oct 2, 2024 06:54:07.411969900 CEST	443	49732	142.250.185.110	192.168.2.5
Oct 2, 2024 06:54:08.219754934 CEST	443	49732	142.250.185.110	192.168.2.5
Oct 2, 2024 06:54:08.220191956 CEST	49732	443	192.168.2.5	142.250.185.110
Oct 2, 2024 06:54:08.220230103 CEST	443	49732	142.250.185.110	192.168.2.5
Oct 2, 2024 06:54:08.220834017 CEST	443	49732	142.250.185.110	192.168.2.5
Oct 2, 2024 06:54:08.220895052 CEST	49732	443	192.168.2.5	142.250.185.110
Oct 2, 2024 06:54:08.221904993 CEST	443	49732	142.250.185.110	192.168.2.5
Oct 2, 2024 06:54:08.221960068 CEST	49732	443	192.168.2.5	142.250.185.110
Oct 2, 2024 06:54:08.225402117 CEST	49732	443	192.168.2.5	142.250.185.110
Oct 2, 2024 06:54:08.225402117 CEST	49732	443	192.168.2.5	142.250.185.110
Oct 2, 2024 06:54:08.225418091 CEST	443	49732	142.250.185.110	192.168.2.5
Oct 2, 2024 06:54:08.225490093 CEST	443	49732	142.250.185.110	192.168.2.5
Oct 2, 2024 06:54:08.266535044 CEST	49732	443	192.168.2.5	142.250.185.110
Oct 2, 2024 06:54:08.266547918 CEST	443	49732	142.250.185.110	192.168.2.5
Oct 2, 2024 06:54:08.311815023 CEST	49732	443	192.168.2.5	142.250.185.110
Oct 2, 2024 06:54:08.599343061 CEST	443	49732	142.250.185.110	192.168.2.5
Oct 2, 2024 06:54:08.599736929 CEST	443	49732	142.250.185.110	192.168.2.5
Oct 2, 2024 06:54:08.599834919 CEST	49732	443	192.168.2.5	142.250.185.110
Oct 2, 2024 06:54:08.599857092 CEST	443	49732	142.250.185.110	192.168.2.5
Oct 2, 2024 06:54:08.603176117 CEST	49732	443	192.168.2.5	142.250.185.110
Oct 2, 2024 06:54:08.603986979 CEST	443	49732	142.250.185.110	192.168.2.5
Oct 2, 2024 06:54:08.604049921 CEST	49732	443	192.168.2.5	142.250.185.110
Oct 2, 2024 06:54:08.605168104 CEST	443	49732	142.250.185.110	192.168.2.5
Oct 2, 2024 06:54:08.605226040 CEST	49732	443	192.168.2.5	142.250.185.110
Oct 2, 2024 06:54:08.611644030 CEST	443	49732	142.250.185.110	192.168.2.5
Oct 2, 2024 06:54:08.611728907 CEST	49732	443	192.168.2.5	142.250.185.110
Oct 2, 2024 06:54:08.614209890 CEST	443	49732	142.250.185.110	192.168.2.5
Oct 2, 2024 06:54:08.614276886 CEST	49732	443	192.168.2.5	142.250.185.110
Oct 2, 2024 06:54:08.618982077 CEST	443	49732	142.250.185.110	192.168.2.5
Oct 2, 2024 06:54:08.619057894 CEST	49732	443	192.168.2.5	142.250.185.110
Oct 2, 2024 06:54:08.623955011 CEST	443	49732	142.250.185.110	192.168.2.5
Oct 2, 2024 06:54:08.624026060 CEST	49732	443	192.168.2.5	142.250.185.110
Oct 2, 2024 06:54:08.624130011 CEST	443	49732	142.250.185.110	192.168.2.5
Oct 2, 2024 06:54:08.624183893 CEST	49732	443	192.168.2.5	142.250.185.110
Oct 2, 2024 06:54:08.646229029 CEST	49735	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:08.646267891 CEST	443	49735	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:08.646346092 CEST	49735	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:08.646528959 CEST	49735	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:08.646543026 CEST	443	49735	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:08.685823917 CEST	443	49732	142.250.185.110	192.168.2.5
Oct 2, 2024 06:54:08.685903072 CEST	49732	443	192.168.2.5	142.250.185.110
Oct 2, 2024 06:54:08.689980030 CEST	443	49732	142.250.185.110	192.168.2.5
Oct 2, 2024 06:54:08.690062046 CEST	49732	443	192.168.2.5	142.250.185.110
Oct 2, 2024 06:54:08.690614939 CEST	443	49732	142.250.185.110	192.168.2.5
Oct 2, 2024 06:54:08.690686941 CEST	49732	443	192.168.2.5	142.250.185.110
Oct 2, 2024 06:54:08.694746017 CEST	443	49732	142.250.185.110	192.168.2.5
Oct 2, 2024 06:54:08.694817066 CEST	49732	443	192.168.2.5	142.250.185.110
Oct 2, 2024 06:54:08.695271969 CEST	443	49732	142.250.185.110	192.168.2.5
Oct 2, 2024 06:54:08.695321083 CEST	49732	443	192.168.2.5	142.250.185.110
Oct 2, 2024 06:54:08.698611021 CEST	49736	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:08.698651075 CEST	443	49736	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:08.698733091 CEST	49736	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:08.700480938 CEST	49736	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:08.700495005 CEST	443	49736	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:08.701050997 CEST	443	49732	142.250.185.110	192.168.2.5
Oct 2, 2024 06:54:08.701112986 CEST	49732	443	192.168.2.5	142.250.185.110
Oct 2, 2024 06:54:08.707295895 CEST	443	49732	142.250.185.110	192.168.2.5
Oct 2, 2024 06:54:08.707365990 CEST	49732	443	192.168.2.5	142.250.185.110
Oct 2, 2024 06:54:08.707480907 CEST	443	49732	142.250.185.110	192.168.2.5
Oct 2, 2024 06:54:08.713737011 CEST	443	49732	142.250.185.110	192.168.2.5
Oct 2, 2024 06:54:08.713804960 CEST	49732	443	192.168.2.5	142.250.185.110
Oct 2, 2024 06:54:08.713815928 CEST	443	49732	142.250.185.110	192.168.2.5
Oct 2, 2024 06:54:08.720124960 CEST	443	49732	142.250.185.110	192.168.2.5
Oct 2, 2024 06:54:08.720195055 CEST	49732	443	192.168.2.5	142.250.185.110
Oct 2, 2024 06:54:08.720204115 CEST	443	49732	142.250.185.110	192.168.2.5
Oct 2, 2024 06:54:08.720704079 CEST	443	49732	142.250.185.110	192.168.2.5
Oct 2, 2024 06:54:08.720762968 CEST	49732	443	192.168.2.5	142.250.185.110
Oct 2, 2024 06:54:08.728199005 CEST	49732	443	192.168.2.5	142.250.185.110
Oct 2, 2024 06:54:08.728225946 CEST	443	49732	142.250.185.110	192.168.2.5
Oct 2, 2024 06:54:09.284719944 CEST	443	49735	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:09.284950018 CEST	49735	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:09.284971952 CEST	443	49735	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:09.285321951 CEST	443	49735	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:09.285398960 CEST	49735	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:09.285991907 CEST	443	49735	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:09.286045074 CEST	49735	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:09.286861897 CEST	49735	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:09.286920071 CEST	443	49735	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:09.287163973 CEST	49735	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:09.287170887 CEST	443	49735	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:09.330022097 CEST	49735	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:09.347157955 CEST	443	49736	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:09.347395897 CEST	49736	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:09.347425938 CEST	443	49736	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:09.348736048 CEST	443	49736	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:09.348808050 CEST	49736	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:09.351226091 CEST	443	49736	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:09.351283073 CEST	49736	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:09.351403952 CEST	49736	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:09.351560116 CEST	49736	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:09.351564884 CEST	443	49736	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:09.351581097 CEST	443	49736	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:09.391406059 CEST	49736	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:09.391417027 CEST	443	49736	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:09.437911987 CEST	49736	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:09.562136889 CEST	443	49735	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:09.562536955 CEST	443	49735	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:09.562603951 CEST	49735	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:09.562763929 CEST	49735	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:09.562777042 CEST	443	49735	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:09.562789917 CEST	49735	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:09.562827110 CEST	49735	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:09.564315081 CEST	49740	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:09.564358950 CEST	443	49740	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:09.564421892 CEST	49740	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:09.564992905 CEST	49740	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:09.565004110 CEST	443	49740	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:09.628412008 CEST	443	49736	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:09.628617048 CEST	443	49736	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:09.628678083 CEST	49736	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:09.628905058 CEST	49736	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:09.628921986 CEST	443	49736	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:09.628932953 CEST	49736	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:09.628968954 CEST	49736	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:09.629718065 CEST	49742	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:09.629774094 CEST	443	49742	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:09.629842997 CEST	49742	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:09.630064964 CEST	49742	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:09.630089998 CEST	443	49742	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:10.271537066 CEST	443	49740	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:10.271891117 CEST	49740	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:10.271922112 CEST	443	49740	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:10.272474051 CEST	443	49740	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:10.272552967 CEST	49740	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:10.273526907 CEST	443	49740	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:10.273592949 CEST	49740	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:10.273762941 CEST	49740	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:10.273845911 CEST	443	49740	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:10.273946047 CEST	49740	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:10.273957014 CEST	443	49740	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:10.273976088 CEST	49740	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:10.319402933 CEST	443	49740	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:10.326945066 CEST	49740	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:10.333260059 CEST	443	49742	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:10.333587885 CEST	49742	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:10.333620071 CEST	443	49742	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:10.334171057 CEST	443	49742	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:10.334255934 CEST	49742	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:10.334960938 CEST	443	49742	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:10.335032940 CEST	49742	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:10.335227013 CEST	49742	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:10.335309029 CEST	443	49742	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:10.335376024 CEST	49742	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:10.335431099 CEST	49742	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:10.335444927 CEST	443	49742	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:10.389399052 CEST	49742	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:10.519984961 CEST	443	49740	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:10.520092964 CEST	443	49740	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:10.520149946 CEST	49740	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:10.520940065 CEST	49740	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:10.520961046 CEST	443	49740	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:10.540640116 CEST	443	49742	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:10.540749073 CEST	443	49742	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:10.540817022 CEST	49742	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:10.545267105 CEST	49742	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:10.545290947 CEST	443	49742	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:11.014107943 CEST	49747	443	192.168.2.5	13.85.23.86
Oct 2, 2024 06:54:11.014159918 CEST	443	49747	13.85.23.86	192.168.2.5
Oct 2, 2024 06:54:11.014239073 CEST	49747	443	192.168.2.5	13.85.23.86
Oct 2, 2024 06:54:11.016093016 CEST	49747	443	192.168.2.5	13.85.23.86
Oct 2, 2024 06:54:11.016105890 CEST	443	49747	13.85.23.86	192.168.2.5
Oct 2, 2024 06:54:11.700861931 CEST	49715	443	192.168.2.5	142.250.185.132
Oct 2, 2024 06:54:11.743413925 CEST	443	49715	142.250.185.132	192.168.2.5
Oct 2, 2024 06:54:11.821031094 CEST	443	49747	13.85.23.86	192.168.2.5
Oct 2, 2024 06:54:11.821106911 CEST	49747	443	192.168.2.5	13.85.23.86
Oct 2, 2024 06:54:11.822921038 CEST	49747	443	192.168.2.5	13.85.23.86
Oct 2, 2024 06:54:11.822932005 CEST	443	49747	13.85.23.86	192.168.2.5
Oct 2, 2024 06:54:11.823162079 CEST	443	49747	13.85.23.86	192.168.2.5
Oct 2, 2024 06:54:11.873631001 CEST	49747	443	192.168.2.5	13.85.23.86
Oct 2, 2024 06:54:11.967389107 CEST	443	49715	142.250.185.132	192.168.2.5
Oct 2, 2024 06:54:11.967442036 CEST	443	49715	142.250.185.132	192.168.2.5
Oct 2, 2024 06:54:11.967497110 CEST	49715	443	192.168.2.5	142.250.185.132
Oct 2, 2024 06:54:11.967516899 CEST	443	49715	142.250.185.132	192.168.2.5
Oct 2, 2024 06:54:11.967921972 CEST	443	49715	142.250.185.132	192.168.2.5
Oct 2, 2024 06:54:11.967958927 CEST	443	49715	142.250.185.132	192.168.2.5
Oct 2, 2024 06:54:11.967973948 CEST	49715	443	192.168.2.5	142.250.185.132
Oct 2, 2024 06:54:11.967978954 CEST	443	49715	142.250.185.132	192.168.2.5
Oct 2, 2024 06:54:11.968015909 CEST	49715	443	192.168.2.5	142.250.185.132
Oct 2, 2024 06:54:11.968662977 CEST	443	49715	142.250.185.132	192.168.2.5
Oct 2, 2024 06:54:11.968719959 CEST	443	49715	142.250.185.132	192.168.2.5
Oct 2, 2024 06:54:11.968766928 CEST	49715	443	192.168.2.5	142.250.185.132
Oct 2, 2024 06:54:11.977360964 CEST	49715	443	192.168.2.5	142.250.185.132
Oct 2, 2024 06:54:11.977376938 CEST	443	49715	142.250.185.132	192.168.2.5
Oct 2, 2024 06:54:12.675694942 CEST	49747	443	192.168.2.5	13.85.23.86
Oct 2, 2024 06:54:12.719412088 CEST	443	49747	13.85.23.86	192.168.2.5
Oct 2, 2024 06:54:12.914310932 CEST	443	49747	13.85.23.86	192.168.2.5
Oct 2, 2024 06:54:12.914345026 CEST	443	49747	13.85.23.86	192.168.2.5
Oct 2, 2024 06:54:12.914356947 CEST	443	49747	13.85.23.86	192.168.2.5
Oct 2, 2024 06:54:12.914366007 CEST	443	49747	13.85.23.86	192.168.2.5
Oct 2, 2024 06:54:12.914410114 CEST	443	49747	13.85.23.86	192.168.2.5
Oct 2, 2024 06:54:12.914416075 CEST	49747	443	192.168.2.5	13.85.23.86
Oct 2, 2024 06:54:12.914438963 CEST	443	49747	13.85.23.86	192.168.2.5
Oct 2, 2024 06:54:12.914475918 CEST	49747	443	192.168.2.5	13.85.23.86
Oct 2, 2024 06:54:12.914520025 CEST	49747	443	192.168.2.5	13.85.23.86
Oct 2, 2024 06:54:12.916546106 CEST	443	49747	13.85.23.86	192.168.2.5
Oct 2, 2024 06:54:12.916608095 CEST	49747	443	192.168.2.5	13.85.23.86
Oct 2, 2024 06:54:12.916614056 CEST	443	49747	13.85.23.86	192.168.2.5
Oct 2, 2024 06:54:12.916629076 CEST	443	49747	13.85.23.86	192.168.2.5
Oct 2, 2024 06:54:12.916683912 CEST	49747	443	192.168.2.5	13.85.23.86
Oct 2, 2024 06:54:13.642561913 CEST	49747	443	192.168.2.5	13.85.23.86
Oct 2, 2024 06:54:13.642594099 CEST	443	49747	13.85.23.86	192.168.2.5
Oct 2, 2024 06:54:13.642643929 CEST	49747	443	192.168.2.5	13.85.23.86
Oct 2, 2024 06:54:13.642652035 CEST	443	49747	13.85.23.86	192.168.2.5
Oct 2, 2024 06:54:16.377125025 CEST	49755	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:16.377152920 CEST	443	49755	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:16.377257109 CEST	49755	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:16.377716064 CEST	49755	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:16.377727985 CEST	443	49755	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:17.112623930 CEST	443	49755	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:17.113044024 CEST	49755	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:17.113059998 CEST	443	49755	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:17.113420010 CEST	443	49755	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:17.113770008 CEST	49755	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:17.113833904 CEST	443	49755	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:17.114087105 CEST	49755	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:17.114109039 CEST	49755	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:17.114118099 CEST	443	49755	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:17.416769981 CEST	443	49755	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:17.416924000 CEST	443	49755	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:17.417267084 CEST	49755	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:17.419836998 CEST	49755	443	192.168.2.5	216.58.206.46
Oct 2, 2024 06:54:17.419851065 CEST	443	49755	216.58.206.46	192.168.2.5
Oct 2, 2024 06:54:27.101995945 CEST	65369	53	192.168.2.5	162.159.36.2
Oct 2, 2024 06:54:27.106816053 CEST	53	65369	162.159.36.2	192.168.2.5
Oct 2, 2024 06:54:27.106895924 CEST	65369	53	192.168.2.5	162.159.36.2
Oct 2, 2024 06:54:27.111684084 CEST	53	65369	162.159.36.2	192.168.2.5
Oct 2, 2024 06:54:27.599435091 CEST	65369	53	192.168.2.5	162.159.36.2
Oct 2, 2024 06:54:27.604614973 CEST	53	65369	162.159.36.2	192.168.2.5
Oct 2, 2024 06:54:27.604667902 CEST	65369	53	192.168.2.5	162.159.36.2
Oct 2, 2024 06:54:27.630003929 CEST	65370	443	192.168.2.5	40.69.42.241
Oct 2, 2024 06:54:27.630100012 CEST	443	65370	40.69.42.241	192.168.2.5
Oct 2, 2024 06:54:27.630203962 CEST	65370	443	192.168.2.5	40.69.42.241
Oct 2, 2024 06:54:27.630542994 CEST	65370	443	192.168.2.5	40.69.42.241
Oct 2, 2024 06:54:27.630572081 CEST	443	65370	40.69.42.241	192.168.2.5
Oct 2, 2024 06:54:28.405844927 CEST	443	65370	40.69.42.241	192.168.2.5
Oct 2, 2024 06:54:28.406002045 CEST	65370	443	192.168.2.5	40.69.42.241
Oct 2, 2024 06:54:28.410072088 CEST	65370	443	192.168.2.5	40.69.42.241
Oct 2, 2024 06:54:28.410104990 CEST	443	65370	40.69.42.241	192.168.2.5
Oct 2, 2024 06:54:28.410423994 CEST	443	65370	40.69.42.241	192.168.2.5
Oct 2, 2024 06:54:28.418736935 CEST	65370	443	192.168.2.5	40.69.42.241
Oct 2, 2024 06:54:28.459402084 CEST	443	65370	40.69.42.241	192.168.2.5
Oct 2, 2024 06:54:28.625386953 CEST	443	65370	40.69.42.241	192.168.2.5
Oct 2, 2024 06:54:28.625575066 CEST	443	65370	40.69.42.241	192.168.2.5
Oct 2, 2024 06:54:28.625662088 CEST	65370	443	192.168.2.5	40.69.42.241
Oct 2, 2024 06:54:28.633589029 CEST	65370	443	192.168.2.5	40.69.42.241
Oct 2, 2024 06:54:28.633636951 CEST	443	65370	40.69.42.241	192.168.2.5
Oct 2, 2024 06:54:28.633666992 CEST	65370	443	192.168.2.5	40.69.42.241
Oct 2, 2024 06:54:28.633682013 CEST	443	65370	40.69.42.241	192.168.2.5
Oct 2, 2024 06:54:28.665050030 CEST	65371	443	192.168.2.5	13.85.23.86
Oct 2, 2024 06:54:28.665117025 CEST	443	65371	13.85.23.86	192.168.2.5
Oct 2, 2024 06:54:28.665225983 CEST	65371	443	192.168.2.5	13.85.23.86
Oct 2, 2024 06:54:28.665589094 CEST	65371	443	192.168.2.5	13.85.23.86
Oct 2, 2024 06:54:28.665601015 CEST	443	65371	13.85.23.86	192.168.2.5
Oct 2, 2024 06:54:29.331329107 CEST	443	65371	13.85.23.86	192.168.2.5
Oct 2, 2024 06:54:29.331459999 CEST	65371	443	192.168.2.5	13.85.23.86
Oct 2, 2024 06:54:29.332771063 CEST	65371	443	192.168.2.5	13.85.23.86
Oct 2, 2024 06:54:29.332782030 CEST	443	65371	13.85.23.86	192.168.2.5
Oct 2, 2024 06:54:29.332997084 CEST	443	65371	13.85.23.86	192.168.2.5
Oct 2, 2024 06:54:29.333975077 CEST	65371	443	192.168.2.5	13.85.23.86
Oct 2, 2024 06:54:29.379393101 CEST	443	65371	13.85.23.86	192.168.2.5
Oct 2, 2024 06:54:29.503437042 CEST	443	65371	13.85.23.86	192.168.2.5
Oct 2, 2024 06:54:29.503709078 CEST	65371	443	192.168.2.5	13.85.23.86
Oct 2, 2024 06:54:29.503731966 CEST	443	65371	13.85.23.86	192.168.2.5
Oct 2, 2024 06:54:29.503752947 CEST	65371	443	192.168.2.5	13.85.23.86
Oct 2, 2024 06:54:29.503880024 CEST	443	65371	13.85.23.86	192.168.2.5
Oct 2, 2024 06:54:29.503910065 CEST	443	65371	13.85.23.86	192.168.2.5
Oct 2, 2024 06:54:29.503958941 CEST	65371	443	192.168.2.5	13.85.23.86
Oct 2, 2024 06:54:30.653848886 CEST	65372	443	192.168.2.5	4.175.87.197
Oct 2, 2024 06:54:30.653906107 CEST	443	65372	4.175.87.197	192.168.2.5
Oct 2, 2024 06:54:30.653996944 CEST	65372	443	192.168.2.5	4.175.87.197
Oct 2, 2024 06:54:30.661746025 CEST	65372	443	192.168.2.5	4.175.87.197
Oct 2, 2024 06:54:30.661756039 CEST	443	65372	4.175.87.197	192.168.2.5
Oct 2, 2024 06:54:31.445947886 CEST	443	65372	4.175.87.197	192.168.2.5
Oct 2, 2024 06:54:31.446252108 CEST	65372	443	192.168.2.5	4.175.87.197
Oct 2, 2024 06:54:31.447592020 CEST	65372	443	192.168.2.5	4.175.87.197
Oct 2, 2024 06:54:31.447604895 CEST	443	65372	4.175.87.197	192.168.2.5
Oct 2, 2024 06:54:31.447890997 CEST	443	65372	4.175.87.197	192.168.2.5
Oct 2, 2024 06:54:31.448967934 CEST	65372	443	192.168.2.5	4.175.87.197
Oct 2, 2024 06:54:31.491406918 CEST	443	65372	4.175.87.197	192.168.2.5
Oct 2, 2024 06:54:31.776864052 CEST	443	65372	4.175.87.197	192.168.2.5
Oct 2, 2024 06:54:31.776886940 CEST	443	65372	4.175.87.197	192.168.2.5
Oct 2, 2024 06:54:31.776901960 CEST	443	65372	4.175.87.197	192.168.2.5
Oct 2, 2024 06:54:31.776987076 CEST	65372	443	192.168.2.5	4.175.87.197
Oct 2, 2024 06:54:31.777000904 CEST	443	65372	4.175.87.197	192.168.2.5
Oct 2, 2024 06:54:31.777046919 CEST	65372	443	192.168.2.5	4.175.87.197
Oct 2, 2024 06:54:31.777590036 CEST	443	65372	4.175.87.197	192.168.2.5
Oct 2, 2024 06:54:31.777679920 CEST	65372	443	192.168.2.5	4.175.87.197
Oct 2, 2024 06:54:31.777686119 CEST	443	65372	4.175.87.197	192.168.2.5
Oct 2, 2024 06:54:31.777705908 CEST	443	65372	4.175.87.197	192.168.2.5
Oct 2, 2024 06:54:31.777760983 CEST	65372	443	192.168.2.5	4.175.87.197
Oct 2, 2024 06:54:31.781006098 CEST	65372	443	192.168.2.5	4.175.87.197
Oct 2, 2024 06:54:31.781021118 CEST	443	65372	4.175.87.197	192.168.2.5
Oct 2, 2024 06:54:31.781032085 CEST	65372	443	192.168.2.5	4.175.87.197
Oct 2, 2024 06:54:31.781037092 CEST	443	65372	4.175.87.197	192.168.2.5
Oct 2, 2024 06:54:31.920018911 CEST	65373	443	192.168.2.5	4.175.87.197
Oct 2, 2024 06:54:31.920061111 CEST	443	65373	4.175.87.197	192.168.2.5
Oct 2, 2024 06:54:31.920161009 CEST	65373	443	192.168.2.5	4.175.87.197
Oct 2, 2024 06:54:31.920593977 CEST	65373	443	192.168.2.5	4.175.87.197
Oct 2, 2024 06:54:31.920609951 CEST	443	65373	4.175.87.197	192.168.2.5
Oct 2, 2024 06:54:32.760072947 CEST	443	65373	4.175.87.197	192.168.2.5
Oct 2, 2024 06:54:32.760205030 CEST	65373	443	192.168.2.5	4.175.87.197
Oct 2, 2024 06:54:32.762067080 CEST	65373	443	192.168.2.5	4.175.87.197
Oct 2, 2024 06:54:32.762078047 CEST	443	65373	4.175.87.197	192.168.2.5
Oct 2, 2024 06:54:32.762337923 CEST	443	65373	4.175.87.197	192.168.2.5
Oct 2, 2024 06:54:32.763371944 CEST	65373	443	192.168.2.5	4.175.87.197
Oct 2, 2024 06:54:32.803396940 CEST	443	65373	4.175.87.197	192.168.2.5
Oct 2, 2024 06:54:33.106115103 CEST	443	65373	4.175.87.197	192.168.2.5
Oct 2, 2024 06:54:33.106143951 CEST	443	65373	4.175.87.197	192.168.2.5
Oct 2, 2024 06:54:33.106158018 CEST	443	65373	4.175.87.197	192.168.2.5
Oct 2, 2024 06:54:33.106296062 CEST	65373	443	192.168.2.5	4.175.87.197
Oct 2, 2024 06:54:33.106327057 CEST	443	65373	4.175.87.197	192.168.2.5
Oct 2, 2024 06:54:33.106375933 CEST	65373	443	192.168.2.5	4.175.87.197
Oct 2, 2024 06:54:33.107563019 CEST	443	65373	4.175.87.197	192.168.2.5
Oct 2, 2024 06:54:33.107606888 CEST	443	65373	4.175.87.197	192.168.2.5
Oct 2, 2024 06:54:33.107635021 CEST	65373	443	192.168.2.5	4.175.87.197
Oct 2, 2024 06:54:33.107640982 CEST	443	65373	4.175.87.197	192.168.2.5
Oct 2, 2024 06:54:33.107661009 CEST	65373	443	192.168.2.5	4.175.87.197
Oct 2, 2024 06:54:33.107705116 CEST	443	65373	4.175.87.197	192.168.2.5
Oct 2, 2024 06:54:33.107745886 CEST	65373	443	192.168.2.5	4.175.87.197
Oct 2, 2024 06:54:33.109981060 CEST	65373	443	192.168.2.5	4.175.87.197
Oct 2, 2024 06:54:33.109993935 CEST	443	65373	4.175.87.197	192.168.2.5
Oct 2, 2024 06:54:33.110008955 CEST	65373	443	192.168.2.5	4.175.87.197
Oct 2, 2024 06:54:33.110013962 CEST	443	65373	4.175.87.197	192.168.2.5
Oct 2, 2024 06:54:38.810159922 CEST	65374	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:54:38.810254097 CEST	443	65374	142.250.186.174	192.168.2.5
Oct 2, 2024 06:54:38.810359001 CEST	65374	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:54:38.810583115 CEST	65374	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:54:38.810611963 CEST	443	65374	142.250.186.174	192.168.2.5
Oct 2, 2024 06:54:38.830765009 CEST	65375	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:54:38.830806017 CEST	443	65375	142.250.186.174	192.168.2.5
Oct 2, 2024 06:54:38.830879927 CEST	65375	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:54:38.831197023 CEST	65375	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:54:38.831212044 CEST	443	65375	142.250.186.174	192.168.2.5
Oct 2, 2024 06:54:39.446978092 CEST	443	65374	142.250.186.174	192.168.2.5
Oct 2, 2024 06:54:39.447325945 CEST	65374	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:54:39.447346926 CEST	443	65374	142.250.186.174	192.168.2.5
Oct 2, 2024 06:54:39.447917938 CEST	443	65374	142.250.186.174	192.168.2.5
Oct 2, 2024 06:54:39.448260069 CEST	65374	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:54:39.448345900 CEST	443	65374	142.250.186.174	192.168.2.5
Oct 2, 2024 06:54:39.448484898 CEST	65374	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:54:39.448499918 CEST	65374	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:54:39.448518038 CEST	443	65374	142.250.186.174	192.168.2.5
Oct 2, 2024 06:54:39.464776993 CEST	443	65375	142.250.186.174	192.168.2.5
Oct 2, 2024 06:54:39.465060949 CEST	65375	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:54:39.465090990 CEST	443	65375	142.250.186.174	192.168.2.5
Oct 2, 2024 06:54:39.465605021 CEST	443	65375	142.250.186.174	192.168.2.5
Oct 2, 2024 06:54:39.465893984 CEST	65375	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:54:39.465969086 CEST	443	65375	142.250.186.174	192.168.2.5
Oct 2, 2024 06:54:39.466012001 CEST	65375	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:54:39.466027975 CEST	65375	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:54:39.466057062 CEST	443	65375	142.250.186.174	192.168.2.5
Oct 2, 2024 06:54:39.645103931 CEST	443	65374	142.250.186.174	192.168.2.5
Oct 2, 2024 06:54:39.645349026 CEST	443	65374	142.250.186.174	192.168.2.5
Oct 2, 2024 06:54:39.645414114 CEST	65374	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:54:39.645665884 CEST	65374	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:54:39.645700932 CEST	443	65374	142.250.186.174	192.168.2.5
Oct 2, 2024 06:54:39.740129948 CEST	443	65375	142.250.186.174	192.168.2.5
Oct 2, 2024 06:54:39.740259886 CEST	443	65375	142.250.186.174	192.168.2.5
Oct 2, 2024 06:54:39.740317106 CEST	65375	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:54:39.740720987 CEST	65375	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:54:39.740734100 CEST	443	65375	142.250.186.174	192.168.2.5
Oct 2, 2024 06:54:40.427704096 CEST	65376	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:54:40.427747965 CEST	443	65376	142.250.186.174	192.168.2.5
Oct 2, 2024 06:54:40.427845955 CEST	65376	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:54:40.428308010 CEST	65376	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:54:40.428325891 CEST	443	65376	142.250.186.174	192.168.2.5
Oct 2, 2024 06:54:41.066068888 CEST	443	65376	142.250.186.174	192.168.2.5
Oct 2, 2024 06:54:41.066467047 CEST	65376	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:54:41.066488981 CEST	443	65376	142.250.186.174	192.168.2.5
Oct 2, 2024 06:54:41.067014933 CEST	443	65376	142.250.186.174	192.168.2.5
Oct 2, 2024 06:54:41.068070889 CEST	65376	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:54:41.068160057 CEST	443	65376	142.250.186.174	192.168.2.5
Oct 2, 2024 06:54:41.068259954 CEST	65376	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:54:41.068280935 CEST	65376	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:54:41.068311930 CEST	443	65376	142.250.186.174	192.168.2.5
Oct 2, 2024 06:54:41.266841888 CEST	443	65376	142.250.186.174	192.168.2.5
Oct 2, 2024 06:54:41.267004967 CEST	443	65376	142.250.186.174	192.168.2.5
Oct 2, 2024 06:54:41.267066002 CEST	65376	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:54:41.267350912 CEST	65376	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:54:41.267364025 CEST	443	65376	142.250.186.174	192.168.2.5
Oct 2, 2024 06:54:54.147567987 CEST	55424	53	192.168.2.5	1.1.1.1
Oct 2, 2024 06:54:54.152436972 CEST	53	55424	1.1.1.1	192.168.2.5
Oct 2, 2024 06:54:54.152559996 CEST	55424	53	192.168.2.5	1.1.1.1
Oct 2, 2024 06:54:54.152637959 CEST	55424	53	192.168.2.5	1.1.1.1
Oct 2, 2024 06:54:54.157489061 CEST	53	55424	1.1.1.1	192.168.2.5
Oct 2, 2024 06:54:54.597500086 CEST	53	55424	1.1.1.1	192.168.2.5
Oct 2, 2024 06:54:54.608334064 CEST	55424	53	192.168.2.5	1.1.1.1
Oct 2, 2024 06:54:54.613744974 CEST	53	55424	1.1.1.1	192.168.2.5
Oct 2, 2024 06:54:54.613794088 CEST	55424	53	192.168.2.5	1.1.1.1
Oct 2, 2024 06:55:01.690140009 CEST	55428	443	192.168.2.5	142.250.186.164
Oct 2, 2024 06:55:01.690254927 CEST	443	55428	142.250.186.164	192.168.2.5
Oct 2, 2024 06:55:01.690407038 CEST	55428	443	192.168.2.5	142.250.186.164
Oct 2, 2024 06:55:01.690690041 CEST	55428	443	192.168.2.5	142.250.186.164
Oct 2, 2024 06:55:01.690717936 CEST	443	55428	142.250.186.164	192.168.2.5
Oct 2, 2024 06:55:02.420006990 CEST	443	55428	142.250.186.164	192.168.2.5
Oct 2, 2024 06:55:02.420573950 CEST	55428	443	192.168.2.5	142.250.186.164
Oct 2, 2024 06:55:02.420610905 CEST	443	55428	142.250.186.164	192.168.2.5
Oct 2, 2024 06:55:02.421695948 CEST	443	55428	142.250.186.164	192.168.2.5
Oct 2, 2024 06:55:02.422024965 CEST	55428	443	192.168.2.5	142.250.186.164
Oct 2, 2024 06:55:02.422200918 CEST	443	55428	142.250.186.164	192.168.2.5
Oct 2, 2024 06:55:02.465563059 CEST	55428	443	192.168.2.5	142.250.186.164
Oct 2, 2024 06:55:08.915596008 CEST	55429	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:55:08.915627956 CEST	443	55429	142.250.186.174	192.168.2.5
Oct 2, 2024 06:55:08.915700912 CEST	55429	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:55:08.916110039 CEST	55429	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:55:08.916126966 CEST	443	55429	142.250.186.174	192.168.2.5
Oct 2, 2024 06:55:09.176009893 CEST	55430	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:55:09.176026106 CEST	443	55430	142.250.186.174	192.168.2.5
Oct 2, 2024 06:55:09.176146984 CEST	55430	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:55:09.176449060 CEST	55430	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:55:09.176464081 CEST	443	55430	142.250.186.174	192.168.2.5
Oct 2, 2024 06:55:09.544811964 CEST	443	55429	142.250.186.174	192.168.2.5
Oct 2, 2024 06:55:09.545217991 CEST	55429	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:55:09.545241117 CEST	443	55429	142.250.186.174	192.168.2.5
Oct 2, 2024 06:55:09.545600891 CEST	443	55429	142.250.186.174	192.168.2.5
Oct 2, 2024 06:55:09.546514034 CEST	55429	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:55:09.546591997 CEST	443	55429	142.250.186.174	192.168.2.5
Oct 2, 2024 06:55:09.546899080 CEST	55429	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:55:09.546921015 CEST	55429	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:55:09.546931982 CEST	443	55429	142.250.186.174	192.168.2.5
Oct 2, 2024 06:55:09.846297979 CEST	443	55429	142.250.186.174	192.168.2.5
Oct 2, 2024 06:55:09.846448898 CEST	443	55429	142.250.186.174	192.168.2.5
Oct 2, 2024 06:55:09.846499920 CEST	55429	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:55:09.846910000 CEST	55429	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:55:09.846925974 CEST	443	55429	142.250.186.174	192.168.2.5
Oct 2, 2024 06:55:09.874336958 CEST	443	55430	142.250.186.174	192.168.2.5
Oct 2, 2024 06:55:09.874608994 CEST	55430	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:55:09.874617100 CEST	443	55430	142.250.186.174	192.168.2.5
Oct 2, 2024 06:55:09.874943972 CEST	443	55430	142.250.186.174	192.168.2.5
Oct 2, 2024 06:55:09.875216007 CEST	55430	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:55:09.875267029 CEST	443	55430	142.250.186.174	192.168.2.5
Oct 2, 2024 06:55:09.875374079 CEST	55430	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:55:09.875400066 CEST	55430	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:55:09.875415087 CEST	443	55430	142.250.186.174	192.168.2.5
Oct 2, 2024 06:55:10.173996925 CEST	443	55430	142.250.186.174	192.168.2.5
Oct 2, 2024 06:55:10.174099922 CEST	443	55430	142.250.186.174	192.168.2.5
Oct 2, 2024 06:55:10.174154997 CEST	55430	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:55:10.174659967 CEST	55430	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:55:10.174666882 CEST	443	55430	142.250.186.174	192.168.2.5
Oct 2, 2024 06:55:12.300054073 CEST	443	55428	142.250.186.164	192.168.2.5
Oct 2, 2024 06:55:12.300239086 CEST	443	55428	142.250.186.164	192.168.2.5
Oct 2, 2024 06:55:12.300348997 CEST	55428	443	192.168.2.5	142.250.186.164
Oct 2, 2024 06:55:39.160516977 CEST	55428	443	192.168.2.5	142.250.186.164
Oct 2, 2024 06:55:39.160536051 CEST	443	55428	142.250.186.164	192.168.2.5
Oct 2, 2024 06:55:39.163079023 CEST	55434	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:55:39.163103104 CEST	443	55434	142.250.186.174	192.168.2.5
Oct 2, 2024 06:55:39.163220882 CEST	55434	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:55:39.163521051 CEST	55434	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:55:39.163531065 CEST	443	55434	142.250.186.174	192.168.2.5
Oct 2, 2024 06:55:40.289721012 CEST	443	55434	142.250.186.174	192.168.2.5
Oct 2, 2024 06:55:40.290062904 CEST	55434	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:55:40.290102959 CEST	443	55434	142.250.186.174	192.168.2.5
Oct 2, 2024 06:55:40.291908026 CEST	443	55434	142.250.186.174	192.168.2.5
Oct 2, 2024 06:55:40.292383909 CEST	55434	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:55:40.292454958 CEST	55434	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:55:40.292475939 CEST	443	55434	142.250.186.174	192.168.2.5
Oct 2, 2024 06:55:40.292498112 CEST	55434	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:55:40.292687893 CEST	443	55434	142.250.186.174	192.168.2.5
Oct 2, 2024 06:55:40.342741013 CEST	55434	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:55:40.619263887 CEST	443	55434	142.250.186.174	192.168.2.5
Oct 2, 2024 06:55:40.619469881 CEST	443	55434	142.250.186.174	192.168.2.5
Oct 2, 2024 06:55:40.619544983 CEST	55434	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:55:40.620177031 CEST	55434	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:55:40.620196104 CEST	443	55434	142.250.186.174	192.168.2.5
Oct 2, 2024 06:55:41.877499104 CEST	55435	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:55:41.877516985 CEST	443	55435	142.250.186.174	192.168.2.5
Oct 2, 2024 06:55:41.877620935 CEST	55435	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:55:41.878038883 CEST	55435	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:55:41.878052950 CEST	443	55435	142.250.186.174	192.168.2.5
Oct 2, 2024 06:55:42.611421108 CEST	443	55435	142.250.186.174	192.168.2.5
Oct 2, 2024 06:55:42.611831903 CEST	55435	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:55:42.611854076 CEST	443	55435	142.250.186.174	192.168.2.5
Oct 2, 2024 06:55:42.613922119 CEST	443	55435	142.250.186.174	192.168.2.5
Oct 2, 2024 06:55:42.614259005 CEST	55435	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:55:42.614391088 CEST	443	55435	142.250.186.174	192.168.2.5
Oct 2, 2024 06:55:42.614413977 CEST	55435	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:55:42.614428043 CEST	55435	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:55:42.614644051 CEST	443	55435	142.250.186.174	192.168.2.5
Oct 2, 2024 06:55:42.656799078 CEST	55435	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:55:42.890980005 CEST	443	55435	142.250.186.174	192.168.2.5
Oct 2, 2024 06:55:42.891405106 CEST	443	55435	142.250.186.174	192.168.2.5
Oct 2, 2024 06:55:42.891513109 CEST	55435	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:55:42.891907930 CEST	55435	443	192.168.2.5	142.250.186.174
Oct 2, 2024 06:55:42.891916037 CEST	443	55435	142.250.186.174	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 06:53:57.318526030 CEST	58862	53	192.168.2.5	1.1.1.1
Oct 2, 2024 06:53:57.318795919 CEST	64971	53	192.168.2.5	1.1.1.1
Oct 2, 2024 06:53:57.322745085 CEST	53	62424	1.1.1.1	192.168.2.5
Oct 2, 2024 06:53:57.325134039 CEST	53	58862	1.1.1.1	192.168.2.5
Oct 2, 2024 06:53:57.325817108 CEST	53	64971	1.1.1.1	192.168.2.5
Oct 2, 2024 06:53:57.325937033 CEST	53	62300	1.1.1.1	192.168.2.5
Oct 2, 2024 06:53:58.250047922 CEST	56160	53	192.168.2.5	1.1.1.1
Oct 2, 2024 06:53:58.250634909 CEST	64165	53	192.168.2.5	1.1.1.1
Oct 2, 2024 06:53:58.256724119 CEST	53	56160	1.1.1.1	192.168.2.5
Oct 2, 2024 06:53:58.257327080 CEST	53	64165	1.1.1.1	192.168.2.5
Oct 2, 2024 06:53:58.320348024 CEST	53	55209	1.1.1.1	192.168.2.5
Oct 2, 2024 06:54:01.643081903 CEST	52243	53	192.168.2.5	1.1.1.1
Oct 2, 2024 06:54:01.643290043 CEST	55576	53	192.168.2.5	1.1.1.1
Oct 2, 2024 06:54:01.693389893 CEST	53	52243	1.1.1.1	192.168.2.5
Oct 2, 2024 06:54:01.693991899 CEST	53	55576	1.1.1.1	192.168.2.5
Oct 2, 2024 06:54:01.703679085 CEST	53	58931	1.1.1.1	192.168.2.5
Oct 2, 2024 06:54:04.457494974 CEST	53	61826	1.1.1.1	192.168.2.5
Oct 2, 2024 06:54:07.400993109 CEST	58257	53	192.168.2.5	1.1.1.1
Oct 2, 2024 06:54:07.401082039 CEST	65236	53	192.168.2.5	1.1.1.1
Oct 2, 2024 06:54:07.407636881 CEST	53	65236	1.1.1.1	192.168.2.5
Oct 2, 2024 06:54:07.407696009 CEST	53	58257	1.1.1.1	192.168.2.5
Oct 2, 2024 06:54:08.638639927 CEST	60033	53	192.168.2.5	1.1.1.1
Oct 2, 2024 06:54:08.638781071 CEST	50723	53	192.168.2.5	1.1.1.1
Oct 2, 2024 06:54:08.645370007 CEST	53	60033	1.1.1.1	192.168.2.5
Oct 2, 2024 06:54:08.645874023 CEST	53	50723	1.1.1.1	192.168.2.5
Oct 2, 2024 06:54:15.285085917 CEST	53	60134	1.1.1.1	192.168.2.5
Oct 2, 2024 06:54:27.101417065 CEST	53	55113	162.159.36.2	192.168.2.5
Oct 2, 2024 06:54:27.621125937 CEST	58911	53	192.168.2.5	1.1.1.1
Oct 2, 2024 06:54:27.628066063 CEST	53	58911	1.1.1.1	192.168.2.5
Oct 2, 2024 06:54:38.799885988 CEST	61452	53	192.168.2.5	1.1.1.1
Oct 2, 2024 06:54:38.807784081 CEST	53	61452	1.1.1.1	192.168.2.5
Oct 2, 2024 06:54:54.146775007 CEST	53	49473	1.1.1.1	192.168.2.5
Oct 2, 2024 06:55:01.654387951 CEST	51381	53	192.168.2.5	1.1.1.1
Oct 2, 2024 06:55:01.688903093 CEST	53	51381	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 2, 2024 06:53:57.318526030 CEST	192.168.2.5	1.1.1.1	0x8153	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:53:57.318795919 CEST	192.168.2.5	1.1.1.1	0x6b62	Standard query (0)	youtube.com	65	IN (0x0001)	false
Oct 2, 2024 06:53:58.250047922 CEST	192.168.2.5	1.1.1.1	0xe31f	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:53:58.250634909 CEST	192.168.2.5	1.1.1.1	0xf82a	Standard query (0)	www.youtube.com	65	IN (0x0001)	false
Oct 2, 2024 06:54:01.643081903 CEST	192.168.2.5	1.1.1.1	0x7ccc	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:54:01.643290043 CEST	192.168.2.5	1.1.1.1	0xf0b5	Standard query (0)	www.google.com	65	IN (0x0001)	false
Oct 2, 2024 06:54:07.400993109 CEST	192.168.2.5	1.1.1.1	0x8e3b	Standard query (0)	accounts.youtube.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:54:07.401082039 CEST	192.168.2.5	1.1.1.1	0xa0d9	Standard query (0)	accounts.youtube.com	65	IN (0x0001)	false
Oct 2, 2024 06:54:08.638639927 CEST	192.168.2.5	1.1.1.1	0x2172	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:54:08.638781071 CEST	192.168.2.5	1.1.1.1	0x62ca	Standard query (0)	play.google.com	65	IN (0x0001)	false
Oct 2, 2024 06:54:27.621125937 CEST	192.168.2.5	1.1.1.1	0xc762	Standard query (0)	241.42.69.40.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Oct 2, 2024 06:54:38.799885988 CEST	192.168.2.5	1.1.1.1	0xcf31	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:55:01.654387951 CEST	192.168.2.5	1.1.1.1	0x23a8	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 2, 2024 06:53:57.325134039 CEST	1.1.1.1	192.168.2.5	0x8153	No error (0)	youtube.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:53:57.325817108 CEST	1.1.1.1	192.168.2.5	0x6b62	No error (0)	youtube.com			65	IN (0x0001)	false
Oct 2, 2024 06:53:58.256724119 CEST	1.1.1.1	192.168.2.5	0xe31f	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 06:53:58.256724119 CEST	1.1.1.1	192.168.2.5	0xe31f	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:53:58.256724119 CEST	1.1.1.1	192.168.2.5	0xe31f	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:53:58.256724119 CEST	1.1.1.1	192.168.2.5	0xe31f	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:53:58.256724119 CEST	1.1.1.1	192.168.2.5	0xe31f	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:53:58.256724119 CEST	1.1.1.1	192.168.2.5	0xe31f	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:53:58.256724119 CEST	1.1.1.1	192.168.2.5	0xe31f	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:53:58.256724119 CEST	1.1.1.1	192.168.2.5	0xe31f	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:53:58.256724119 CEST	1.1.1.1	192.168.2.5	0xe31f	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:53:58.256724119 CEST	1.1.1.1	192.168.2.5	0xe31f	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:53:58.256724119 CEST	1.1.1.1	192.168.2.5	0xe31f	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:53:58.256724119 CEST	1.1.1.1	192.168.2.5	0xe31f	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:53:58.256724119 CEST	1.1.1.1	192.168.2.5	0xe31f	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:53:58.256724119 CEST	1.1.1.1	192.168.2.5	0xe31f	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:53:58.256724119 CEST	1.1.1.1	192.168.2.5	0xe31f	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:53:58.256724119 CEST	1.1.1.1	192.168.2.5	0xe31f	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:53:58.256724119 CEST	1.1.1.1	192.168.2.5	0xe31f	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:53:58.257327080 CEST	1.1.1.1	192.168.2.5	0xf82a	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 06:53:58.257327080 CEST	1.1.1.1	192.168.2.5	0xf82a	No error (0)	youtube-ui.l.google.com			65	IN (0x0001)	false
Oct 2, 2024 06:54:01.693389893 CEST	1.1.1.1	192.168.2.5	0x7ccc	No error (0)	www.google.com		142.250.185.132	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:54:01.693991899 CEST	1.1.1.1	192.168.2.5	0xf0b5	No error (0)	www.google.com			65	IN (0x0001)	false
Oct 2, 2024 06:54:07.407636881 CEST	1.1.1.1	192.168.2.5	0xa0d9	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 06:54:07.407696009 CEST	1.1.1.1	192.168.2.5	0x8e3b	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 06:54:07.407696009 CEST	1.1.1.1	192.168.2.5	0x8e3b	No error (0)	www3.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:54:08.645370007 CEST	1.1.1.1	192.168.2.5	0x2172	No error (0)	play.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:54:27.628066063 CEST	1.1.1.1	192.168.2.5	0xc762	Name error (3)	241.42.69.40.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Oct 2, 2024 06:54:38.807784081 CEST	1.1.1.1	192.168.2.5	0xcf31	No error (0)	play.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:55:01.688903093 CEST	1.1.1.1	192.168.2.5	0x23a8	No error (0)	www.google.com		142.250.186.164	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

youtube.com

fs.microsoft.com

https:

accounts.youtube.com

play.google.com

www.google.com

slscr.update.microsoft.com

fe3cr.delivery.mp.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	142.250.185.174	443	7224	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:53:57 UTC	867	OUT	GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1 Host: youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCJDKzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw== Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 04:53:58 UTC	1704	IN	HTTP/1.1 301 Moved Permanently Content-Type: application/binary X-Content-Type-Options: nosniff Expires: Wed, 02 Oct 2024 04:53:58 GMT Date: Wed, 02 Oct 2024 04:53:58 GMT Cache-Control: private, max-age=31536000 Location: https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Content-Security-Policy: require-trusted-types-for 'script' Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49717	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:54:02 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-02 04:54:02 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-neu-z1 Cache-Control: public, max-age=129108 Date: Wed, 02 Oct 2024 04:54:02 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49720	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:54:04 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-02 04:54:04 UTC	515	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=129050 Date: Wed, 02 Oct 2024 04:54:04 GMT Content-Length: 55 Connection: close X-CID: 2
2024-10-02 04:54:04 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49732	142.250.185.110	443	7224	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:54:08 UTC	1253	OUT	GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=-1743275230&timestamp=1727844846705 HTTP/1.1 Host: accounts.youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-arch: "x86" sec-ch-ua-platform: "Windows" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-model: "" sec-ch-ua-bitness: "64" sec-ch-ua-wow64: ?0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCJDKzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw== Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: iframe Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 04:54:08 UTC	1969	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 X-Frame-Options: ALLOW-FROM https://accounts.google.com Content-Security-Policy: frame-ancestors https://accounts.google.com Content-Security-Policy: script-src 'report-sample' 'nonce-FXkScQoIcYVIJ6pDqKv4Lg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 02 Oct 2024 04:54:08 GMT Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: cross-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version reporting-endpoints: default="/_/AccountsDomainCookiesCheckConnectionHttp/web-reports?context=eJzjstDikmJw15BikPj6kkkDiJ3SZ7AGAXHSv_OsRUB8ufsS63UgVu25xGoKxEUSV1ibgFiIh-PD4s_b2QRu_Dr5glFJLym_MD4zJTWvJLOkMiU_NzEzLzk_Pzsztbg4tagstSjeyMDIxMDSyEjPwCK-wAAAEKIubw" Server: ESF X-XSS-Protection: 0 X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 04:54:08 UTC	1969	IN	Data Raw: 37 36 31 39 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 46 58 6b 53 63 51 6f 49 63 59 56 49 4a 36 70 44 71 4b 76 34 4c 67 22 3e 22 75 73 65 20 73 74 72 69 63 74 22 3b 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 3d 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 7c 7c 7b 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 5f 29 7b 76 61 72 20 77 69 6e 64 6f 77 3d 74 68 69 73 3b 0a 74 72 79 7b 0a 5f 2e 5f 46 5f 74 6f 67 67 6c 65 73 5f 69 6e 69 74 69 61 6c 69 7a 65 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 28 74 79 70 65 6f Data Ascii: 7619<html><head><script nonce="FXkScQoIcYVIJ6pDqKv4Lg">"use strict";this.default_AccountsDomaincookiesCheckconnectionJs=this.default_AccountsDomaincookiesCheckconnectionJs\|\|{};(function(_){var window=this;try{_._F_toggles_initialize=function(a){(typeo
2024-10-02 04:54:08 UTC	1969	IN	Data Raw: 54 72 69 64 65 6e 74 5c 2f 28 5c 64 2e 5c 64 29 2f 2e 65 78 65 63 28 62 29 2c 0a 63 5b 31 5d 3d 3d 22 37 2e 30 22 29 69 66 28 62 26 26 62 5b 31 5d 29 73 77 69 74 63 68 28 62 5b 31 5d 29 7b 63 61 73 65 20 22 34 2e 30 22 3a 61 3d 22 38 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 35 2e 30 22 3a 61 3d 22 39 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 36 2e 30 22 3a 61 3d 22 31 30 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 37 2e 30 22 3a 61 3d 22 31 31 2e 30 22 7d 65 6c 73 65 20 61 3d 22 37 2e 30 22 3b 65 6c 73 65 20 61 3d 63 5b 31 5d 3b 62 3d 61 7d 65 6c 73 65 20 62 3d 22 22 3b 72 65 74 75 72 6e 20 62 7d 76 61 72 20 64 3d 52 65 67 45 78 70 28 22 28 5b 41 2d 5a 5d 5b 5c 5c 77 20 5d 2b 29 2f 28 5b 5e 5c 5c 73 5d 2b 29 5c 5c 73 2a 28 3f 3a 5c 5c 28 Data Ascii: Trident\/(\d.\d)/.exec(b),c[1]=="7.0")if(b&&b[1])switch(b[1]){case "4.0":a="8.0";break;case "5.0":a="9.0";break;case "6.0":a="10.0";break;case "7.0":a="11.0"}else a="7.0";else a=c[1];b=a}else b="";return b}var d=RegExp("([A-Z][\\w ]+)/([^\\s]+)\\s*(?:\\(
2024-10-02 04:54:08 UTC	1969	IN	Data Raw: 74 63 68 28 74 79 70 65 6f 66 20 61 29 7b 63 61 73 65 20 22 6e 75 6d 62 65 72 22 3a 72 65 74 75 72 6e 20 69 73 46 69 6e 69 74 65 28 61 29 3f 61 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 69 67 69 6e 74 22 3a 72 65 74 75 72 6e 28 41 61 3f 0a 61 3e 3d 42 61 26 26 61 3c 3d 43 61 3a 61 5b 30 5d 3d 3d 3d 22 2d 22 3f 75 61 28 61 2c 44 61 29 3a 75 61 28 61 2c 45 61 29 29 3f 4e 75 6d 62 65 72 28 61 29 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 72 65 74 75 72 6e 20 61 3f 31 3a 30 3b 63 61 73 65 20 22 6f 62 6a 65 63 74 22 3a 69 66 28 61 29 69 66 28 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 61 29 29 7b 69 66 28 43 28 61 29 29 72 65 74 75 72 6e 7d 65 6c 73 65 20 69 66 28 46 61 26 26 61 21 3d 6e 75 6c 6c 26 26 61 20 69 6e Data Ascii: tch(typeof a){case "number":return isFinite(a)?a:String(a);case "bigint":return(Aa?a>=Ba&&a<=Ca:a[0]==="-"?ua(a,Da):ua(a,Ea))?Number(a):String(a);case "boolean":return a?1:0;case "object":if(a)if(Array.isArray(a)){if(C(a))return}else if(Fa&&a!=null&&a in
2024-10-02 04:54:08 UTC	1969	IN	Data Raw: 7b 76 61 72 20 62 3b 69 66 28 61 26 26 28 62 3d 51 61 29 21 3d 6e 75 6c 6c 26 26 62 2e 68 61 73 28 61 29 26 26 28 62 3d 61 2e 43 29 29 66 6f 72 28 76 61 72 20 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 62 5b 63 5d 3b 69 66 28 63 3d 3d 3d 62 2e 6c 65 6e 67 74 68 2d 31 26 26 41 28 64 29 29 66 6f 72 28 76 61 72 20 65 20 69 6e 20 64 29 7b 76 61 72 20 66 3d 64 5b 65 5d 3b 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 66 29 26 26 0a 52 61 28 66 2c 61 29 7d 65 6c 73 65 20 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 64 29 26 26 52 61 28 64 2c 61 29 7d 61 3d 45 3f 61 2e 43 3a 4d 61 28 61 2e 43 2c 50 61 2c 76 6f 69 64 20 30 2c 76 6f 69 64 20 30 2c 21 31 29 3b 65 3d 21 45 3b 69 66 28 62 3d 61 2e 6c 65 6e 67 74 68 29 7b 64 3d 61 5b 62 2d Data Ascii: {var b;if(a&&(b=Qa)!=null&&b.has(a)&&(b=a.C))for(var c=0;c<b.length;c++){var d=b[c];if(c===b.length-1&&A(d))for(var e in d){var f=d[e];Array.isArray(f)&&Ra(f,a)}else Array.isArray(d)&&Ra(d,a)}a=E?a.C:Ma(a.C,Pa,void 0,void 0,!1);e=!E;if(b=a.length){d=a[b-
2024-10-02 04:54:08 UTC	1969	IN	Data Raw: 6f 6c 2e 69 74 65 72 61 74 6f 72 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 61 29 72 65 74 75 72 6e 20 61 3b 61 3d 53 79 6d 62 6f 6c 28 22 63 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 22 41 72 72 61 79 20 49 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 43 6c 61 6d 70 65 64 41 72 72 61 79 20 49 6e 74 31 36 41 72 72 61 79 20 55 69 6e 74 31 36 41 72 72 61 79 20 49 6e 74 33 32 41 72 72 61 79 20 55 69 6e 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 36 34 41 72 72 61 79 22 2e 73 70 6c 69 74 28 22 20 22 29 2c 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 57 61 5b 62 5b 63 5d 5d 3b 74 79 70 65 6f 66 20 64 3d 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 26 26 74 79 70 65 Data Ascii: ol.iterator",function(a){if(a)return a;a=Symbol("c");for(var b="Array Int8Array Uint8Array Uint8ClampedArray Int16Array Uint16Array Int32Array Uint32Array Float32Array Float64Array".split(" "),c=0;c<b.length;c++){var d=Wa[b[c]];typeof d==="function"&&type
2024-10-02 04:54:08 UTC	1969	IN	Data Raw: 29 3b 65 28 22 66 72 65 65 7a 65 22 29 3b 65 28 22 70 72 65 76 65 6e 74 45 78 74 65 6e 73 69 6f 6e 73 22 29 3b 65 28 22 73 65 61 6c 22 29 3b 76 61 72 20 68 3d 30 2c 67 3d 66 75 6e 63 74 69 6f 6e 28 6b 29 7b 74 68 69 73 2e 67 3d 28 68 2b 3d 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2b 31 29 2e 74 6f 53 74 72 69 6e 67 28 29 3b 69 66 28 6b 29 7b 6b 3d 48 28 6b 29 3b 66 6f 72 28 76 61 72 20 6c 3b 21 28 6c 3d 6b 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6c 3d 6c 2e 76 61 6c 75 65 2c 74 68 69 73 2e 73 65 74 28 6c 5b 30 5d 2c 6c 5b 31 5d 29 7d 7d 3b 67 2e 70 72 6f 74 6f 74 79 70 65 2e 73 65 74 3d 66 75 6e 63 74 69 6f 6e 28 6b 2c 6c 29 7b 69 66 28 21 63 28 6b 29 29 74 68 72 6f 77 20 45 72 72 6f 72 28 22 69 22 29 3b 64 28 6b 29 3b 69 66 28 21 49 28 6b 2c 66 29 29 Data Ascii: );e("freeze");e("preventExtensions");e("seal");var h=0,g=function(k){this.g=(h+=Math.random()+1).toString();if(k){k=H(k);for(var l;!(l=k.next()).done;)l=l.value,this.set(l[0],l[1])}};g.prototype.set=function(k,l){if(!c(k))throw Error("i");d(k);if(!I(k,f))
2024-10-02 04:54:08 UTC	1969	IN	Data Raw: 75 72 6e 20 67 2e 76 61 6c 75 65 7d 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 2e 66 6f 72 45 61 63 68 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 66 6f 72 28 76 61 72 20 6c 3d 74 68 69 73 2e 65 6e 74 72 69 65 73 28 29 2c 6d 3b 21 28 6d 3d 6c 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6d 3d 0a 6d 2e 76 61 6c 75 65 2c 67 2e 63 61 6c 6c 28 6b 2c 6d 5b 31 5d 2c 6d 5b 30 5d 2c 74 68 69 73 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 5b 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 5d 3d 63 2e 70 72 6f 74 6f 74 79 70 65 2e 65 6e 74 72 69 65 73 3b 76 61 72 20 64 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 76 61 72 20 6c 3d 6b 26 26 74 79 70 65 6f 66 20 6b 3b 6c 3d 3d 22 6f 62 6a 65 63 74 22 7c 7c 6c 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 3f 62 2e 68 61 73 28 6b 29 Data Ascii: urn g.value})};c.prototype.forEach=function(g,k){for(var l=this.entries(),m;!(m=l.next()).done;)m=m.value,g.call(k,m[1],m[0],this)};c.prototype[Symbol.iterator]=c.prototype.entries;var d=function(g,k){var l=k&&typeof k;l=="object"\|\|l=="function"?b.has(k)
2024-10-02 04:54:08 UTC	1969	IN	Data Raw: 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 3f 61 3a 66 75 6e 63 74 69 6f 6e 28 62 29 7b 72 65 74 75 72 6e 20 74 79 70 65 6f 66 20 62 3d 3d 3d 22 6e 75 6d 62 65 72 22 26 26 69 73 4e 61 4e 28 62 29 7d 7d 29 3b 76 61 72 20 66 62 3d 66 62 7c 7c 7b 7d 2c 71 3d 74 68 69 73 7c 7c 73 65 6c 66 2c 67 62 3d 71 2e 5f 46 5f 74 6f 67 67 6c 65 73 7c 7c 5b 5d 2c 68 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 3d 61 2e 73 70 6c 69 74 28 22 2e 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 71 2c 63 3d 30 3b 63 3c 61 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 69 66 28 62 3d 62 5b 61 5b 63 5d 5d 2c 62 3d 3d 6e 75 6c 6c 29 72 65 74 75 72 6e 20 6e 75 6c 6c 3b 72 65 74 75 72 6e 20 62 7d 2c 69 62 3d 22 63 6c 6f 73 75 72 65 5f 75 69 64 5f 22 2b 28 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2a 31 45 Data Ascii: on(a){return a?a:function(b){return typeof b==="number"&&isNaN(b)}});var fb=fb\|\|{},q=this\|\|self,gb=q._F_toggles\|\|[],hb=function(a){a=a.split(".");for(var b=q,c=0;c<a.length;c++)if(b=b[a[c]],b==null)return null;return b},ib="closure_uid_"+(Math.random()*1E
2024-10-02 04:54:08 UTC	1969	IN	Data Raw: 74 65 78 74 5f 5f 39 38 34 33 38 32 3d 7b 7d 29 3b 61 2e 5f 5f 63 6c 6f 73 75 72 65 5f 5f 65 72 72 6f 72 5f 5f 63 6f 6e 74 65 78 74 5f 5f 39 38 34 33 38 32 2e 73 65 76 65 72 69 74 79 3d 62 7d 3b 76 61 72 20 71 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 63 3d 63 7c 7c 71 3b 76 61 72 20 64 3d 63 2e 6f 6e 65 72 72 6f 72 2c 65 3d 21 21 62 3b 63 2e 6f 6e 65 72 72 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 66 2c 68 2c 67 2c 6b 2c 6c 29 7b 64 26 26 64 28 66 2c 68 2c 67 2c 6b 2c 6c 29 3b 61 28 7b 6d 65 73 73 61 67 65 3a 66 2c 66 69 6c 65 4e 61 6d 65 3a 68 2c 6c 69 6e 65 3a 67 2c 6c 69 6e 65 4e 75 6d 62 65 72 3a 67 2c 63 61 3a 6b 2c 65 72 72 6f 72 3a 6c 7d 29 3b 72 65 74 75 72 6e 20 65 7d 7d 2c 74 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3d 68 Data Ascii: text__984382={});a.__closure__error__context__984382.severity=b};var qb=function(a,b,c){c=c\|\|q;var d=c.onerror,e=!!b;c.onerror=function(f,h,g,k,l){d&&d(f,h,g,k,l);a({message:f,fileName:h,line:g,lineNumber:g,ca:k,error:l});return e}},tb=function(a){var b=h
2024-10-02 04:54:08 UTC	1969	IN	Data Raw: 22 6e 75 6d 62 65 72 22 3a 66 3d 53 74 72 69 6e 67 28 66 29 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 66 3d 66 3f 22 74 72 75 65 22 3a 22 66 61 6c 73 65 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 66 75 6e 63 74 69 6f 6e 22 3a 66 3d 28 66 3d 73 62 28 66 29 29 3f 66 3a 22 5b 66 6e 5d 22 3b 62 72 65 61 6b 3b 64 65 66 61 75 6c 74 3a 66 3d 0a 74 79 70 65 6f 66 20 66 7d 66 2e 6c 65 6e 67 74 68 3e 34 30 26 26 28 66 3d 66 2e 73 6c 69 63 65 28 30 2c 34 30 29 2b 22 2e 2e 2e 22 29 3b 63 2e 70 75 73 68 28 66 29 7d 62 2e 70 75 73 68 28 61 29 3b 63 2e 70 75 73 68 28 22 29 5c 6e 22 29 3b 74 72 79 7b 63 2e 70 75 73 68 28 77 62 28 61 2e 63 61 6c 6c 65 72 2c 62 29 29 7d 63 61 74 63 68 28 68 29 7b 63 2e 70 75 73 68 28 22 5b 65 78 63 65 70 74 69 6f 6e Data Ascii: "number":f=String(f);break;case "boolean":f=f?"true":"false";break;case "function":f=(f=sb(f))?f:"[fn]";break;default:f=typeof f}f.length>40&&(f=f.slice(0,40)+"...");c.push(f)}b.push(a);c.push(")\n");try{c.push(wb(a.caller,b))}catch(h){c.push("[exception

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49735	216.58.206.46	443	7224	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:54:09 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 04:54:09 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 04:54:09 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49736	216.58.206.46	443	7224	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:54:09 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 04:54:09 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 04:54:09 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49740	216.58.206.46	443	7224	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:54:10 UTC	1140	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 519 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCJDKzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 04:54:10 UTC	519	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 34 34 38 34 37 39 34 38 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727844847948",null,null,null
2024-10-02 04:54:10 UTC	932	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=E1XGFk-KbQwPiFW0J6g5GZ2mYHi0VK5ISHmiic5I6IoRhOgDj3IQeFOyf42JQ6ZSz-HO7a4ZnTmFHkVuVrky_7qacQhiCRKXRcN3nOkolKzxIPi7Nb_0TpSUKBolE4Jve3z8EL_2MhQg4v95nwrewapYddfx0EyETNYKmNukRJVVe6aOrw; expires=Thu, 03-Apr-2025 04:54:10 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 04:54:10 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Wed, 02 Oct 2024 04:54:10 GMT Connection: close Transfer-Encoding: chunked
2024-10-02 04:54:10 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 04:54:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49742	216.58.206.46	443	7224	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:54:10 UTC	1140	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 507 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCJDKzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 04:54:10 UTC	507	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 34 34 38 34 38 30 30 38 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727844848008",null,null,null
2024-10-02 04:54:10 UTC	933	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=X6Gm0XeH7alFikPjSLQ-9Wht35UyUmcSDRjAWPo450ZHv2-6siHHTslxbJxkmxr47sS9yzilzIYeJwJD_hmtTztdkVnze5JqKkmyNKhGxDR7qKT9oYKCNKm9nTtleyk20eGbXQ2VPVkEOXppxiG4fbBKIoWJrJ821QScqqtLdOoRdQWc7aE; expires=Thu, 03-Apr-2025 04:54:10 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 04:54:10 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Wed, 02 Oct 2024 04:54:10 GMT Connection: close Transfer-Encoding: chunked
2024-10-02 04:54:10 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 04:54:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49715	142.250.185.132	443	7224	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:54:11 UTC	1230	OUT	GET /favicon.ico HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCJDKzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=X6Gm0XeH7alFikPjSLQ-9Wht35UyUmcSDRjAWPo450ZHv2-6siHHTslxbJxkmxr47sS9yzilzIYeJwJD_hmtTztdkVnze5JqKkmyNKhGxDR7qKT9oYKCNKm9nTtleyk20eGbXQ2VPVkEOXppxiG4fbBKIoWJrJ821QScqqtLdOoRdQWc7aE
2024-10-02 04:54:11 UTC	704	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable" Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]} Content-Length: 5430 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Wed, 02 Oct 2024 04:45:04 GMT Expires: Thu, 10 Oct 2024 04:45:04 GMT Cache-Control: public, max-age=691200 Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT Content-Type: image/x-icon Vary: Accept-Encoding Age: 547 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-02 04:54:11 UTC	686	IN	Data Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 30 fd fd fd 96 fd fd fd d8 fd fd fd f9 fd fd fd f9 fd fd fd d7 fd fd fd 94 fe fe fe 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 95 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd c1 ff ff ff ff fa fd f9 ff b4 d9 a7 ff 76 ba 5d ff 58 ab 3a ff 58 aa 3a ff 72 b8 59 ff ac d5 9d ff f8 fb f6 ff ff Data Ascii: h& ( 0.v]X:X:rY
2024-10-02 04:54:11 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d8 fd fd fd 99 ff ff ff ff 92 cf fb ff 37 52 ec ff 38 46 ea ff d0 d4 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 96 fe fe fe 32 ff ff ff ff f9 f9 fe ff 56 62 ed ff 35 43 ea ff 3b 49 eb ff 95 9c f4 ff cf d2 fa ff d1 d4 fa ff 96 9d f4 ff 52 5e ed ff e1 e3 fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 30 00 00 00 00 fd fd fd 9d ff ff ff ff e8 ea fd ff 58 63 ee ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 6c 76 f0 ff ff ff ff ff ff ff ff ff fd fd fd 98 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd c3 ff ff ff ff f9 f9 fe ff a5 ac f6 ff 5d 69 ee ff 3c 4a eb Data Ascii: 7R8F2Vb5C;IR^0Xc5C5C5C5C5C5Clv]i<J
2024-10-02 04:54:11 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff fd fd fd d0 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd fd fd 8b ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b1 d8 a3 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 60 a5 35 ff ca 8e 3e ff f9 c1 9f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 87 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 25 fd fd fd fb ff ff ff ff ff ff ff ff ff ff ff ff c2 e0 b7 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 6e b6 54 ff 9f ce 8d ff b7 da aa ff b8 db ab ff a5 d2 95 ff 7b bc 64 ff 54 a8 35 ff 53 a8 34 ff 77 a0 37 ff e3 89 41 ff f4 85 42 ff f4 85 42 ff fc Data Ascii: S4S4S4S4S4S4S4S4S4S4S4S4S4S4`5>%S4S4S4S4S4S4nT{dT5S4w7ABB
2024-10-02 04:54:11 UTC	1390	IN	Data Raw: f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff fb d5 bf ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd ea fd fd fd cb ff ff ff ff ff ff ff ff ff ff ff ff 46 cd fc ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 21 ae f9 ff fb fb ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd c8 fd fd fd 9c ff ff ff ff ff ff ff ff ff ff ff ff 86 df fd ff 05 bc fb ff 05 bc fb ff 15 93 f5 ff 34 49 eb ff b3 b8 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: BBBBBBF!4I
2024-10-02 04:54:11 UTC	574	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d2 fe fe fe 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd 8d fd fd fd fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd fb fd fd fd 8b fe fe fe 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 27 fd fd fd 9f fd fd fd f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: $'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49747	13.85.23.86	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:54:12 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=HMxa9fK6xWHNTxF&MD=rMK4+myP HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-02 04:54:12 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 2128e3e4-97d0-48ce-8d77-9e83b92cfd8c MS-RequestId: aa759c73-c945-45e9-b975-bbb4583a417f MS-CV: FmiY+fFaykSgqOcL.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 02 Oct 2024 04:54:11 GMT Connection: close Content-Length: 24490
2024-10-02 04:54:12 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-10-02 04:54:12 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49755	216.58.206.46	443	7224	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:54:17 UTC	1315	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1218 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCJDKzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=X6Gm0XeH7alFikPjSLQ-9Wht35UyUmcSDRjAWPo450ZHv2-6siHHTslxbJxkmxr47sS9yzilzIYeJwJD_hmtTztdkVnze5JqKkmyNKhGxDR7qKT9oYKCNKm9nTtleyk20eGbXQ2VPVkEOXppxiG4fbBKIoWJrJ821QScqqtLdOoRdQWc7aE
2024-10-02 04:54:17 UTC	1218	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 34 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 35 35 38 2c 5b 5b 22 31 37 32 37 38 34 34 38 34 35 30 30 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,null,null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[4,0,0,0,0]]],558,[["1727844845000",null,null,null,
2024-10-02 04:54:17 UTC	941	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=mbNxVRZDJZiPpVK8JIPdywcip3YmSsMEIH2qAGTYdZFtA0oomHwywQrMNwdFEIIjQdjVgJ0kdBMKfkzgs_r77KrxA0YbS_b3kgoLRNlGkQ9JJfX5Dvp1xcB4dDolzVBHEapVnQ9dMg6XY1FOwWL1Maa4gEzMKYYoNP-ZFn78RmpjHccVKu5F_DC57OI; expires=Thu, 03-Apr-2025 04:54:17 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 04:54:17 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Wed, 02 Oct 2024 04:54:17 GMT Connection: close Transfer-Encoding: chunked
2024-10-02 04:54:17 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 04:54:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	65370	40.69.42.241	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:54:28 UTC	142	OUT	GET /clientwebservice/ping HTTP/1.1 Connection: Keep-Alive User-Agent: DNS resiliency checker/1.0 Host: fe3cr.delivery.mp.microsoft.com
2024-10-02 04:54:28 UTC	234	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Expires: -1 Server: Microsoft-IIS/10.0 X-Powered-By: ASP.NET X-Content-Type-Options: nosniff Date: Wed, 02 Oct 2024 04:54:27 GMT Connection: close Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	65371	13.85.23.86	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:54:29 UTC	124	OUT	GET /sls/ping HTTP/1.1 Connection: Keep-Alive User-Agent: DNS resiliency checker/1.0 Host: slscr.update.microsoft.com
2024-10-02 04:54:29 UTC	318	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Expires: -1 MS-CV: F8Z+P5nuuEiwyTa6.0 MS-RequestId: eb07a40b-3327-4041-90f1-8efb3efbc71a MS-CorrelationId: 1e7dcd9f-8dac-48e8-9209-fe6b86cefb81 X-Content-Type-Options: nosniff Date: Wed, 02 Oct 2024 04:54:28 GMT Connection: close Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	65372	4.175.87.197	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:54:31 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=HMxa9fK6xWHNTxF&MD=rMK4+myP HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-02 04:54:31 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: b5716ab0-9740-4852-9001-d05fae6b34ef MS-RequestId: 12ef8162-a3ad-42e0-935b-c2b4a3efc84b MS-CV: Br8N6bMrDkayPKor.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 02 Oct 2024 04:54:31 GMT Connection: close Content-Length: 24490
2024-10-02 04:54:31 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-10-02 04:54:31 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	65373	4.175.87.197	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:54:32 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=HMxa9fK6xWHNTxF&MD=rMK4+myP HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-02 04:54:33 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: ee6ed548-c197-4459-a469-0e53bed12610 MS-RequestId: d0aecbb1-5599-4482-815c-a1f2d0af9d07 MS-CV: VxGXFgc1tUSiuV6q.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 02 Oct 2024 04:54:32 GMT Connection: close Content-Length: 30005
2024-10-02 04:54:33 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-10-02 04:54:33 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	65374	142.250.186.174	443	7224	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:54:39 UTC	1346	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1349 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCJDKzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=mbNxVRZDJZiPpVK8JIPdywcip3YmSsMEIH2qAGTYdZFtA0oomHwywQrMNwdFEIIjQdjVgJ0kdBMKfkzgs_r77KrxA0YbS_b3kgoLRNlGkQ9JJfX5Dvp1xcB4dDolzVBHEapVnQ9dMg6XY1FOwWL1Maa4gEzMKYYoNP-ZFn78RmpjHccVKu5F_DC57OI
2024-10-02 04:54:39 UTC	1349	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 34 34 38 37 38 31 30 39 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727844878109",null,null,null
2024-10-02 04:54:39 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 04:54:39 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 04:54:39 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 04:54:39 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	65375	142.250.186.174	443	7224	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:54:39 UTC	1346	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1239 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCJDKzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=mbNxVRZDJZiPpVK8JIPdywcip3YmSsMEIH2qAGTYdZFtA0oomHwywQrMNwdFEIIjQdjVgJ0kdBMKfkzgs_r77KrxA0YbS_b3kgoLRNlGkQ9JJfX5Dvp1xcB4dDolzVBHEapVnQ9dMg6XY1FOwWL1Maa4gEzMKYYoNP-ZFn78RmpjHccVKu5F_DC57OI
2024-10-02 04:54:39 UTC	1239	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 34 34 38 37 38 31 34 31 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727844878141",null,null,null
2024-10-02 04:54:39 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 04:54:39 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 04:54:39 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 04:54:39 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	65376	142.250.186.174	443	7224	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:54:41 UTC	1305	OUT	POST /log?hasfast=true&authuser=0&format=json HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 863 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.132" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCJDKzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=mbNxVRZDJZiPpVK8JIPdywcip3YmSsMEIH2qAGTYdZFtA0oomHwywQrMNwdFEIIjQdjVgJ0kdBMKfkzgs_r77KrxA0YbS_b3kgoLRNlGkQ9JJfX5Dvp1xcB4dDolzVBHEapVnQ9dMg6XY1FOwWL1Maa4gEzMKYYoNP-ZFn78RmpjHccVKu5F_DC57OI
2024-10-02 04:54:41 UTC	863	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 62 6f 71 5f 69 64 65 6e 74 69 74 79 66 72 6f 6e 74 65 6e 64 61 75 74 68 75 69 73 65 72 76 65 72 5f 32 30 32 34 30 39 32 39 2e 30 37 5f 70 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 33 2c 30 2c 30 Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"boq_identityfrontendauthuiserver_20240929.07_p0",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[3,0,0
2024-10-02 04:54:41 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 04:54:41 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 04:54:41 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 04:54:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	55429	142.250.186.174	443	7224	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:55:09 UTC	1346	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1193 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCJDKzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=mbNxVRZDJZiPpVK8JIPdywcip3YmSsMEIH2qAGTYdZFtA0oomHwywQrMNwdFEIIjQdjVgJ0kdBMKfkzgs_r77KrxA0YbS_b3kgoLRNlGkQ9JJfX5Dvp1xcB4dDolzVBHEapVnQ9dMg6XY1FOwWL1Maa4gEzMKYYoNP-ZFn78RmpjHccVKu5F_DC57OI
2024-10-02 04:55:09 UTC	1193	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 34 34 39 30 38 32 33 35 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727844908235",null,null,null
2024-10-02 04:55:09 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 04:55:09 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 04:55:09 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 04:55:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	55430	142.250.186.174	443	7224	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:55:09 UTC	1346	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1225 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCJDKzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=mbNxVRZDJZiPpVK8JIPdywcip3YmSsMEIH2qAGTYdZFtA0oomHwywQrMNwdFEIIjQdjVgJ0kdBMKfkzgs_r77KrxA0YbS_b3kgoLRNlGkQ9JJfX5Dvp1xcB4dDolzVBHEapVnQ9dMg6XY1FOwWL1Maa4gEzMKYYoNP-ZFn78RmpjHccVKu5F_DC57OI
2024-10-02 04:55:09 UTC	1225	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 34 34 39 30 38 34 39 35 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727844908495",null,null,null
2024-10-02 04:55:10 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 04:55:10 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 04:55:10 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 04:55:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	55434	142.250.186.174	443	7224	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:55:40 UTC	1346	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1381 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCJDKzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=mbNxVRZDJZiPpVK8JIPdywcip3YmSsMEIH2qAGTYdZFtA0oomHwywQrMNwdFEIIjQdjVgJ0kdBMKfkzgs_r77KrxA0YbS_b3kgoLRNlGkQ9JJfX5Dvp1xcB4dDolzVBHEapVnQ9dMg6XY1FOwWL1Maa4gEzMKYYoNP-ZFn78RmpjHccVKu5F_DC57OI
2024-10-02 04:55:40 UTC	1381	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 34 34 39 33 38 34 37 39 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727844938479",null,null,null
2024-10-02 04:55:40 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 04:55:40 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 04:55:40 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 04:55:40 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	55435	142.250.186.174	443	7224	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:55:42 UTC	1346	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1302 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCJDKzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=mbNxVRZDJZiPpVK8JIPdywcip3YmSsMEIH2qAGTYdZFtA0oomHwywQrMNwdFEIIjQdjVgJ0kdBMKfkzgs_r77KrxA0YbS_b3kgoLRNlGkQ9JJfX5Dvp1xcB4dDolzVBHEapVnQ9dMg6XY1FOwWL1Maa4gEzMKYYoNP-ZFn78RmpjHccVKu5F_DC57OI
2024-10-02 04:55:42 UTC	1302	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 34 34 39 34 31 31 39 37 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727844941197",null,null,null
2024-10-02 04:55:42 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 04:55:42 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 04:55:42 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 04:55:42 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	00:53:53
Start date:	02/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x450000
File size:	918'528 bytes
MD5 hash:	10F2301F8B97C23422086BD3C40200DE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	00:53:53
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xd50000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:53:53
Start date:	02/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	00:53:54
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	00:53:56
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 --field-trial-handle=2172,i,2599626556490026948,17595553873914899486,262144 /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	00:54:07
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5500 --field-trial-handle=2172,i,2599626556490026948,17595553873914899486,262144 /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	00:54:08
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5644 --field-trial-handle=2172,i,2599626556490026948,17595553873914899486,262144 /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.9%
Total number of Nodes:	1586
Total number of Limit Nodes:	65

Executed Functions

Function 004542DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0045430D

Part of subcall function 00456B57: _wcslen.LIBCMT ref: 00456B6A

GetCurrentProcess.KERNEL32(?,004ECB64,00000000,?,?), ref: 00454422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00454429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00454454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00454466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00454474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0045447B
GetSystemInfo.KERNEL32(?,?,?), ref: 004544A0

Strings

kernel32.dll, xrefs: 0045444F
|O, xrefs: 004936F8
GetNativeSystemInfo, xrefs: 00454460

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 959a05911e8203511571b9cdb0bac9a692c6a4848dcc758ae86540ac2a936365
Instruction ID: babe8a42e6f413c8375601808576abb9e8e0803e2490286b0998542110977039
Opcode Fuzzy Hash: 959a05911e8203511571b9cdb0bac9a692c6a4848dcc758ae86540ac2a936365
Instruction Fuzzy Hash: 05A1F862909AD0CFCB31CB697C841977FE66F77345B145CAAD44097722D228094FEB2E

Function 004542A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,004550AA,?,?,00000000,00000000), ref: 004542B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,004550AA,?,?,00000000,00000000), ref: 004542C9
LoadResource.KERNEL32(?,00000000,?,?,004550AA,?,?,00000000,00000000,?,?,?,?,?,?,00454F20), ref: 004935BE
SizeofResource.KERNEL32(?,00000000,?,?,004550AA,?,?,00000000,00000000,?,?,?,?,?,?,00454F20), ref: 004935D3
LockResource.KERNEL32(004550AA,?,?,004550AA,?,?,00000000,00000000,?,?,?,?,?,?,00454F20,?), ref: 004935E6

Strings

SCRIPT, xrefs: 004542BF

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 70d6f82660b5fa3f85cf1038757dc770429d5e110491014777d943d30d36a19a
Instruction ID: 75ed67754c6c604d31e45b43c9c53b8b12214b266b346f5da3e90256e1edca32
Opcode Fuzzy Hash: 70d6f82660b5fa3f85cf1038757dc770429d5e110491014777d943d30d36a19a
Instruction Fuzzy Hash: 0511CE70600301BFDB218B65DC88F277BB9EFC5B96F2041AAF903CA291DB71DC068665

Function 00492BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00452B6B

Part of subcall function 00453A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00521418,?,00452E7F,?,?,?,00000000), ref: 00453A78

Part of subcall function 00459CB3: _wcslen.LIBCMT ref: 00459CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00512224), ref: 00492C10
ShellExecuteW.SHELL32(00000000,?,?,00512224), ref: 00492C17

Strings

runas, xrefs: 00492C0B

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: d1547f5448312328d77da71292a12e852a3188576b480973fa5bba7baa7405bd
Instruction ID: f64566410f8ea76675a4be1f4b43f367cc6257d259289fc73f5fb63cd177a1bb
Opcode Fuzzy Hash: d1547f5448312328d77da71292a12e852a3188576b480973fa5bba7baa7405bd
Instruction Fuzzy Hash: 1C11EB31104345AACB14FF21D9919AE7BA5AFA2747F44042FFC46020A3DF78994EC75A

Function 004DA67C Relevance: 6.2, APIs: 4, Instructions: 175
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 004DA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 004DA6BA

Part of subcall function 00459CB3: _wcslen.LIBCMT ref: 00459CBD

Process32NextW.KERNEL32(00000000,?), ref: 004DA79C
CloseHandle.KERNELBASE(00000000), ref: 004DA7AB

Part of subcall function 0046CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00493303,?), ref: 0046CE8A

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: b691be5e00d94b7a5a288012eefbd537297bd4d9ff9dcc96bb5f769a5113ba30
Instruction ID: 4478ea259b1a0eb969ebefd218f50d2d234e6a33aae6f16197952c481868f590
Opcode Fuzzy Hash: b691be5e00d94b7a5a288012eefbd537297bd4d9ff9dcc96bb5f769a5113ba30
Instruction Fuzzy Hash: B6515171508340AFD710EF25C885E6BBBE8FF89758F40492EF98597252EB34D908CB96

Function 004BDBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00495222), ref: 004BDBCE
GetFileAttributesW.KERNELBASE(?), ref: 004BDBDD
FindFirstFileW.KERNEL32(?,?), ref: 004BDBEE
FindClose.KERNEL32(00000000), ref: 004BDBFA

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: f572ec6a6af1ec7d641e2995c03cc61b68073f9cd961d24c1a5e8ff3ca892f18
Instruction ID: f54d74e09a39eb7098b7938a4a7c708cd0d454235fcd07612b4443e16b771aa1
Opcode Fuzzy Hash: f572ec6a6af1ec7d641e2995c03cc61b68073f9cd961d24c1a5e8ff3ca892f18
Instruction Fuzzy Hash: 27F0A030C109105782206B78AC8E8AB7B7C9F01334B144793F936C21E1FBB45D5686AE

Function 00474CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(004828E9,?,00474CBE,004828E9,005188B8,0000000C,00474E15,004828E9,00000002,00000000,?,004828E9), ref: 00474D09
TerminateProcess.KERNEL32(00000000,?,00474CBE,004828E9,005188B8,0000000C,00474E15,004828E9,00000002,00000000,?,004828E9), ref: 00474D10
ExitProcess.KERNEL32 ref: 00474D22

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: a5b0d848b6d6f24bbbd69dc1890deb46f65ec6a1930addb5de1de63a03a870a7
Instruction ID: f9ac48711cc89c216f23b9ee7c5db876e3f388eef9f0a453737d4d70674d6f2f
Opcode Fuzzy Hash: a5b0d848b6d6f24bbbd69dc1890deb46f65ec6a1930addb5de1de63a03a870a7
Instruction Fuzzy Hash: A2E0BF31000188AFCF21AF55DD99A993B69EB81785B118429FC599A223DB39DD52CB48

Function 0045BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#R, xrefs: 004A07CE

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#R
API String ID: 3964851224-2424108795
Opcode ID: 3e2553245ebddd5ce4896c1c450391866d174c49bcb62234ae929a2ea989b12d
Instruction ID: abc149ceb21e22572eb5a364cb2c206103e634605bb3cb6e437ec7c0c02eecdd
Opcode Fuzzy Hash: 3e2553245ebddd5ce4896c1c450391866d174c49bcb62234ae929a2ea989b12d
Instruction Fuzzy Hash: 0AA25C746083019FD710DF15C480B2BBBE1BF99304F14896EE89A9B352D779EC49CB9A

Function 004DAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 004DB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 004DB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 004DB1D4
_wcslen.LIBCMT ref: 004DB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 004DB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 004DB236
_wcslen.LIBCMT ref: 004DB332

Part of subcall function 004C05A7: GetStdHandle.KERNEL32(000000F6), ref: 004C05C6

_wcslen.LIBCMT ref: 004DB34B
_wcslen.LIBCMT ref: 004DB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 004DB3B6
GetLastError.KERNEL32(00000000), ref: 004DB407
CloseHandle.KERNEL32(?), ref: 004DB439
CloseHandle.KERNEL32(00000000), ref: 004DB44A
CloseHandle.KERNEL32(00000000), ref: 004DB45C
CloseHandle.KERNEL32(00000000), ref: 004DB46E
CloseHandle.KERNEL32(?), ref: 004DB4E3

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: c0d0d5355ae160396bdd587a7150b75ccf026e27ee63172db55c99d24d9d0f36
Instruction ID: 1223fe317e36cd8a32e96894f930c76ef53b35b83cc548d323f274e47701be3a
Opcode Fuzzy Hash: c0d0d5355ae160396bdd587a7150b75ccf026e27ee63172db55c99d24d9d0f36
Instruction Fuzzy Hash: 69F17931504240DFC715EF25C891A6ABBE0EF85318F15855FE8958B3A2DB39EC05CB9A

Function 0045D730 Relevance: 21.6, APIs: 14, Instructions: 627windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0045D807
timeGetTime.WINMM ref: 0045DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0045DB28
TranslateMessage.USER32(?), ref: 0045DB7B
DispatchMessageW.USER32(?), ref: 0045DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0045DB9F
Sleep.KERNELBASE(0000000A), ref: 0045DBB1

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 2e0349e964dcade04ceed5e62a0c26b47fc4d7089606bab3c195e9d775a39f78
Instruction ID: 5980e07657dc114a6b6143f1586959ae71397f788b64b2575bacb261495b16e1
Opcode Fuzzy Hash: 2e0349e964dcade04ceed5e62a0c26b47fc4d7089606bab3c195e9d775a39f78
Instruction Fuzzy Hash: 6342F370A04241DFD734CF25C884BABB7A1BF56305F14451FE856873A2D7B8E849DB8A

Function 00452CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00452D07
RegisterClassExW.USER32(00000030), ref: 00452D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00452D42
InitCommonControlsEx.COMCTL32(?), ref: 00452D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00452D6F
LoadIconW.USER32(000000A9), ref: 00452D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00452D94

Strings

+, xrefs: 00452CF0
AutoIt v3 GUI, xrefs: 00452D23
0, xrefs: 00452CE9
TaskbarCreated, xrefs: 00452D37

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 463af00f0d8c18ee1c456aa3683d0cbcc8a1d9b1ff42be713a645beb3481d670
Instruction ID: 08a2d57615731d76dc1c9b0d1d903e2b97c2b75c2ff148221c1dc60556150d29
Opcode Fuzzy Hash: 463af00f0d8c18ee1c456aa3683d0cbcc8a1d9b1ff42be713a645beb3481d670
Instruction Fuzzy Hash: 5E21F7B1901349AFDB10DFA4EC89BDEBBB4FB19701F00812AF511AA2A0D7B50546DF99

Function 0049065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0049039A: CreateFileW.KERNELBASE(00000000,00000000,?,00490704,?,?,00000000,?,00490704,00000000,0000000C), ref: 004903B7

GetLastError.KERNEL32 ref: 0049076F
__dosmaperr.LIBCMT ref: 00490776
GetFileType.KERNELBASE(00000000), ref: 00490782
GetLastError.KERNEL32 ref: 0049078C
__dosmaperr.LIBCMT ref: 00490795
CloseHandle.KERNEL32(00000000), ref: 004907B5
CloseHandle.KERNEL32(?), ref: 004908FF
GetLastError.KERNEL32 ref: 00490931
__dosmaperr.LIBCMT ref: 00490938

Strings

H, xrefs: 004908BD

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: af282b47550ed7f352f6e64701acbcb583d790c52155a3869c27289e2231030d
Instruction ID: dfa2e89df4b69bac3fa26ed0e1969bd96c321a3133d136d2bc8529c79230d3b8
Opcode Fuzzy Hash: af282b47550ed7f352f6e64701acbcb583d790c52155a3869c27289e2231030d
Instruction Fuzzy Hash: ABA12732A001048FDF29EF68D8917AE7FA0AB46324F14416EF8159B3D2D7399C17DB99

Function 0045344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00453A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00521418,?,00452E7F,?,?,?,00000000), ref: 00453A78

Part of subcall function 00453357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00453379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0045356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0049318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 004931CE
RegCloseKey.ADVAPI32(?), ref: 00493210
_wcslen.LIBCMT ref: 00493277
_wcslen.LIBCMT ref: 00493286

Strings

\, xrefs: 0049328C
Include, xrefs: 00493184, 004931C5
\Include\, xrefs: 00453527
Software\AutoIt v3\AutoIt, xrefs: 00453560

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 4787ad1ca579117cc4c73dd96494dff993292c67d87ad12d8df9a177925c98fd
Instruction ID: 9e985ed61b641c7ead6cb54fa2a3443744b40e0c07aac146d53caef695313082
Opcode Fuzzy Hash: 4787ad1ca579117cc4c73dd96494dff993292c67d87ad12d8df9a177925c98fd
Instruction Fuzzy Hash: 7D71A271404300AEC714DF66EC8196BBBE8FFA6345F50082FF94587161EB389A4DCB5A

Function 00452B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00452B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00452B9D
LoadIconW.USER32(00000063), ref: 00452BB3
LoadIconW.USER32(000000A4), ref: 00452BC5
LoadIconW.USER32(000000A2), ref: 00452BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00452BEF
RegisterClassExW.USER32(?), ref: 00452C40

Part of subcall function 00452CD4: GetSysColorBrush.USER32(0000000F), ref: 00452D07
Part of subcall function 00452CD4: RegisterClassExW.USER32(00000030), ref: 00452D31
Part of subcall function 00452CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00452D42
Part of subcall function 00452CD4: InitCommonControlsEx.COMCTL32(?), ref: 00452D5F
Part of subcall function 00452CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00452D6F
Part of subcall function 00452CD4: LoadIconW.USER32(000000A9), ref: 00452D85
Part of subcall function 00452CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00452D94

Strings

AutoIt v3, xrefs: 00452C2F
#, xrefs: 00452C16
0, xrefs: 00452C0F

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 6f2bb169402da565ff5b4824348857a83772fccae544e9ef5fa34f83f117c5fd
Instruction ID: bbe770da247e8ab765be7760bb19ae07f899debc41133c7f5c59f942ee3ea077
Opcode Fuzzy Hash: 6f2bb169402da565ff5b4824348857a83772fccae544e9ef5fa34f83f117c5fd
Instruction Fuzzy Hash: B2216070D00754ABCB20DF95EC84AAA7FB5FF39B51F00042AE500A6261D3B5054AEF8C

Function 0045B710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0045BB4E

Strings

p#R, xrefs: 004A024F
p%R, xrefs: 0045BB32
x#R, xrefs: 004A0168
p#R, xrefs: 004A0263
p#R, xrefs: 0045BA72
p%R, xrefs: 0045B8DC
x#R, xrefs: 004A0207
p#R, xrefs: 0045BB6B

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#R$p#R$p#R$p#R$p%R$p%R$x#R$x#R
API String ID: 1385522511-3327339328
Opcode ID: bb5454833a6754df7fbfbfb6c2e61036757f131a8dca790e7b0db3f72abfcfdb
Instruction ID: 48c34529fc222ab3d0f06bb8e80433b5bba247e60ee34224d2c712e69376c51e
Opcode Fuzzy Hash: bb5454833a6754df7fbfbfb6c2e61036757f131a8dca790e7b0db3f72abfcfdb
Instruction Fuzzy Hash: A132CE74A00209AFCB20CF54C894ABEB7B5EF55305F14805BED05AB352D77CAD4ACB9A

Function 00453170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0045316A,?,?), ref: 004531D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0045316A,?,?), ref: 00453204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00453227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0045316A,?,?), ref: 00453232
CreatePopupMenu.USER32 ref: 00453246
PostQuitMessage.USER32(00000000), ref: 00453267

Strings

TaskbarCreated, xrefs: 0045322D

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: b9cbcbe8ee3623b8c0cbaec0b709ca800f375e21867b16f037cc22d5cbfe3e7a
Instruction ID: 2e9e445818c933befdf3cbbd8faf241046543153f75236d5f89c6358da241ee6
Opcode Fuzzy Hash: b9cbcbe8ee3623b8c0cbaec0b709ca800f375e21867b16f037cc22d5cbfe3e7a
Instruction Fuzzy Hash: 20413C31200A44B6DF245F789D8977B3A55EB26387F04053BFD0285293CB7C9E4A976E

Function 00451410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00451459
CoUninitialize.COMBASE ref: 004514F8
UnregisterHotKey.USER32(?), ref: 004516DD
DestroyWindow.USER32(?), ref: 004924B9
FreeLibrary.KERNEL32(?), ref: 0049251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0049254B

Strings

close all, xrefs: 00451454

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 567e6c426522b0beccdc55b90c229978c71a54f9ce8a939332a84e0a9663e1b3
Instruction ID: dcb96fcdc5d4231dd291d8f14bbe37df9fcb39f433a703cfe25e8be97957300e
Opcode Fuzzy Hash: 567e6c426522b0beccdc55b90c229978c71a54f9ce8a939332a84e0a9663e1b3
Instruction Fuzzy Hash: E9D1BD31701212EFCB19EF15C594B29FBA0BF05315F1541AFE84A6B262DB38AC1ACF59

Function 00452C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00452C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00452CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00451CAD,?), ref: 00452CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00451CAD,?), ref: 00452CCF

Strings

AutoIt v3, xrefs: 00452C89, 00452C8E, 00452C8F
edit, xrefs: 00452CAC

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: c322a459154e2023331b41ba5cae26efdd608427491458ce4be9cf1917d9e86c
Instruction ID: 77ce28273410a2a23bae70a799f65388917272fbd7a0899a37fd4ebf9f721931
Opcode Fuzzy Hash: c322a459154e2023331b41ba5cae26efdd608427491458ce4be9cf1917d9e86c
Instruction Fuzzy Hash: D8F03AB55403D47AEB304713AC88E772EBEDBFBF51F01046AF900A61A0C6750846EAB8

Function 00453B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00453B0F,SwapMouseButtons,00000004,?), ref: 00453B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00453B0F,SwapMouseButtons,00000004,?), ref: 00453B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00453B0F,SwapMouseButtons,00000004,?), ref: 00453B83

Strings

Control Panel\Mouse, xrefs: 00453B3E

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 0799aed9cfb6e8a3db0299d0f0c9765f66eec20c0aefd290f15f7e6fd8cca84c
Instruction ID: c0f1b17a16642853538207c4c90912c435799b0c933145cfe96032cee888ed44
Opcode Fuzzy Hash: 0799aed9cfb6e8a3db0299d0f0c9765f66eec20c0aefd290f15f7e6fd8cca84c
Instruction Fuzzy Hash: 44113CB5510218FFDB20CFA5DC84EAFB7B8EF04786B10456AF805D7212D235AF459768

Function 00453923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 004933A2

Part of subcall function 00456B57: _wcslen.LIBCMT ref: 00456B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00453A04

Strings

Line: , xrefs: 004933EB

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 8ba21cc2cef034992c936c5608b9ec9c5078df54a070a618b92ab4032903ae1c
Instruction ID: 562472130365bf0e86ae9b11a79810b69766e2e0060a534b3e6ad91e703bf383
Opcode Fuzzy Hash: 8ba21cc2cef034992c936c5608b9ec9c5078df54a070a618b92ab4032903ae1c
Instruction Fuzzy Hash: F631A5B1408304AAC721EF20D845ADB77D8AF6175AF00492FF99983192DB789A5DC7CA

Function 00452DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00492C8C

Part of subcall function 00453AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00453A97,?,?,00452E7F,?,?,?,00000000), ref: 00453AC2

Part of subcall function 00452DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00452DC4

Strings

`eQ, xrefs: 00492C85
X, xrefs: 00492C5A

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`eQ
API String ID: 779396738-2904587998
Opcode ID: 205e8b6377a105ec0b3764a539352365e3c0d6c0a22f379875c480bbd2262247
Instruction ID: a3580d9681f84e20467c58091f6e55e0b5d8aaaf6a99f5c909ac9f153a438ac3
Opcode Fuzzy Hash: 205e8b6377a105ec0b3764a539352365e3c0d6c0a22f379875c480bbd2262247
Instruction Fuzzy Hash: 8B21C671A00258AFDF01DF95C8457EE7BF9AF49309F00405BE805AB242DBF8598DCB69

Function 0046FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00470668

Part of subcall function 004732A4: RaiseException.KERNEL32(?,?,?,0047068A,?,00521444,?,?,?,?,?,?,0047068A,00451129,00518738,00451129), ref: 00473304

__CxxThrowException@8.LIBVCRUNTIME ref: 00470685

Strings

Unknown exception, xrefs: 00470692

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: dc8dee81f49ce8fd17bcd1b0438ed9be92ada9b5d8fff9127f86f8566e498967
Instruction ID: 5220ed482f5407b49d237c55b34df547e405ade97d102bdbfef022d020e60072
Opcode Fuzzy Hash: dc8dee81f49ce8fd17bcd1b0438ed9be92ada9b5d8fff9127f86f8566e498967
Instruction Fuzzy Hash: 41F0283490020DB3CB10FA66E856CEE7B6C5F40314B60C17BB81C916D2FF39EA69C589

Function 004510F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00451BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00451BF4
Part of subcall function 00451BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00451BFC
Part of subcall function 00451BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00451C07
Part of subcall function 00451BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00451C12
Part of subcall function 00451BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00451C1A
Part of subcall function 00451BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00451C22

Part of subcall function 00451B4A: RegisterWindowMessageW.USER32(00000004,?,004512C4), ref: 00451BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0045136A
OleInitialize.OLE32 ref: 00451388
CloseHandle.KERNEL32(00000000,00000000), ref: 004924AB

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: d1699818e87d312855ce56bf6d601c99715676c024e49e7e00d9e0b109ba0386
Instruction ID: af38272d358302648d61d3e55cb7377ba26c97f0af2ec5e3653785c545e02c8c
Opcode Fuzzy Hash: d1699818e87d312855ce56bf6d601c99715676c024e49e7e00d9e0b109ba0386
Instruction Fuzzy Hash: FE71A4B4A01A448E87A4DF7AA9856573AE0BFBA34571481BED40AC7272E734440BEF4D

Function 004BC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00453923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00453A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 004BC259
KillTimer.USER32(?,00000001,?,?), ref: 004BC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004BC270

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 80ccbce31762704d809449023795cb45acb94794961bf476a78ded2564dc738f
Instruction ID: 5e6f32e07e5137f610692a43991ba34cfe116407b2e372f371ad7251a35df908
Opcode Fuzzy Hash: 80ccbce31762704d809449023795cb45acb94794961bf476a78ded2564dc738f
Instruction Fuzzy Hash: A631B670904344AFEB36CF6488D57E7BBEC9F16304F0004DED59997241C7785A85CB69

Function 004886AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,004885CC,?,00518CC8,0000000C), ref: 00488704
GetLastError.KERNEL32(?,004885CC,?,00518CC8,0000000C), ref: 0048870E
__dosmaperr.LIBCMT ref: 00488739

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 71a1f6f2b23dc79ec7bc7eb4a5563044adddc391bc2dae2b8d7242c37dc129a5
Instruction ID: 356a3c93e517c8c4d6692af7eea8809ab1eaf1fb0300c6988788959f09af4ad1
Opcode Fuzzy Hash: 71a1f6f2b23dc79ec7bc7eb4a5563044adddc391bc2dae2b8d7242c37dc129a5
Instruction Fuzzy Hash: D0016B32A0526016C2307234688577F27594F92778F78091FFC14AB2D3EEAD9C82839C

Function 0045DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0045DB7B
DispatchMessageW.USER32(?), ref: 0045DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0045DB9F
Sleep.KERNELBASE(0000000A), ref: 0045DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 004A1CC9

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: ebfc4e0b21b48cce5640dd66c65eda77cc87f6d4cafa811cd18ba6eab439d684
Instruction ID: 195a102cc8fcab77d00340c4ea1adcb7afee5911d8563c62276b500840354e73
Opcode Fuzzy Hash: ebfc4e0b21b48cce5640dd66c65eda77cc87f6d4cafa811cd18ba6eab439d684
Instruction Fuzzy Hash: 97F054305043819BE730C7608CC5F9B73A9EF55311F10452AE619C71D1DB34A4898B1D

Function 00461310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004617F6

Strings

CALL, xrefs: 004617C6

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 5dd18c7028f91f4e35a4d68e649925a3adbc52755375812fba2e85f26a6c569c
Instruction ID: 10e9fc102b3395bf0d17a109ab266fdf0b4f2ec4b8cde5f4ddcce9dae578dd79
Opcode Fuzzy Hash: 5dd18c7028f91f4e35a4d68e649925a3adbc52755375812fba2e85f26a6c569c
Instruction Fuzzy Hash: 85228E746083419FC714DF15C480A2ABBF1BF96318F18895EF4968B362E739E845CB9B

Function 00453837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00453908

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 95e534285d6c30a57fbb1856aa1cb269a7f67bbe4a953456d1f14b77794f2ce1
Instruction ID: a194c76246cf44fbb20a047d36fa0d4a6740170c72302b8bb6b697c6b90993b6
Opcode Fuzzy Hash: 95e534285d6c30a57fbb1856aa1cb269a7f67bbe4a953456d1f14b77794f2ce1
Instruction Fuzzy Hash: 3A31ABB05047009FD721EF24C884797BBE8FF6934AF00082EF99987241E775AA48CB5A

Function 0046F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0046F661

Part of subcall function 0045D730: GetInputState.USER32 ref: 0045D807

Sleep.KERNEL32(00000000), ref: 004AF2DE

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: d2e00ea8ebb1773f55f4b146aa6587bbf05879f8591d74315f60169862fb449a
Instruction ID: 3daee4119fc1d656d5dc3714a105318142d12106074b4d4fa3648abbcb5be30e
Opcode Fuzzy Hash: d2e00ea8ebb1773f55f4b146aa6587bbf05879f8591d74315f60169862fb449a
Instruction Fuzzy Hash: DEF08231240205AFD314EF75D485B5AB7E4FF49765F00006AE859C7262EB70A805CF99

Function 00454ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00454E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00454EDD,?,00521418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00454E9C
Part of subcall function 00454E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00454EAE
Part of subcall function 00454E90: FreeLibrary.KERNEL32(00000000,?,?,00454EDD,?,00521418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00454EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00521418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00454EFD

Part of subcall function 00454E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00493CDE,?,00521418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00454E62
Part of subcall function 00454E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00454E74
Part of subcall function 00454E59: FreeLibrary.KERNEL32(00000000,?,?,00493CDE,?,00521418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00454E87

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 7f1896725e6cd02e8f20360d7be145f0021db3132b12ec6796fc009369927c22
Instruction ID: 7559ef5f32c1462cb249920424995085a12c2fae82e09cea11d34877515ad268
Opcode Fuzzy Hash: 7f1896725e6cd02e8f20360d7be145f0021db3132b12ec6796fc009369927c22
Instruction Fuzzy Hash: B011EB32600205ABCF14BF66DC53FAD77A59F8071AF10842FF942AE1C2DE789A499758

Function 00488402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00488440

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 5ee07bfb49be4b8602c249d6db26edc0cd981134cc95ac10a3e076f3ce2d367d
Instruction ID: 707ff21fd283d62cfe94f01590eb69c08462ab8dc3b1f63ce7ea99ed47bfc7df
Opcode Fuzzy Hash: 5ee07bfb49be4b8602c249d6db26edc0cd981134cc95ac10a3e076f3ce2d367d
Instruction Fuzzy Hash: 5F11067690410AAFCB15DF58E94199E7BF5EF48314F14446AF808AB312EB31DA118BA9

Function 0047E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 2115e8e3ed21d20f8846de019e3ba887a20b6de552d706a6a26ecddba9e2821b
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 79F0F932511A1096C6313A678D05BDB379C9F66338F508B5FF429922D2DB7C940286AD

Function 00483820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00521444,?,0046FDF5,?,?,0045A976,00000010,00521440,004513FC,?,004513C6,?,00451129), ref: 00483852

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e74e59de187e105619b91972772a3327fd729fd0791e10f123f8721425958373
Instruction ID: d63d6ae5dcf8e424601dc8d0ea21ae216a44ab9bf72d0364f4a5f26442a11b8a
Opcode Fuzzy Hash: e74e59de187e105619b91972772a3327fd729fd0791e10f123f8721425958373
Instruction Fuzzy Hash: ADE0A02120122457D6313F679C05BAF36C9AF82FB2B150827B818A66C1DB299D0283AD

Function 00454F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00521418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00454F6D

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 3dbda6d2fd20ab124da9210a4402cae117ed61e0d31c4b18bf1dea6d1e9ad21e
Instruction ID: d43e15464fd6c0844f66e967ed6465676f66fe105be293bc9392816981101b8b
Opcode Fuzzy Hash: 3dbda6d2fd20ab124da9210a4402cae117ed61e0d31c4b18bf1dea6d1e9ad21e
Instruction Fuzzy Hash: C6F03072105751CFDB349F69D490852B7F4AF5431E320897FE5DA8A612C7359888DF18

Function 004530F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0045314E

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 1a3d6e975c885f104cbb4bc389e0964c81c7e237963c575ce84e9f0527e3f0a1
Instruction ID: a71678b22f6ff5a728db4469e928b966556f471d5e7e8f12776dee780b14ac12
Opcode Fuzzy Hash: 1a3d6e975c885f104cbb4bc389e0964c81c7e237963c575ce84e9f0527e3f0a1
Instruction Fuzzy Hash: D4F0A7709003489FE762DF24DC457D67BBCAB2170CF0000E9A54896282DB74478DCF49

Function 00452DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00452DC4

Part of subcall function 00456B57: _wcslen.LIBCMT ref: 00456B6A

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: ec3b41116186914c3087b6de08ba59543dda6686ca0dddcc43b85e5d74396574
Instruction ID: b3813515f1348c2ac89e49333c25e93f327d61641e06e34ca18d75f3502414e1
Opcode Fuzzy Hash: ec3b41116186914c3087b6de08ba59543dda6686ca0dddcc43b85e5d74396574
Instruction Fuzzy Hash: AFE0CD72A001245BCB1092599C46FEA77DDDFC8794F0500B6FD09D7259D974AD848554

Function 00452B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00453837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00453908

Part of subcall function 0045D730: GetInputState.USER32 ref: 0045D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00452B6B

Part of subcall function 004530F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0045314E

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: de88e33a61a507842cf307a2689cedfe51525e2ff8af7e874b49bcd1c7852f81
Instruction ID: 311c8405c699b76d09896de26d6ee01353f826dbfb62dba082d4cd8c6736256f
Opcode Fuzzy Hash: de88e33a61a507842cf307a2689cedfe51525e2ff8af7e874b49bcd1c7852f81
Instruction Fuzzy Hash: B3E0262270024402CA08BF32A8524AEA7999FE239BF40143FF846831A3CE2C494E825D

Function 0049039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00490704,?,?,00000000,?,00490704,00000000,0000000C), ref: 004903B7

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b841b5f9841a6a31ff49aa2214b9c9b803d76fe03a5d33a6fba41f71652427e1
Instruction ID: 41e867569942dd4c2af2621085654f525b1d514d630f7fd60b34fc218c90a9e6
Opcode Fuzzy Hash: b841b5f9841a6a31ff49aa2214b9c9b803d76fe03a5d33a6fba41f71652427e1
Instruction Fuzzy Hash: 50D06C3204014DBBDF028F84DD46EDA3FAAFB48714F014010BE1856021C732E822AB95

Function 00451CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00451CBC

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: edd1eab9dda2fca5371daeff0941b5cffc8723caa7c4f548af05ec2db33ca9bb
Instruction ID: 63f487b4642e5a227f0ba0cab41c4bf1dc08bf45c4ab9a9faacce5b4714f74c4
Opcode Fuzzy Hash: edd1eab9dda2fca5371daeff0941b5cffc8723caa7c4f548af05ec2db33ca9bb
Instruction Fuzzy Hash: 3DC09B35380344BFF2248780BCCAF117755A77DB01F048401F6095D5E3C3A11415FB54

Non-executed Functions

Function 004E9576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00469BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00469BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 004E961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004E965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 004E969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004E96C9
SendMessageW.USER32 ref: 004E96F2
GetKeyState.USER32(00000011), ref: 004E978B
GetKeyState.USER32(00000009), ref: 004E9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004E97AE
GetKeyState.USER32(00000010), ref: 004E97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004E97E9
SendMessageW.USER32 ref: 004E9810
SendMessageW.USER32(?,00001030,?,004E7E95), ref: 004E9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 004E992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 004E9941
SetCapture.USER32(?), ref: 004E994A
ClientToScreen.USER32(?,?), ref: 004E99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 004E99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004E99D6
ReleaseCapture.USER32 ref: 004E99E1
GetCursorPos.USER32(?), ref: 004E9A19
ScreenToClient.USER32(?,?), ref: 004E9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 004E9A80
SendMessageW.USER32 ref: 004E9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 004E9AEB
SendMessageW.USER32 ref: 004E9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 004E9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 004E9B4A
GetCursorPos.USER32(?), ref: 004E9B68
ScreenToClient.USER32(?,?), ref: 004E9B75
GetParent.USER32(?), ref: 004E9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 004E9BFA
SendMessageW.USER32 ref: 004E9C2B
ClientToScreen.USER32(?,?), ref: 004E9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 004E9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 004E9CDE
SendMessageW.USER32 ref: 004E9D01
ClientToScreen.USER32(?,?), ref: 004E9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 004E9D82

Part of subcall function 00469944: GetWindowLongW.USER32(?,000000EB), ref: 00469952

GetWindowLongW.USER32(?,000000F0), ref: 004E9E05

Strings

@GUI_DRAGID, xrefs: 004E997D
F, xrefs: 004E9D07
p#R, xrefs: 004E9990

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#R
API String ID: 3429851547-1852618069
Opcode ID: 3d9488a3f4dfaf2c87bd0ed0c58f60e2569490239354f7a57e17164979a33dfe
Instruction ID: 6538b8c0ee4d959630ecdef6f938506b7e74973bb2340ced3714eaecb106ac75
Opcode Fuzzy Hash: 3d9488a3f4dfaf2c87bd0ed0c58f60e2569490239354f7a57e17164979a33dfe
Instruction Fuzzy Hash: 90428D70204281AFD724CF26CC84AABBBF5FF49315F14061AFA598B2E1D735AC55CB4A

Function 004E4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 004E48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 004E4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 004E4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 004E494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 004E495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 004E497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 004E49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 004E49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 004E4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 004E4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 004E4A7E
IsMenu.USER32(?), ref: 004E4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004E4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004E4B20
GetWindowLongW.USER32(?,000000F0), ref: 004E4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 004E4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 004E4C82
wsprintfW.USER32 ref: 004E4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004E4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 004E4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 004E4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004E4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 004E4D5A

Strings

%d/%02d/%02d, xrefs: 004E4CA8

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 4ac5ea1c437d714a547b635f2c763247be8366105c454415cc7ef0aa886cb687
Instruction ID: d2aab39d6b9359b45c2c0192ea6f817cd7a890055db4f8923af366142a917a3c
Opcode Fuzzy Hash: 4ac5ea1c437d714a547b635f2c763247be8366105c454415cc7ef0aa886cb687
Instruction Fuzzy Hash: BC12F171900294ABEB248F36CC89FAF7BB8EF85711F10412AF915DB2D1D7789941CB58

Function 0046F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0046F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004AF474
IsIconic.USER32(00000000), ref: 004AF47D
ShowWindow.USER32(00000000,00000009), ref: 004AF48A
SetForegroundWindow.USER32(00000000), ref: 004AF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004AF4AA
GetCurrentThreadId.KERNEL32 ref: 004AF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004AF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 004AF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 004AF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 004AF4DE
SetForegroundWindow.USER32(00000000), ref: 004AF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 004AF4F6
keybd_event.USER32(00000012,00000000), ref: 004AF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 004AF50B
keybd_event.USER32(00000012,00000000), ref: 004AF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 004AF519
keybd_event.USER32(00000012,00000000), ref: 004AF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 004AF528
keybd_event.USER32(00000012,00000000), ref: 004AF52D
SetForegroundWindow.USER32(00000000), ref: 004AF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 004AF557

Strings

Shell_TrayWnd, xrefs: 004AF46F

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: a19bf409e1061dac75d92f49d337adf17e5d91df4d94d51bc02860ec355c0458
Instruction ID: 2d6782e2a977b79f100172cc7694a7294bb5cc5dff254114117685ae812fd992
Opcode Fuzzy Hash: a19bf409e1061dac75d92f49d337adf17e5d91df4d94d51bc02860ec355c0458
Instruction Fuzzy Hash: 47315371A40258BFEB206BF55C89FBF7E6DEB45B50F100036FA00EA1D2C6B45D01AA69

Function 004B1201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 004B16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004B170D
Part of subcall function 004B16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004B173A
Part of subcall function 004B16C3: GetLastError.KERNEL32 ref: 004B174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 004B1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 004B12A8
CloseHandle.KERNEL32(?), ref: 004B12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004B12D1
GetProcessWindowStation.USER32 ref: 004B12EA
SetProcessWindowStation.USER32(00000000), ref: 004B12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004B1310

Part of subcall function 004B10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004B11FC), ref: 004B10D4
Part of subcall function 004B10BF: CloseHandle.KERNEL32(?,?,004B11FC), ref: 004B10E9

Strings

default, xrefs: 004B130B
ZQ, xrefs: 004B1392
winsta0, xrefs: 004B12CC
, xrefs: 004B125A

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$ZQ
API String ID: 22674027-4020664062
Opcode ID: a4653ddfde6cc617b38fe9e7f8bc59f6de4a28e4c8bb6578687efb4dbb981acc
Instruction ID: 80187f8af2834ab8bfdff2b17d24ae08020c9ca974ba784fa4a042a3121954f1
Opcode Fuzzy Hash: a4653ddfde6cc617b38fe9e7f8bc59f6de4a28e4c8bb6578687efb4dbb981acc
Instruction Fuzzy Hash: 0481A071900249AFDF209FA8DC99FEF7BB9EF04704F14412AF910A62A1D7398945CB29

Function 004B0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004B10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 004B1114
Part of subcall function 004B10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,004B0B9B,?,?,?), ref: 004B1120
Part of subcall function 004B10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,004B0B9B,?,?,?), ref: 004B112F
Part of subcall function 004B10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,004B0B9B,?,?,?), ref: 004B1136
Part of subcall function 004B10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 004B114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 004B0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004B0C00
GetLengthSid.ADVAPI32(?), ref: 004B0C17
GetAce.ADVAPI32(?,00000000,?), ref: 004B0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 004B0C6D
GetLengthSid.ADVAPI32(?), ref: 004B0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 004B0C8C
HeapAlloc.KERNEL32(00000000), ref: 004B0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 004B0CB4
CopySid.ADVAPI32(00000000), ref: 004B0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004B0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004B0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 004B0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004B0D45
HeapFree.KERNEL32(00000000), ref: 004B0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004B0D55
HeapFree.KERNEL32(00000000), ref: 004B0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004B0D65
HeapFree.KERNEL32(00000000), ref: 004B0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 004B0D78
HeapFree.KERNEL32(00000000), ref: 004B0D7F

Part of subcall function 004B1193: GetProcessHeap.KERNEL32(00000008,004B0BB1,?,00000000,?,004B0BB1,?), ref: 004B11A1
Part of subcall function 004B1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,004B0BB1,?), ref: 004B11A8
Part of subcall function 004B1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,004B0BB1,?), ref: 004B11B7

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 8051f232667d2b1c636ba609bf5125dc004926a9468042665580faad421abac5
Instruction ID: 84c0d3e561b2faf048b98a153b64ff1e2ae3372fd14ba70e1a0b2b96bff2002a
Opcode Fuzzy Hash: 8051f232667d2b1c636ba609bf5125dc004926a9468042665580faad421abac5
Instruction Fuzzy Hash: 66715E7190020AABDF10DFE4DC84BEFBBBCBF05301F044526E915AA291D779AA06CB74

Function 004CEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(004ECC08), ref: 004CEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 004CEB37
GetClipboardData.USER32(0000000D), ref: 004CEB43
CloseClipboard.USER32 ref: 004CEB4F
GlobalLock.KERNEL32(00000000), ref: 004CEB87
CloseClipboard.USER32 ref: 004CEB91
GlobalUnlock.KERNEL32(00000000), ref: 004CEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 004CEBC9
GetClipboardData.USER32(00000001), ref: 004CEBD1
GlobalLock.KERNEL32(00000000), ref: 004CEBE2
GlobalUnlock.KERNEL32(00000000), ref: 004CEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 004CEC38
GetClipboardData.USER32(0000000F), ref: 004CEC44
GlobalLock.KERNEL32(00000000), ref: 004CEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 004CEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 004CEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 004CECD2
GlobalUnlock.KERNEL32(00000000), ref: 004CECF3
CountClipboardFormats.USER32 ref: 004CED14
CloseClipboard.USER32 ref: 004CED59

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 6ccc6664e9cc555a3de724c3eaac5b2c5c1b7802a52325c7f06ba5e22825c892
Instruction ID: 4387b5da88312b5bc649576bb63ed40e9cff92d0fa32ab8da935c6df2dbf6b74
Opcode Fuzzy Hash: 6ccc6664e9cc555a3de724c3eaac5b2c5c1b7802a52325c7f06ba5e22825c892
Instruction Fuzzy Hash: F861C4381043419FD310EF26C8C5F3A77A4AF84714F14456EF9568B2A2DB39ED0ACB6A

Function 004C698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004C69BE
FindClose.KERNEL32(00000000), ref: 004C6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004C6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004C6A75

Part of subcall function 00459CB3: _wcslen.LIBCMT ref: 00459CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 004C6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 004C6ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 004C6B6A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 004C6B32
%4d, xrefs: 004C6BB1
%03d, xrefs: 004C6DA2
%02d, xrefs: 004C6C00, 004C6C0A, 004C6C5A, 004C6CAA, 004C6CFA, 004C6D4A

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 54c95e31f828f37ce52f3c51f47112846ecb92f70a4ce19f120f3404ee0a4a2c
Instruction ID: 27f761ee1ba1b5a94de91e4efc8cf90f5fdf66fa3f25dc4024fc98497436eade
Opcode Fuzzy Hash: 54c95e31f828f37ce52f3c51f47112846ecb92f70a4ce19f120f3404ee0a4a2c
Instruction Fuzzy Hash: B7D177725083409FC310EBA5D881EAFB7ECAF88705F44491EF985C7192EB79DA48C766

Function 004C9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 004C9663
GetFileAttributesW.KERNEL32(?), ref: 004C96A1
SetFileAttributesW.KERNEL32(?,?), ref: 004C96BB
FindNextFileW.KERNEL32(00000000,?), ref: 004C96D3
FindClose.KERNEL32(00000000), ref: 004C96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 004C96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 004C974A
SetCurrentDirectoryW.KERNEL32(00516B7C), ref: 004C9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 004C9772
FindClose.KERNEL32(00000000), ref: 004C977F
FindClose.KERNEL32(00000000), ref: 004C978F

Strings

*.*, xrefs: 004C96F5

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 2da0c42a2aa24b5aeb801155dcaf83df27203e075a3a98be7b2d31bd36c6f14b
Instruction ID: b0c6c012d73af37984bd83260711e276165f766bd91c498298abc9f667b3d525
Opcode Fuzzy Hash: 2da0c42a2aa24b5aeb801155dcaf83df27203e075a3a98be7b2d31bd36c6f14b
Instruction Fuzzy Hash: 5631D236642249BADB10AFB5DC8DFDF37ACAF09320F1040AAE914E6191DB78DD418A1C

Function 004C979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 004C97BE
FindNextFileW.KERNEL32(00000000,?), ref: 004C9819
FindClose.KERNEL32(00000000), ref: 004C9824
FindFirstFileW.KERNEL32(*.*,?), ref: 004C9840
SetCurrentDirectoryW.KERNEL32(?), ref: 004C9890
SetCurrentDirectoryW.KERNEL32(00516B7C), ref: 004C98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 004C98B8
FindClose.KERNEL32(00000000), ref: 004C98C5
FindClose.KERNEL32(00000000), ref: 004C98D5

Part of subcall function 004BDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 004BDB00

Strings

*.*, xrefs: 004C983B

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: bc0e12e4bc506031b917bc60dd507191afe94ca3711b947f148b9bb2a5b12ff8
Instruction ID: b1f67eab47be401b424b2b7f473c20a2d37474f0fb22a4fb3a211bdc455b2807
Opcode Fuzzy Hash: bc0e12e4bc506031b917bc60dd507191afe94ca3711b947f148b9bb2a5b12ff8
Instruction Fuzzy Hash: 8931F2365002597ADB10BFA5DC88FDF37ACAF06320F1040ABE814A7191DB79DE858A2C

Function 004DBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004DB6AE,?,?), ref: 004DC9B5
Part of subcall function 004DC998: _wcslen.LIBCMT ref: 004DC9F1
Part of subcall function 004DC998: _wcslen.LIBCMT ref: 004DCA68
Part of subcall function 004DC998: _wcslen.LIBCMT ref: 004DCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004DBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 004DBFA9
RegCloseKey.ADVAPI32(00000000), ref: 004DBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 004DC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 004DC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 004DC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 004DC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 004DC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 004DC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 004DC382
RegCloseKey.ADVAPI32(00000000), ref: 004DC38F

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 5f4dcb72046a81b91d4af7a4046ea12456d17115a9ebb4ca4365f20379462470
Instruction ID: 49619d0bc48cbc56ae8fdfeba79bc21584fed6753fd5ce769ff483885d44b831
Opcode Fuzzy Hash: 5f4dcb72046a81b91d4af7a4046ea12456d17115a9ebb4ca4365f20379462470
Instruction Fuzzy Hash: 74024B71604201AFC714CF24C8D5A2ABBE5EF49318F19849EE849CB3A2D735ED46CB56

Function 004C8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 004C8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 004C8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 004C8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 004C8310
SetCurrentDirectoryW.KERNEL32(?), ref: 004C8324
SetCurrentDirectoryW.KERNEL32(?), ref: 004C8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 004C838C
SetCurrentDirectoryW.KERNEL32(?), ref: 004C8395

Strings

*.*, xrefs: 004C839B

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 4fd44a17f2c10b618b28f81fb897cc6337bf34a4acf5f3deb6db43d4f22587fd
Instruction ID: 24318ae7799a4ef7fe442e119dca1f2e9a672b918253c76d4005aa9f359a05fc
Opcode Fuzzy Hash: 4fd44a17f2c10b618b28f81fb897cc6337bf34a4acf5f3deb6db43d4f22587fd
Instruction Fuzzy Hash: B6616C765043459FC710DF61C884E9FB3E8FF89314F04482EE98987251EB39E945CB9A

Function 004BD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00453AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00453A97,?,?,00452E7F,?,?,?,00000000), ref: 00453AC2

Part of subcall function 004BE199: GetFileAttributesW.KERNEL32(?,004BCF95), ref: 004BE19A

FindFirstFileW.KERNEL32(?,?), ref: 004BD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 004BD1DD
MoveFileW.KERNEL32(?,?), ref: 004BD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 004BD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 004BD237

Part of subcall function 004BD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,004BD21C,?,?), ref: 004BD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 004BD253
FindClose.KERNEL32(00000000), ref: 004BD264

Strings

\*.*, xrefs: 004BD0CD, 004BD0D6, 004BD0EB

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: a6067fd7dec854e12ed6d632972fcf051b8fecf7e6f6463d4aef17f709cb10f7
Instruction ID: 3e122dfedb31334ef68147101656a71b0f0b9b09b716c92871cef17196c734df
Opcode Fuzzy Hash: a6067fd7dec854e12ed6d632972fcf051b8fecf7e6f6463d4aef17f709cb10f7
Instruction Fuzzy Hash: 39618F31C0114DABCF05EBE1C9929EEB7B5AF14349F2445AAE80177192EB385F09CB69

Function 004CED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004CED91
EmptyClipboard.USER32 ref: 004CED97
GlobalAlloc.KERNEL32(00000002,?), ref: 004CEDAC
CloseClipboard.USER32 ref: 004CEEA3

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 059725b64950bf021acdca1b536b90dd46f8b684641803bf3f0c54e36c2b2fc3
Instruction ID: d1346c0e0acd8338594eab01eeccdd8b9ba67261ac9c6b35e22311df28789b76
Opcode Fuzzy Hash: 059725b64950bf021acdca1b536b90dd46f8b684641803bf3f0c54e36c2b2fc3
Instruction Fuzzy Hash: 6141AF356046519FD720DF26D888F1ABBA1EF44358F14C0AEE8168F762C739EC42CB98

Function 004BE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 004B16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004B170D
Part of subcall function 004B16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004B173A
Part of subcall function 004B16C3: GetLastError.KERNEL32 ref: 004B174A

ExitWindowsEx.USER32(?,00000000), ref: 004BE932

Strings

, xrefs: 004BE920
SeShutdownPrivilege, xrefs: 004BE902
@, xrefs: 004BE925
, xrefs: 004BE95C

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: a48248148d6e9c16577045fd73f6d6d86b56b81a45c31634856517656fb3deeb
Instruction ID: b4beff9fbbc8cd6841ef76631241402f34a9831dabd9342a5a74fa07c82e3b1b
Opcode Fuzzy Hash: a48248148d6e9c16577045fd73f6d6d86b56b81a45c31634856517656fb3deeb
Instruction Fuzzy Hash: 2101F2B2610210EFEB1826B69CC6BFB729CA744744F140823F812E21E2D5A85C4982BC

Function 004D1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 004D1276
WSAGetLastError.WSOCK32 ref: 004D1283
bind.WSOCK32(00000000,?,00000010), ref: 004D12BA
WSAGetLastError.WSOCK32 ref: 004D12C5
closesocket.WSOCK32(00000000), ref: 004D12F4
listen.WSOCK32(00000000,00000005), ref: 004D1303
WSAGetLastError.WSOCK32 ref: 004D130D
closesocket.WSOCK32(00000000), ref: 004D133C

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 786129bf9f6506b58d3906e5842413769ab6c311ae6ee4b62470894708045bf1
Instruction ID: a3915bad7cf9833c258eb960c62c1bc0afff38cbc6c6ff8785776dfca34f0dc6
Opcode Fuzzy Hash: 786129bf9f6506b58d3906e5842413769ab6c311ae6ee4b62470894708045bf1
Instruction Fuzzy Hash: 82418F31600140AFD714DF64C5D8A2AB7E5AB46318F18819ADC569F3A3C735EC86CBA5

Function 0048B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0048B9D4
_free.LIBCMT ref: 0048B9F8
_free.LIBCMT ref: 0048BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,004F3700), ref: 0048BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0052121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0048BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00521270,000000FF,?,0000003F,00000000,?), ref: 0048BC36
_free.LIBCMT ref: 0048BD4B

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: e9a4ecb37ff634713e335d1665525cf2cb1b0d0dba7d9b7ba209c5db164da2bf
Instruction ID: 2b094e6269eb7d0d45fd527acfc3bf529c746b27cb8b503ab9e77ae99de153fb
Opcode Fuzzy Hash: e9a4ecb37ff634713e335d1665525cf2cb1b0d0dba7d9b7ba209c5db164da2bf
Instruction Fuzzy Hash: 0CC12775900205AFCB24BF6A8C41AAF7BA8EF52310F14496FE894D7351E7389E42D7D8

Function 004BD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00453AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00453A97,?,?,00452E7F,?,?,?,00000000), ref: 00453AC2

Part of subcall function 004BE199: GetFileAttributesW.KERNEL32(?,004BCF95), ref: 004BE19A

FindFirstFileW.KERNEL32(?,?), ref: 004BD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 004BD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 004BD481
FindClose.KERNEL32(00000000), ref: 004BD498
FindClose.KERNEL32(00000000), ref: 004BD4A1

Strings

\*.*, xrefs: 004BD3F2

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 67cc07190778d36c05f0cca82288c13167ce3e71e12224f1f55c4b199a5a4bbb
Instruction ID: d5987a9379fa5960cb842f7100376f2716bdd8c533847bdad5d5cb8dcf0319d1
Opcode Fuzzy Hash: 67cc07190778d36c05f0cca82288c13167ce3e71e12224f1f55c4b199a5a4bbb
Instruction Fuzzy Hash: D23170714083859BC300EF65C8918EF77E8AE91355F444E6EF8D153192EB38AA0EC76B

Function 0048E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0048E645

Strings

1#QNAN, xrefs: 0048F84B
1#INF, xrefs: 0048F852
1#IND, xrefs: 0048F83D
1#SNAN, xrefs: 0048F844

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: d1ba7cd62918483682d09dfabc59e96375a026ddc4cd2884dd434d88e276674c
Instruction ID: 815fb4e7633b8cca60b4f2264874134f13a2b7c65984eb99243734d0433edc06
Opcode Fuzzy Hash: d1ba7cd62918483682d09dfabc59e96375a026ddc4cd2884dd434d88e276674c
Instruction Fuzzy Hash: 56C25971E086288FDB25EE298D407EEB7B5EB49304F1445EBD80DE7241E778AE858F44

Function 004C648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004C64DC
CoInitialize.OLE32(00000000), ref: 004C6639
CoCreateInstance.OLE32(004EFCF8,00000000,00000001,004EFB68,?), ref: 004C6650
CoUninitialize.OLE32 ref: 004C68D4

Strings

.lnk, xrefs: 004C64BA, 004C6524, 004C65E0

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 3618ef24df7f27b3ae591ec9c02dc6785b385368b5678201b266cdc5421f0dec
Instruction ID: 9f877de162f785338e9c69d8b1e00bdd33e72ef4ea7e949d772b20c08f8e3d82
Opcode Fuzzy Hash: 3618ef24df7f27b3ae591ec9c02dc6785b385368b5678201b266cdc5421f0dec
Instruction Fuzzy Hash: 40D15971508201AFC304EF25D881E6BB7E8FF94709F10896EF5958B292DB34ED09CB96

Function 004D22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 004D22E8

Part of subcall function 004CE4EC: GetWindowRect.USER32(?,?), ref: 004CE504

GetDesktopWindow.USER32 ref: 004D2312
GetWindowRect.USER32(00000000), ref: 004D2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 004D2355
GetCursorPos.USER32(?), ref: 004D2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 004D23DF

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: a1c4eb75bdb8e2d49fd739a529a799ceaf89dc15c342c243ca8a6f7dddf81cd6
Instruction ID: e6881f73ec7408a9e2c7c14fb214e33c02f5fce132b3aa562c0e36488d0006c8
Opcode Fuzzy Hash: a1c4eb75bdb8e2d49fd739a529a799ceaf89dc15c342c243ca8a6f7dddf81cd6
Instruction Fuzzy Hash: AB310272504355AFC720DF25C884F9BB7A9FF84314F00091EF8849B281DB78EA09CB9A

Function 004C9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00459CB3: _wcslen.LIBCMT ref: 00459CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 004C9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 004C9C8B

Part of subcall function 004C3874: GetInputState.USER32 ref: 004C38CB
Part of subcall function 004C3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004C3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 004C9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 004C9C75

Strings

*.*, xrefs: 004C9B5D

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 935404e2a7e6e4db83a18bd99e439a6ca6695b4228184b5f3dd25660738352ed
Instruction ID: 1f058b6455b111dd0a328d3bca25fff00b1735fde9d7dae1869dada64c36e7ce
Opcode Fuzzy Hash: 935404e2a7e6e4db83a18bd99e439a6ca6695b4228184b5f3dd25660738352ed
Instruction Fuzzy Hash: 6B418F7590020AAFDF54DF65C889FEE7BB4FF05305F20405AE805A6292EB349E45CF69

Function 0046997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00469BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00469BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00469A4E
GetSysColor.USER32(0000000F), ref: 00469B23
SetBkColor.GDI32(?,00000000), ref: 00469B36

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: fda0c397a84fd6492c0a41f17c4a0787b58092da558911d99bd325ab6eb0c796
Instruction ID: 1f000331fa9d12f98963a93040c2b4222866c70dc036a97788bb46c7a1893cb8
Opcode Fuzzy Hash: fda0c397a84fd6492c0a41f17c4a0787b58092da558911d99bd325ab6eb0c796
Instruction Fuzzy Hash: A6A117B0108580BEE7349A6D8C88E7B269DEB63314B14011BF502C67D1EABDAD06D67F

Function 004D1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004D304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 004D307A
Part of subcall function 004D304E: _wcslen.LIBCMT ref: 004D309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 004D185D
WSAGetLastError.WSOCK32 ref: 004D1884
bind.WSOCK32(00000000,?,00000010), ref: 004D18DB
WSAGetLastError.WSOCK32 ref: 004D18E6
closesocket.WSOCK32(00000000), ref: 004D1915

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: a6a89a9df82c376a510829b38e5e6464c453593a51c3b0c01c817d5c0798d2b2
Instruction ID: c504b71af215019a84f39de83c8f925bd485388370e650010a5ee8bdae8234e5
Opcode Fuzzy Hash: a6a89a9df82c376a510829b38e5e6464c453593a51c3b0c01c817d5c0798d2b2
Instruction Fuzzy Hash: 96518071A00200AFDB10AF25C896F2A77A5AB44718F44809EFD455F3D3D679AD42CBA5

Function 004E1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 004E1CC0
IsWindowEnabled.USER32 ref: 004E1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 004E1CDB
IsIconic.USER32 ref: 004E1CE9
IsZoomed.USER32 ref: 004E1CF7

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 6424ae258a04788f034aa8de83e32221e61845cf141ed7e5d7fb009088df6048
Instruction ID: 22b387c9d6a35847c6419ecce0f7cafe4c4c2f14fdeda35485754a39762d0f1d
Opcode Fuzzy Hash: 6424ae258a04788f034aa8de83e32221e61845cf141ed7e5d7fb009088df6048
Instruction Fuzzy Hash: 732196317802915FD7208F27D884F677B95EF95316B29806EE845CB362C779EC42CB98

Function 00458060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 0045843C
VUUU, xrefs: 004583E8
VUUU, xrefs: 004583FA
ERCP, xrefs: 0045813C
VUUU, xrefs: 00495DF0

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 0d138df9ea90d600622cea0f5711fc1b8bc2b61053358e3e0716eb8144ddef94
Instruction ID: f862c67b88b28e5e8b2c30bdf8d863a75ededd44d48131c20af6706ba047171a
Opcode Fuzzy Hash: 0d138df9ea90d600622cea0f5711fc1b8bc2b61053358e3e0716eb8144ddef94
Instruction Fuzzy Hash: 01A29F70A0021ACBDF24CF58C9407AEBBB1BF54311F2581ABEC15A7385EB389D85CB59

Function 004B8298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 004B82AA

Strings

|, xrefs: 004B82DA
(, xrefs: 004B82F0
tbQ, xrefs: 004B84F4

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tbQ$|
API String ID: 1659193697-2774208020
Opcode ID: 5b5698b6dc22029968087399fad0ee5c1743809a982428451cfd8699e509fc97
Instruction ID: c256d3132885fb308cfdea7765ee7ec31ddfd10c2048ae9d2d8133e3238e3272
Opcode Fuzzy Hash: 5b5698b6dc22029968087399fad0ee5c1743809a982428451cfd8699e509fc97
Instruction Fuzzy Hash: 37323674A00605DFCB28CF19C480AAAB7F4FF48710B15C56EE89ADB7A1EB74E941CB54

Function 004BAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 004BAAAC
SetKeyboardState.USER32(00000080), ref: 004BAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 004BAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 004BAB88

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: eab32102fc29236008734e89fc73b982abd4c74b631ea53566a70a0de6dfe420
Instruction ID: 0e519b7d83a4f4b05f3c984b1f33d55694eb54cb8c98dce1680c40207474bd19
Opcode Fuzzy Hash: eab32102fc29236008734e89fc73b982abd4c74b631ea53566a70a0de6dfe420
Instruction Fuzzy Hash: 91312930A44248AEEF34CA658C45BFB7BA6AB44310F04421BE2A1562D1D37CADA5C77B

Function 004CCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 004CCE89
GetLastError.KERNEL32(?,00000000), ref: 004CCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 004CCEFE

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: e95b11b581806d979017d8937b1ac090cfa18b4d39801dbe98dce74119cb8b01
Instruction ID: 617e27a0f6706aa0903e0c6364165c8b537ddc68df5a27a01cabca9a97dd6ba9
Opcode Fuzzy Hash: e95b11b581806d979017d8937b1ac090cfa18b4d39801dbe98dce74119cb8b01
Instruction Fuzzy Hash: 7621DE759003059BD7608F65C9C4FAB77F8EB01308F10442FE64A92291E738EA058B58

Function 004C5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004C5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 004C5D17
FindClose.KERNEL32(?), ref: 004C5D5F

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: beddeb692158922cdb7fde927a9b9155efe34aa537cbb84c7e8c185fc4b87f0d
Instruction ID: 04c3d0c39263459284edb4ef9da3d32ee683030c5e890aa1f68b24f87cac43a3
Opcode Fuzzy Hash: beddeb692158922cdb7fde927a9b9155efe34aa537cbb84c7e8c185fc4b87f0d
Instruction Fuzzy Hash: 66518638604B019FC714CF28C484E9AB7E4FF49318F14855EE99A8B3A2DB38F845CB95

Function 00482622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0048271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00482724
UnhandledExceptionFilter.KERNEL32(?), ref: 00482731

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 8aea1b046e30cee5e26f6d20d4671b0821b2626faad9a576ede1451ef2aeadfd
Instruction ID: a5227cf22b9ab560ca275ed9301575db8fca5386729932af519bd849305673a9
Opcode Fuzzy Hash: 8aea1b046e30cee5e26f6d20d4671b0821b2626faad9a576ede1451ef2aeadfd
Instruction Fuzzy Hash: 8D31D574901318ABCB21DF65DD887DDBBB8AF18310F5081EAE80CA7261E7749F818F48

Function 004C51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004C51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 004C5238
SetErrorMode.KERNEL32(00000000), ref: 004C52A1

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 149afddddc86ff98a4b8a978671259127ef661e5739a771a26386b69a0d9d1f7
Instruction ID: 1d6979d34ac79007ddbe416469fcd9b671341204eb29cf74df7257ca00e37f3e
Opcode Fuzzy Hash: 149afddddc86ff98a4b8a978671259127ef661e5739a771a26386b69a0d9d1f7
Instruction Fuzzy Hash: F7313C75A00618DFDB00DF55D8C4EADBBB4FF48318F048099E8459B392DB35E85ACB54

Function 004B16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0046FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00470668
Part of subcall function 0046FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00470685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004B170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004B173A
GetLastError.KERNEL32 ref: 004B174A

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: a0c3b8282d9ea444fef22f6844126e79f7ec01916a3a7c33db7ac62c3faea94e
Instruction ID: ab28642a01b312d06c09fa8163aacd62ec948dfba69d581fadbfe912e97bfa70
Opcode Fuzzy Hash: a0c3b8282d9ea444fef22f6844126e79f7ec01916a3a7c33db7ac62c3faea94e
Instruction Fuzzy Hash: F611CEB2400304AFD718AF54ECC6DABB7BDEB05714B20852FE49657291EB74BC428B68

Function 004BD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 004BD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 004BD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 004BD650

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: f883b30cbe13319560d67f2b213b45d54c295eb979ce1f04e918bd1d3e92eef9
Instruction ID: 5fc6abce670f6f6e0bf66d8608e840f9003e9e1d6b0c021d2215df0c8d794ab6
Opcode Fuzzy Hash: f883b30cbe13319560d67f2b213b45d54c295eb979ce1f04e918bd1d3e92eef9
Instruction Fuzzy Hash: 7E113C75E05228BBDB108F959C85FEFBFBCEB45B50F108166F904E7290D6704A058BA5

Function 004B1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004B168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 004B16A1
FreeSid.ADVAPI32(?), ref: 004B16B1

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: b83ef654a11ec12e08017b3a7cbd0e2962ce88de23a299dba9aa889977d34b1c
Instruction ID: bfcfd1735af130839b02aee69a98b3d76578395e7e22dc71cd6ed49a6d21bab7
Opcode Fuzzy Hash: b83ef654a11ec12e08017b3a7cbd0e2962ce88de23a299dba9aa889977d34b1c
Instruction Fuzzy Hash: 08F0F471950309FBDB00DFE49CC9EAEBBBCEB08604F504965E501E6191E774AA448A64

Function 0048C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0048C36C

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 1ddf7032a9bb2c0d605364ec54812c75b240d4765874501401ec5e1fddb19152
Instruction ID: 77b8f328018d6b81e9a4cf2f8058ae73016412cf1e3bbe0a458fffdb13318410
Opcode Fuzzy Hash: 1ddf7032a9bb2c0d605364ec54812c75b240d4765874501401ec5e1fddb19152
Instruction Fuzzy Hash: 2D414D719002196FCB20AFB9DC88DBF7778EB84314F1045AEFD05D7280E6749D818B64

Function 004AD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 004AD28C

Strings

X64, xrefs: 004AD2A8

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: ef58e262db6b42523ca38eb136556779169e70ea65ae7b29e20d1391a69204a2
Instruction ID: 38a02683005b6fad86efcc5526d707101bced3cf29c8a6f2ec08110d2ad555b2
Opcode Fuzzy Hash: ef58e262db6b42523ca38eb136556779169e70ea65ae7b29e20d1391a69204a2
Instruction Fuzzy Hash: A9D0C9B5C0111DEACB90DB90DCC8DD9B37CBB14305F100192F506A2000D734954A8F15

Function 0047CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: a91280f4d64d1a561b3fd4324d96c29428118030e2b793674ba4fbb1294686d2
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: D3021B71E002199FDF24CFA9D9806EEBBF1EF48314F25816ED919E7384D734AA418B84

Function 0045CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 004A0C40
p#R, xrefs: 0045CF7F

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#R
API String ID: 0-3568732149
Opcode ID: 4b4212fec2215e79e139dea8ff6ef239dc50e9943f814374b9c6e86ca328adc9
Instruction ID: 95c4485017989d3eb09f139a3f60a188164a449e7f300c69e8db58cfa629a4fa
Opcode Fuzzy Hash: 4b4212fec2215e79e139dea8ff6ef239dc50e9943f814374b9c6e86ca328adc9
Instruction Fuzzy Hash: A2326971900318DFDF14DF90C881AEEB7B5BF15309F14405AE806AB392D779AE4ACB69

Function 004C68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004C6918
FindClose.KERNEL32(00000000), ref: 004C6961

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: fd0582cf7fbd510cd5e9b5a4d802d6a9ef08ed045336f02e78f76c7166b79bdf
Instruction ID: 820f1265eb48a3ecb5780cbc9cd9fda24c5a2d2898d631ac7d00e1f4365d3a10
Opcode Fuzzy Hash: fd0582cf7fbd510cd5e9b5a4d802d6a9ef08ed045336f02e78f76c7166b79bdf
Instruction Fuzzy Hash: FB11AF756042009FC710CF29D8C5A16BBE1EF84329F05C6AEE8698F3A2C734EC05CB95

Function 004C37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,004D4891,?,?,00000035,?), ref: 004C37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,004D4891,?,?,00000035,?), ref: 004C37F4

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: eb68cdc9d97fd19683d1a8d4a20762a43dc633fbd05ab113e40784ca0251376e
Instruction ID: 06e046305e33213ad93962533b0981f053a945e34968f74366b079f204a3d87f
Opcode Fuzzy Hash: eb68cdc9d97fd19683d1a8d4a20762a43dc633fbd05ab113e40784ca0251376e
Instruction Fuzzy Hash: 6CF05C716013182AD71017664C8CFEB7A5EDFC4761F00417AF505D2281C9604D04C6B4

Function 004BB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 004BB25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 004BB270

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 5f4384b2f0702e9f7f508d80bad38c70c63e81e76ea3b47dd19e25d840e17d46
Instruction ID: 1b9d8d7b4c789dfcc664a0667326b5bd74e28069826071bcdf18391074ba380e
Opcode Fuzzy Hash: 5f4384b2f0702e9f7f508d80bad38c70c63e81e76ea3b47dd19e25d840e17d46
Instruction Fuzzy Hash: 2DF01D7180428EABDB059FA1C845BEE7BB4FF04305F00805AF965A9192C379C6129FA8

Function 004B10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004B11FC), ref: 004B10D4
CloseHandle.KERNEL32(?,?,004B11FC), ref: 004B10E9

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 298f63c9fd119ada93806f296871c75acd16cb7cd5fca4b113d22796d9ac6665
Instruction ID: 3cb0734448d63e247778ddff7dc0a4a81eff83d4746c5432c352243b5759396f
Opcode Fuzzy Hash: 298f63c9fd119ada93806f296871c75acd16cb7cd5fca4b113d22796d9ac6665
Instruction Fuzzy Hash: 8DE04F72004600AEE7252B51FC45E737BA9EB04314B10882EF8A6844B1EB626C90DB58

Function 0048676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00486766,?,?,00000008,?,?,0048FEFE,00000000), ref: 00486998

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 577bd86aef0dfe995eb20024f01df7fa844869b866d5c1e84d6cd48747c698df
Instruction ID: 2fde868bd7356e110fba211037cd49437d46ea3fd553c90ff60c4303780009bb
Opcode Fuzzy Hash: 577bd86aef0dfe995eb20024f01df7fa844869b866d5c1e84d6cd48747c698df
Instruction Fuzzy Hash: 0AB16D71510608DFD759DF28C48AB697BE0FF05364F268A59E899CF3A2C339D982CB44

Function 0046B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 004A851F

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: b7ad00bc63940771bbf034b3959412eafbd72252760e265c5da90d1b061be74e
Instruction ID: 997dc3dae4fb917fc90c876fc81eb281bca15e3f56e08eedb89e4d7a0ac7599c
Opcode Fuzzy Hash: b7ad00bc63940771bbf034b3959412eafbd72252760e265c5da90d1b061be74e
Instruction Fuzzy Hash: 5C125071A002299BDB14CF59C8806EEB7F5FF58710F14819BE849EB251EB389E81CF95

Function 004CEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 004CEABD

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 494583637a2cc9a91af67f989f90b8d97a200e218ed3c8ce24f83bddcd45da30
Instruction ID: e80af0ffd58daf2c1d1c4bb0e57a0ed52b69bc5b212050af92a1385664af0a4c
Opcode Fuzzy Hash: 494583637a2cc9a91af67f989f90b8d97a200e218ed3c8ce24f83bddcd45da30
Instruction Fuzzy Hash: 3CE012352002049FC710DF6AD844E5AB7D9AF58764F00841BFC45C7351D775A8458B95

Function 004709D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,004703EE), ref: 004709DA

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 14f2f45087164fef4636e445db1c7a784c245e6d949a85e1f479f93fa08c2feb
Instruction ID: f550c3b4988f1208fbb10dfbb77c4fe30e03dbf9f7e63b042924fcb0c6fbdd06
Opcode Fuzzy Hash: 14f2f45087164fef4636e445db1c7a784c245e6d949a85e1f479f93fa08c2feb
Instruction Fuzzy Hash:

Function 0047781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0047798B

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: c8863cd2f663eb224dd507b8df78637a8e69d5ccd62825792d97a74b30f427c6
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: B15155B160C60596EB346669C8497FF27898B02304F98C91BD98EC7382C60DDE02C39F

Function 004C2046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&R, xrefs: 004C2053

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID:
String ID: 0&R
API String ID: 0-2643562366
Opcode ID: b9755088737084218ffa247947b79c01f704498ec848a218b197dba007841f61
Instruction ID: 162542fd9920640220d2f62b1729e70b37e3493b265007cf05ecb3de5b0b3517
Opcode Fuzzy Hash: b9755088737084218ffa247947b79c01f704498ec848a218b197dba007841f61
Instruction Fuzzy Hash: 0621D5326206118BD728CE7AC92367A73E5AB64310F14862FE4A7C37D0DE79A904DB84

Function 00486DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e481f188fa4d5914befb2c10dec377dc67388b4f6111ef6c668b6d51554f6cd
Instruction ID: 32d511af3a033c0dac44003ffc30aaf2a6a18bcc469e20c37ee525a73dd2522f
Opcode Fuzzy Hash: 5e481f188fa4d5914befb2c10dec377dc67388b4f6111ef6c668b6d51554f6cd
Instruction Fuzzy Hash: A9321821D29F014DD723A634C93233AA649AFB73C5F25D737E815B5EA5EB69C4C38204

Function 0046CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cee5b69e1a4612365e8699a8ea661a7f0b4ba5712a72660721a5278cb33754a3
Instruction ID: 92a61f670a4e173b30ce44cf73e8628fc4b21fd04f1012af3fda995fca16f242
Opcode Fuzzy Hash: cee5b69e1a4612365e8699a8ea661a7f0b4ba5712a72660721a5278cb33754a3
Instruction Fuzzy Hash: 3E322871A001158BDF64CF2DC4D06BE77A1EB67310F28816BD49A8B391E23CDD82DB5A

Function 00457920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23c5eec661a40ec51e60276c59c10161ef5804a8692d771d4bb1ffe334daa12c
Instruction ID: fc70af1776c14a57baaef0b6c5301edf9ce4c9e18e981ba153c70ad8b2f8bb88
Opcode Fuzzy Hash: 23c5eec661a40ec51e60276c59c10161ef5804a8692d771d4bb1ffe334daa12c
Instruction Fuzzy Hash: D922D2B0A00609DFDF14CF65D941AAEB7F1FF44304F20453AE816A7292E73AAD19CB59

Function 004591C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b2901637a0de60735c41805049ffcfadcae0d8d38f450fe7ffc6fd7d4eb8897
Instruction ID: dc9fa1e866c4c154de479cfa947fc2aef93676aed21a66402e26f3697e1d5790
Opcode Fuzzy Hash: 1b2901637a0de60735c41805049ffcfadcae0d8d38f450fe7ffc6fd7d4eb8897
Instruction Fuzzy Hash: 3202D7B0E00105EBCF04DF55D881AAEBBB1FF44304F10856AE8569B391E739EE15CB99

Function 00489EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f53df44b4e649bff45a730d525c03487e3e23b628b664929fd78c4b88c83b4e
Instruction ID: 68621bcb52fcb4439ab8dec45d254599969a0052b1c74e256cf16f2363529091
Opcode Fuzzy Hash: 2f53df44b4e649bff45a730d525c03487e3e23b628b664929fd78c4b88c83b4e
Instruction Fuzzy Hash: 00B11420D2AF414DD7239A398831336B65CAFBB6D6F91D72BFC1674D22EB2185938144

Function 00471C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: b0d57244c041d6103903de4bff69845e21772627e7babb274d1ef9a53eb6e396
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 7B91B8721080A34EDB39423E85340BFFFE15A523A131A479FD4FACA2E1FE18D955D624

Function 004719B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 9a681ca2cb3c5d3946c34c14fade14d552293749611c48578645818f245ca216
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: C591A7722090A30EDB29427D85740BFFFE14A923A1319879FD4FACA2E1FD18D655D624

Function 00477A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 979cbf969df898c1c09f0f9d30af45ed980a5760caf275e7b6e8efecf2c6a8d7
Instruction ID: 8b4d60d3b533615589cd3e21cf6b4189ffc9ca26a78c728d7a12dd783ad6b1c0
Opcode Fuzzy Hash: 979cbf969df898c1c09f0f9d30af45ed980a5760caf275e7b6e8efecf2c6a8d7
Instruction Fuzzy Hash: ED61587124870596EA349A288995BFF3394DF41308FD0C91FE94ECB382D51DAE42C75E

Function 00477CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38ccf875226729d7aaa7951bc1995f7b1d1a74edd6d49c6c038d25c1797ab736
Instruction ID: 9b5da4c3ea2a8aa136ab56f4591a2d82de1cba9d217556af96e5f80566c9ed06
Opcode Fuzzy Hash: 38ccf875226729d7aaa7951bc1995f7b1d1a74edd6d49c6c038d25c1797ab736
Instruction Fuzzy Hash: C4619A7124870962DA384A685895BFF23899F42748FD0CC5FE94ECB381E61E9D42C35E

Function 00471706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 2f4c76082f05d94f110613cfda6e90d6a867d0ac66fb809a259581a229a4a780
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: E981A9B25080A309DB2D423D85740BFFFE15A923A131A479FD4FACB2E1EE18C559D625

Function 004D2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 004D2B30
DeleteObject.GDI32(00000000), ref: 004D2B43
DestroyWindow.USER32 ref: 004D2B52
GetDesktopWindow.USER32 ref: 004D2B6D
GetWindowRect.USER32(00000000), ref: 004D2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 004D2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 004D2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004D2CF8
GetClientRect.USER32(00000000,?), ref: 004D2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 004D2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004D2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004D2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004D2D80
GlobalLock.KERNEL32(00000000), ref: 004D2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004D2D98
GlobalUnlock.KERNEL32(00000000), ref: 004D2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004D2DA8
GlobalFree.KERNEL32(00000000), ref: 004D2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004D2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,004EFC38,00000000), ref: 004D2DDB
GlobalFree.KERNEL32(00000000), ref: 004D2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 004D2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 004D2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004D2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004D303F

Strings

AutoIt v3, xrefs: 004D2CF2
, xrefs: 004D2FC5
static, xrefs: 004D2D3A, 004D2E91
DISPLAY, xrefs: 004D2EA2

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 958c8cf6c0a409aa28fb1cd5e20a2b07aa598db56f17b30d51e996182e6b84d4
Instruction ID: 17a6486f4471d2d702e20f0c67d2cbeb3a8b0ba58306d3f7e5ba75dddb9691a6
Opcode Fuzzy Hash: 958c8cf6c0a409aa28fb1cd5e20a2b07aa598db56f17b30d51e996182e6b84d4
Instruction Fuzzy Hash: 5E02CF71500208AFDB14CF64CD88EAF7BB9FF59315F00855AF915AB2A1DB74AD02CB68

Function 004E70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 004E712F
GetSysColorBrush.USER32(0000000F), ref: 004E7160
GetSysColor.USER32(0000000F), ref: 004E716C
SetBkColor.GDI32(?,000000FF), ref: 004E7186
SelectObject.GDI32(?,?), ref: 004E7195
InflateRect.USER32(?,000000FF,000000FF), ref: 004E71C0
GetSysColor.USER32(00000010), ref: 004E71C8
CreateSolidBrush.GDI32(00000000), ref: 004E71CF
FrameRect.USER32(?,?,00000000), ref: 004E71DE
DeleteObject.GDI32(00000000), ref: 004E71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 004E7230
FillRect.USER32(?,?,?), ref: 004E7262
GetWindowLongW.USER32(?,000000F0), ref: 004E7284

Part of subcall function 004E73E8: GetSysColor.USER32(00000012), ref: 004E7421
Part of subcall function 004E73E8: SetTextColor.GDI32(?,?), ref: 004E7425
Part of subcall function 004E73E8: GetSysColorBrush.USER32(0000000F), ref: 004E743B
Part of subcall function 004E73E8: GetSysColor.USER32(0000000F), ref: 004E7446
Part of subcall function 004E73E8: GetSysColor.USER32(00000011), ref: 004E7463
Part of subcall function 004E73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 004E7471
Part of subcall function 004E73E8: SelectObject.GDI32(?,00000000), ref: 004E7482
Part of subcall function 004E73E8: SetBkColor.GDI32(?,00000000), ref: 004E748B
Part of subcall function 004E73E8: SelectObject.GDI32(?,?), ref: 004E7498
Part of subcall function 004E73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 004E74B7
Part of subcall function 004E73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004E74CE
Part of subcall function 004E73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 004E74DB

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 6c9ae1ce8b9d3f0673c801f51d52f644239e5576975704334a94b86e6c3219d6
Instruction ID: 57c1f21863b6beb65751bba55ca3325a1cfa0b06b2de23a6965cb2f5b671a61f
Opcode Fuzzy Hash: 6c9ae1ce8b9d3f0673c801f51d52f644239e5576975704334a94b86e6c3219d6
Instruction Fuzzy Hash: A3A1A371008351BFD7009F60DC88A6BBBA9FF49331F100A29FA629A1E2D735D946DF56

Function 00468D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00468E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 004A6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 004A6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004A6F43

Part of subcall function 00468F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00468BE8,?,00000000,?,?,?,?,00468BBA,00000000,?), ref: 00468FC5

SendMessageW.USER32(?,00001053), ref: 004A6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 004A6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 004A6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 004A6FB7

Strings

0, xrefs: 004A6DCF

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: e47248e5b691411381ffcd42e94a2119a6324886eb6851ee78e3dc67da2b0789
Instruction ID: 9765572e8efea4ba28adc4620e72fd59b20c25bb3f8f7eb99513e97f0d6f0944
Opcode Fuzzy Hash: e47248e5b691411381ffcd42e94a2119a6324886eb6851ee78e3dc67da2b0789
Instruction Fuzzy Hash: B512BE30200651DFD725CF24C884BA7B7E5FF6A300F19456EF485CB261DB3AA892DB5A

Function 004D2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 004D273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004D286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 004D28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 004D28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 004D2900
GetClientRect.USER32(00000000,?), ref: 004D290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 004D2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004D2964
GetStockObject.GDI32(00000011), ref: 004D2974
SelectObject.GDI32(00000000,00000000), ref: 004D2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 004D2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004D2991
DeleteDC.GDI32(00000000), ref: 004D299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004D29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 004D29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 004D2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 004D2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 004D2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 004D2A77
GetStockObject.GDI32(00000011), ref: 004D2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 004D2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 004D2A97

Strings

AutoIt v3, xrefs: 004D28F8
static, xrefs: 004D294F, 004D2A71
msctls_progress32, xrefs: 004D2A13
DISPLAY, xrefs: 004D295A

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 5edfafb65f9fa7523b83d42b1b560dbacac879ba7105203aadc216542b72f1b9
Instruction ID: 93c6cb1e18120059bb436f4b3e25393ffa60588ed9fb48486c1926f03900f92c
Opcode Fuzzy Hash: 5edfafb65f9fa7523b83d42b1b560dbacac879ba7105203aadc216542b72f1b9
Instruction Fuzzy Hash: 2BB19D71A00209AFEB24DF68CC85FAF7BA9EF15715F00451AF914EB291D774AD01CB98

Function 004C4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004C4AED
GetDriveTypeW.KERNEL32(?,004ECB68,?,\\.\,004ECC08), ref: 004C4BCA
SetErrorMode.KERNEL32(00000000,004ECB68,?,\\.\,004ECC08), ref: 004C4D36

Strings

RAMDisk, xrefs: 004C4BF4
CDROM, xrefs: 004C4BFB
SSD, xrefs: 004C4C4A
SATA, xrefs: 004C4CD0
ATA, xrefs: 004C4C98
SSA, xrefs: 004C4CA6
iSCSI, xrefs: 004C4CC2
Virtual, xrefs: 004C4CE5
SAS, xrefs: 004C4CC9
Fixed, xrefs: 004C4C09
MMC, xrefs: 004C4CDE
FileBackedVirtual, xrefs: 004C4CEC
RAID, xrefs: 004C4CBB
Removable, xrefs: 004C4C10, 004C4C15
Unknown, xrefs: 004C4BED, 004C4C83
ATAPI, xrefs: 004C4C91
USB, xrefs: 004C4CB4
1394, xrefs: 004C4C9F
PhysicalDrive, xrefs: 004C4B76
\\.\, xrefs: 004C4B3F
Fibre, xrefs: 004C4CAD
Network, xrefs: 004C4C02
SCSI, xrefs: 004C4C8A

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: e56ca425107fbd1a630359f2bcca87d813c0321cb33f814412b0f1385f5d4748
Instruction ID: 20240f72474bf192d9cfa42737ef06470f38a669aa6f6a3bb3bf3679c1425043
Opcode Fuzzy Hash: e56ca425107fbd1a630359f2bcca87d813c0321cb33f814412b0f1385f5d4748
Instruction Fuzzy Hash: 5C61E838601105DBEB44DF14CBA1EA97BB0BB84344B21441FF8079B662DB3DED82DB5A

Function 004E73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 004E7421
SetTextColor.GDI32(?,?), ref: 004E7425
GetSysColorBrush.USER32(0000000F), ref: 004E743B
GetSysColor.USER32(0000000F), ref: 004E7446
CreateSolidBrush.GDI32(?), ref: 004E744B
GetSysColor.USER32(00000011), ref: 004E7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 004E7471
SelectObject.GDI32(?,00000000), ref: 004E7482
SetBkColor.GDI32(?,00000000), ref: 004E748B
SelectObject.GDI32(?,?), ref: 004E7498
InflateRect.USER32(?,000000FF,000000FF), ref: 004E74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004E74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 004E74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004E752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 004E7554
InflateRect.USER32(?,000000FD,000000FD), ref: 004E7572
DrawFocusRect.USER32(?,?), ref: 004E757D
GetSysColor.USER32(00000011), ref: 004E758E
SetTextColor.GDI32(?,00000000), ref: 004E7596
DrawTextW.USER32(?,004E70F5,000000FF,?,00000000), ref: 004E75A8
SelectObject.GDI32(?,?), ref: 004E75BF
DeleteObject.GDI32(?), ref: 004E75CA
SelectObject.GDI32(?,?), ref: 004E75D0
DeleteObject.GDI32(?), ref: 004E75D5
SetTextColor.GDI32(?,?), ref: 004E75DB
SetBkColor.GDI32(?,?), ref: 004E75E5

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: e32e9e6e3b8b3d8e281dd6a6faf8a7aaa935cf1d03b57a61c9584d30a4309ad0
Instruction ID: 92f9aec080cd3a04f1d898f21ad5351977345985f6e1a6b3db10c8c3ec378f5a
Opcode Fuzzy Hash: e32e9e6e3b8b3d8e281dd6a6faf8a7aaa935cf1d03b57a61c9584d30a4309ad0
Instruction Fuzzy Hash: 2B618172900258BFDF009FA4DC88EAEBFB9EB08321F104125F911AB2A2D7749941DF94

Function 004E0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 004E1128
GetDesktopWindow.USER32 ref: 004E113D
GetWindowRect.USER32(00000000), ref: 004E1144
GetWindowLongW.USER32(?,000000F0), ref: 004E1199
DestroyWindow.USER32(?), ref: 004E11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 004E11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004E120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 004E121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 004E1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 004E1245
IsWindowVisible.USER32(00000000), ref: 004E12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 004E12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 004E12D0
GetWindowRect.USER32(00000000,?), ref: 004E12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 004E130E
GetMonitorInfoW.USER32(00000000,?), ref: 004E1328
CopyRect.USER32(?,?), ref: 004E133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 004E13AA

Strings

(, xrefs: 004E131B
tooltips_class32, xrefs: 004E11E6
0, xrefs: 004E10D3

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: aca0f1eb3de59b2be138f15f8fc19ff66900fcf5b91338568cd873d4fce5ae61
Instruction ID: 09db6ec24870b08ecd865bc4cb48a961a9ab13884b1c9c5b963d0135c71da372
Opcode Fuzzy Hash: aca0f1eb3de59b2be138f15f8fc19ff66900fcf5b91338568cd873d4fce5ae61
Instruction Fuzzy Hash: 61B1AE71604380AFD704DF65C884B6BBBE4FF88345F00891EF9999B262C735E845CB99

Function 004E0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004E02E5
_wcslen.LIBCMT ref: 004E031F
_wcslen.LIBCMT ref: 004E0389
_wcslen.LIBCMT ref: 004E03F1
_wcslen.LIBCMT ref: 004E0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 004E04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 004E0504

Part of subcall function 0046F9F2: _wcslen.LIBCMT ref: 0046F9FD

Part of subcall function 004B223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004B2258
Part of subcall function 004B223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 004B228A

Strings

DESELECT, xrefs: 004E059C
ISSELECTED, xrefs: 004E04DD
GETSELECTED, xrefs: 004E05E1
GETITEMCOUNT, xrefs: 004E0316, 004E0337
SELECTINVERT, xrefs: 004E057E
GETTEXT, xrefs: 004E03EC, 004E0407
SELECTALL, xrefs: 004E0515
FINDITEM, xrefs: 004E0627
GETSELECTEDCOUNT, xrefs: 004E0470, 004E048B
VIEWCHANGE, xrefs: 004E0675
SELECT, xrefs: 004E0548
GETSUBITEMCOUNT, xrefs: 004E0384, 004E039F
SELECTCLEAR, xrefs: 004E052D

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: e56536cbbaf86b2a0e644a80d4f84a74ab6abc6de46b0f2e414a589de221298e
Instruction ID: 8a17e9be803caa123b9887bf0b9baf05a1504dfa95197ed9e6ac5579863ee019
Opcode Fuzzy Hash: e56536cbbaf86b2a0e644a80d4f84a74ab6abc6de46b0f2e414a589de221298e
Instruction Fuzzy Hash: 24E103312082819FC714DF26C54096BB7E1FF88319B14495EF8A69B392D778ED86CB86

Function 00468891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00468968
GetSystemMetrics.USER32(00000007), ref: 00468970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0046899B
GetSystemMetrics.USER32(00000008), ref: 004689A3
GetSystemMetrics.USER32(00000004), ref: 004689C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 004689E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 004689F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00468A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00468A3C
GetClientRect.USER32(00000000,000000FF), ref: 00468A5A
GetStockObject.GDI32(00000011), ref: 00468A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00468A81

Part of subcall function 0046912D: GetCursorPos.USER32(?), ref: 00469141
Part of subcall function 0046912D: ScreenToClient.USER32(00000000,?), ref: 0046915E
Part of subcall function 0046912D: GetAsyncKeyState.USER32(00000001), ref: 00469183
Part of subcall function 0046912D: GetAsyncKeyState.USER32(00000002), ref: 0046919D

SetTimer.USER32(00000000,00000000,00000028,004690FC), ref: 00468AA8

Strings

AutoIt v3 GUI, xrefs: 00468A20

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 1fcc3544fd8e8593235a4d9f560f4571f219a14ebcbb917e587d2eb0eed4eca9
Instruction ID: fc3c5df6880a0934e29b1fef709d47c0285d3e5ffafc851c7fd54429fcbb4e7d
Opcode Fuzzy Hash: 1fcc3544fd8e8593235a4d9f560f4571f219a14ebcbb917e587d2eb0eed4eca9
Instruction Fuzzy Hash: 67B1B2756002099FDF14DF68CC85BAE3BB4FB19314F15422AFA15AB290DB38E841CF59

Function 004B0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004B10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 004B1114
Part of subcall function 004B10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,004B0B9B,?,?,?), ref: 004B1120
Part of subcall function 004B10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,004B0B9B,?,?,?), ref: 004B112F
Part of subcall function 004B10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,004B0B9B,?,?,?), ref: 004B1136
Part of subcall function 004B10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 004B114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 004B0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004B0E29
GetLengthSid.ADVAPI32(?), ref: 004B0E40
GetAce.ADVAPI32(?,00000000,?), ref: 004B0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 004B0E96
GetLengthSid.ADVAPI32(?), ref: 004B0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 004B0EB5
HeapAlloc.KERNEL32(00000000), ref: 004B0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 004B0EDD
CopySid.ADVAPI32(00000000), ref: 004B0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004B0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004B0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 004B0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004B0F6E
HeapFree.KERNEL32(00000000), ref: 004B0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004B0F7E
HeapFree.KERNEL32(00000000), ref: 004B0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004B0F8E
HeapFree.KERNEL32(00000000), ref: 004B0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 004B0FA1
HeapFree.KERNEL32(00000000), ref: 004B0FA8

Part of subcall function 004B1193: GetProcessHeap.KERNEL32(00000008,004B0BB1,?,00000000,?,004B0BB1,?), ref: 004B11A1
Part of subcall function 004B1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,004B0BB1,?), ref: 004B11A8
Part of subcall function 004B1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,004B0BB1,?), ref: 004B11B7

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 2d66e37cdfb635ea961e9c435bc4d3bcef603d81c77d067e9f9d8aebc786b98c
Instruction ID: 8ba414245dd2b16831f66d64e83f5c4af29b02497049293af18d56e69e34ee89
Opcode Fuzzy Hash: 2d66e37cdfb635ea961e9c435bc4d3bcef603d81c77d067e9f9d8aebc786b98c
Instruction Fuzzy Hash: D5715F71A0020AABDF209FA5DC84FEFBBB8BF05301F048166F919A6251D775D906CB74

Function 004DC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004DC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,004ECC08,00000000,?,00000000,?,?), ref: 004DC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 004DC5A4
_wcslen.LIBCMT ref: 004DC5F4
_wcslen.LIBCMT ref: 004DC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 004DC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 004DC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 004DC84D
RegCloseKey.ADVAPI32(?), ref: 004DC881
RegCloseKey.ADVAPI32(00000000), ref: 004DC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 004DC960

Strings

REG_SZ, xrefs: 004DC644
REG_QWORD, xrefs: 004DC8C3
REG_DWORD, xrefs: 004DC804
REG_BINARY, xrefs: 004DC913
REG_EXPAND_SZ, xrefs: 004DC5CD
REG_MULTI_SZ, xrefs: 004DC6F5

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 81acb85d7d2ae2ef698e6957fe4524b8a905559f4e6cb18ce2d58de710631a31
Instruction ID: b97e055b7a89a56421f77b07db746c15d9ff32175df4c8c0014d460a52bf8bf6
Opcode Fuzzy Hash: 81acb85d7d2ae2ef698e6957fe4524b8a905559f4e6cb18ce2d58de710631a31
Instruction Fuzzy Hash: 73128E356042019FD714DF15C891E2AB7E5FF88359F04885EF88A9B3A2DB39EC45CB89

Function 004E091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004E09C6
_wcslen.LIBCMT ref: 004E0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 004E0A54
_wcslen.LIBCMT ref: 004E0A8A
_wcslen.LIBCMT ref: 004E0B06
_wcslen.LIBCMT ref: 004E0B81

Part of subcall function 0046F9F2: _wcslen.LIBCMT ref: 0046F9FD

Part of subcall function 004B2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004B2BFA

Strings

UNCHECK, xrefs: 004E0D3E
GETSELECTED, xrefs: 004E0C4E
GETTOTALCOUNT, xrefs: 004E09F2, 004E0A17
CHECK, xrefs: 004E0A85, 004E0AA0
GETITEMCOUNT, xrefs: 004E0C1E
SELECT, xrefs: 004E0D11
EXISTS, xrefs: 004E0B7C, 004E0B97
EXPAND, xrefs: 004E0BF8
ISCHECKED, xrefs: 004E0CE1
GETTEXT, xrefs: 004E0C97
COLLAPSE, xrefs: 004E0B01, 004E0B1C

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 87337f932baef59fe58216db3fe9cd7b126ddce1678c4231560576fa867639a2
Instruction ID: 60e79b737690c058669bf408fac3d4aa1d3f2553d416aea9cbf5c17bbf3af866
Opcode Fuzzy Hash: 87337f932baef59fe58216db3fe9cd7b126ddce1678c4231560576fa867639a2
Instruction Fuzzy Hash: F8E1D2312083419FC714DF26C45086AB7E1FF98309F14495EF8A55B362D778ED8ACB8A

Function 004DC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,004DB6AE,?,?), ref: 004DC9B5
_wcslen.LIBCMT ref: 004DC9F1
_wcslen.LIBCMT ref: 004DCA68
_wcslen.LIBCMT ref: 004DCA9E
_wcslen.LIBCMT ref: 004DCAF9
_wcslen.LIBCMT ref: 004DCB2F
_wcslen.LIBCMT ref: 004DCB7F

Strings

HKCC, xrefs: 004DCBAC
HKEY_LOCAL_MACHINE, xrefs: 004DCA62, 004DCA67
HKCU, xrefs: 004DCBCE
HKEY_CURRENT_CONFIG, xrefs: 004DCB79, 004DCB7E
HKU, xrefs: 004DCBF0
HKEY_CURRENT_USER, xrefs: 004DCBBD
HKLM, xrefs: 004DCA98, 004DCA9D
HKEY_CLASSES_ROOT, xrefs: 004DCAF3, 004DCAF8
HKCR, xrefs: 004DCB29, 004DCB2E
HKEY_USERS, xrefs: 004DCBDF

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 7d2083a642a3bbfb1515e7c1ad00e30d714ba10086c8ba671f160165887a1144
Instruction ID: bcbbe46d62b6105ab965a9600923c6899b0c98ea0adf23e39d666f7447be0641
Opcode Fuzzy Hash: 7d2083a642a3bbfb1515e7c1ad00e30d714ba10086c8ba671f160165887a1144
Instruction Fuzzy Hash: 4871147261012B8BCB20DE7CD9E16FB33A1ABA4754F10052BF8569B385E63CDD85C399

Function 004E833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004E835A
_wcslen.LIBCMT ref: 004E836E
_wcslen.LIBCMT ref: 004E8391
_wcslen.LIBCMT ref: 004E83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 004E83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,004E5BF2), ref: 004E844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 004E8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 004E84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 004E8501
FreeLibrary.KERNEL32(?), ref: 004E850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 004E851D
DestroyIcon.USER32(?,?,?,?,?,004E5BF2), ref: 004E852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 004E8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 004E8555

Strings

.dll, xrefs: 004E83AB
.icl, xrefs: 004E8368
.exe, xrefs: 004E8388

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 8a2f32308eba5e736ffd8a3ba658871f5925d23356e43205e04eeff1f40bd4e7
Instruction ID: f089b4b677da8af0987df43307fb2e78d9647dc1702cc81d80c32e61c44a1e84
Opcode Fuzzy Hash: 8a2f32308eba5e736ffd8a3ba658871f5925d23356e43205e04eeff1f40bd4e7
Instruction Fuzzy Hash: 1E61D071500255BAEF148F65CC81BFF77A8FB04712F10461AF819DA1D1EB789981C7A4

Function 00457778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

', xrefs: 00495169
#OnAutoItStartRegister, xrefs: 00457817
Bad directive syntax error, xrefs: 0049519A
#include-once, xrefs: 0045782F
#ce, xrefs: 004578ED
#pragma compile, xrefs: 004577D3
#cs, xrefs: 00457873, 004578C5
#include, xrefs: 00457847
#notrayicon, xrefs: 004577E7
", xrefs: 00495153
Cannot parse #include, xrefs: 00495279
Unterminated group of comments, xrefs: 0049528C
#comments-start, xrefs: 0045785F, 004578B1
#requireadmin, xrefs: 004577FF
#comments-end, xrefs: 004578D9

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: c8e73bdbaae73f01d0f9f752023ddb780e7186c4901ebd9e67083888b3633a54
Instruction ID: 26bf3c1b0321fd438d7ebdd578642650311ee6a17910a7b95413f2441685a51c
Opcode Fuzzy Hash: c8e73bdbaae73f01d0f9f752023ddb780e7186c4901ebd9e67083888b3633a54
Instruction Fuzzy Hash: 0881E971A40205ABDB11AF61EC42FAF3B64AF14305F14443BFD059A293EB7C9A05C79D

Function 004C3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 004C3EF8
_wcslen.LIBCMT ref: 004C3F03
_wcslen.LIBCMT ref: 004C3F5A
_wcslen.LIBCMT ref: 004C3F98
GetDriveTypeW.KERNEL32(?), ref: 004C3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004C401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004C4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004C4087

Strings

close cd wait, xrefs: 004C4072
set cd door , xrefs: 004C4028
close, xrefs: 004C3EFE, 004C3F18
open , xrefs: 004C3FE5
closed, xrefs: 004C3F08, 004C3F2D, 004C3F46, 004C3F7E, 004C3F97
open, xrefs: 004C3F54, 004C3F59
type cdaudio alias cd wait, xrefs: 004C4001
wait, xrefs: 004C4044

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: e6f98190f3b24e4d5301ff0e9bdde879b718a8b7bf76d5bc08e62a8588266576
Instruction ID: f387ba1110a8f82370870d28c21be989cff69648b98fedc535ad05a4c82def67
Opcode Fuzzy Hash: e6f98190f3b24e4d5301ff0e9bdde879b718a8b7bf76d5bc08e62a8588266576
Instruction Fuzzy Hash: A471F1766042019FC310EF25C8909ABB7F4FF94759F00892EF89597252EB38ED49CB85

Function 004B5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 004B5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 004B5A40
SetWindowTextW.USER32(?,?), ref: 004B5A57
GetDlgItem.USER32(?,000003EA), ref: 004B5A6C
SetWindowTextW.USER32(00000000,?), ref: 004B5A72
GetDlgItem.USER32(?,000003E9), ref: 004B5A82
SetWindowTextW.USER32(00000000,?), ref: 004B5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004B5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 004B5AC3
GetWindowRect.USER32(?,?), ref: 004B5ACC
_wcslen.LIBCMT ref: 004B5B33
SetWindowTextW.USER32(?,?), ref: 004B5B6F
GetDesktopWindow.USER32 ref: 004B5B75
GetWindowRect.USER32(00000000), ref: 004B5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 004B5BD3
GetClientRect.USER32(?,?), ref: 004B5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 004B5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 004B5C2F

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 1b59e837d7ba7bfb3f018ba706dff3f10323bf325301516c848e2c09374410f1
Instruction ID: 9873ec22693978a8a4f265311d0f385d8b286869a9d13e29d8a47cfb8cc9b8db
Opcode Fuzzy Hash: 1b59e837d7ba7bfb3f018ba706dff3f10323bf325301516c848e2c09374410f1
Instruction Fuzzy Hash: C2718F31900B05AFDB20DFA9CD85BAFBBF5FF48704F104529E542A66A0D778B941CB28

Function 004CFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 004CFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 004CFE32
LoadCursorW.USER32(00000000,00007F00), ref: 004CFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 004CFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 004CFE53
LoadCursorW.USER32(00000000,00007F01), ref: 004CFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 004CFE69
LoadCursorW.USER32(00000000,00007F88), ref: 004CFE74
LoadCursorW.USER32(00000000,00007F80), ref: 004CFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 004CFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 004CFE95
LoadCursorW.USER32(00000000,00007F85), ref: 004CFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 004CFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 004CFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 004CFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 004CFECC
GetCursorInfo.USER32(?), ref: 004CFEDC
GetLastError.KERNEL32 ref: 004CFF1E

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 690dfca9584108e8bf266ce14587e036c1d35c7713ab91c89ea12071b88c5525
Instruction ID: cb188f6d900a50e80276959f4e537e2cd3beeb7b220e74a67308109e2c01ae25
Opcode Fuzzy Hash: 690dfca9584108e8bf266ce14587e036c1d35c7713ab91c89ea12071b88c5525
Instruction Fuzzy Hash: CB4170B0D043196ADB109FBA8CC9D5EBFE9FF04314B50412BE118EB281DB78A805CE94

Function 004B30F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004B318D
_wcslen.LIBCMT ref: 004B31F8

Strings

REGEXPCLASS, xrefs: 004B3255, 004B3266
TEXT, xrefs: 004B347C
[Q, xrefs: 004B339A
CLASS, xrefs: 004B3188, 004B31A5
NAME, xrefs: 004B3335, 004B3346
CLASSNN, xrefs: 004B31F3, 004B3204
INSTANCE, xrefs: 004B3453

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[Q
API String ID: 176396367-4233246236
Opcode ID: 47c13942dc3a4437df0c0df1d4c96ff8e15833514a1c66c91ef883af7f71f9b2
Instruction ID: cd64951724aedd834e61dc733a8b9d837fe17a16ac1f1a0d6422c6ef76a28ef9
Opcode Fuzzy Hash: 47c13942dc3a4437df0c0df1d4c96ff8e15833514a1c66c91ef883af7f71f9b2
Instruction Fuzzy Hash: 39E12831A00516EBCB18DF7AC4416EFBBB0BF54715F54811BE856A7240EB38AE8987B4

Function 004700C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 004700C6

Part of subcall function 004700ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0052070C,00000FA0,B0A73192,?,?,?,?,004923B3,000000FF), ref: 0047011C
Part of subcall function 004700ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,004923B3,000000FF), ref: 00470127
Part of subcall function 004700ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,004923B3,000000FF), ref: 00470138
Part of subcall function 004700ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0047014E
Part of subcall function 004700ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0047015C
Part of subcall function 004700ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0047016A
Part of subcall function 004700ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00470195
Part of subcall function 004700ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004701A0

___scrt_fastfail.LIBCMT ref: 004700E7

Part of subcall function 004700A3: __onexit.LIBCMT ref: 004700A9

Strings

WakeAllConditionVariable, xrefs: 00470162
InitializeConditionVariable, xrefs: 00470148
kernel32.dll, xrefs: 00470133
SleepConditionVariableCS, xrefs: 00470154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00470122

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 9dd4cc5057c5f788cd0612e7f8bd32e31cd798d366accfa26e064837c4a889f2
Instruction ID: a8b1af58709a9faf20185ae29eb57b6a03c78b4776a01c5728eeb7b0c30e7c09
Opcode Fuzzy Hash: 9dd4cc5057c5f788cd0612e7f8bd32e31cd798d366accfa26e064837c4a889f2
Instruction Fuzzy Hash: 9E217C32642740EFD7206B75BC85FAA7B94EF05B61F14813BF805962D2DB6D98048A9C

Function 004C44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,004ECC08), ref: 004C4527
_wcslen.LIBCMT ref: 004C453B
_wcslen.LIBCMT ref: 004C4599
_wcslen.LIBCMT ref: 004C45F4
_wcslen.LIBCMT ref: 004C463F
_wcslen.LIBCMT ref: 004C46A7

Part of subcall function 0046F9F2: _wcslen.LIBCMT ref: 0046F9FD

GetDriveTypeW.KERNEL32(?,00516BF0,00000061), ref: 004C4743

Strings

all, xrefs: 004C4531, 004C4536
removable, xrefs: 004C45EA, 004C45EF
fixed, xrefs: 004C4635, 004C463A
network, xrefs: 004C469D, 004C46A2
ramdisk, xrefs: 004C46F1
cdrom, xrefs: 004C458F, 004C4594
unknown, xrefs: 004C4708

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: baad44252caa35779691ac0c887a9659b90c0b0338d96afca5acebe6c4af5e87
Instruction ID: 9c43a50ddb83566bd6a2cd24a8101f51520fe8267ae6d00a538073d20ac38177
Opcode Fuzzy Hash: baad44252caa35779691ac0c887a9659b90c0b0338d96afca5acebe6c4af5e87
Instruction Fuzzy Hash: 7CB122796083029FC350DF29C9A0E6BB7E0AFE5724F50491EF59683292D738D845CA6A

Function 004E911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00469BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00469BB2

DragQueryPoint.SHELL32(?,?), ref: 004E9147

Part of subcall function 004E7674: ClientToScreen.USER32(?,?), ref: 004E769A
Part of subcall function 004E7674: GetWindowRect.USER32(?,?), ref: 004E7710
Part of subcall function 004E7674: PtInRect.USER32(?,?,004E8B89), ref: 004E7720

SendMessageW.USER32(?,000000B0,?,?), ref: 004E91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 004E91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 004E91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 004E9225
SendMessageW.USER32(?,000000B0,?,?), ref: 004E923E
SendMessageW.USER32(?,000000B1,?,?), ref: 004E9255
SendMessageW.USER32(?,000000B1,?,?), ref: 004E9277
DragFinish.SHELL32(?), ref: 004E927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 004E9371

Strings

@GUI_DRAGID, xrefs: 004E92E9
@GUI_DROPID, xrefs: 004E929E
p#R, xrefs: 004E92BB
@GUI_DRAGFILE, xrefs: 004E9320

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#R
API String ID: 221274066-4113308805
Opcode ID: 262cbdb6a3a94dab646caf1fd2db5231403d4f89078d87fc8b364ac7f6b667a3
Instruction ID: d9d7a375c02579cbbd181caa31421b794e83d027bd28beda7f3b07b00b11c1ab
Opcode Fuzzy Hash: 262cbdb6a3a94dab646caf1fd2db5231403d4f89078d87fc8b364ac7f6b667a3
Instruction Fuzzy Hash: 06618A71108340AFC701DF65DC85DAFBBE8FF89754F00092EF991961A2DB349A4ACB5A

Function 0045326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00521990), ref: 00492F8D
GetMenuItemCount.USER32(00521990), ref: 0049303D
GetCursorPos.USER32(?), ref: 00493081
SetForegroundWindow.USER32(00000000), ref: 0049308A
TrackPopupMenuEx.USER32(00521990,00000000,?,00000000,00000000,00000000), ref: 0049309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004930A9

Strings

0, xrefs: 0045327D

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 99e140d3514d041325bc3f1e4441a4631fe8cc851f8af898f0ca61ee63e10949
Instruction ID: 8ae6b87dbab4c4fccdb9dd36487203092b9101799ed8fcf0459ed093c380032b
Opcode Fuzzy Hash: 99e140d3514d041325bc3f1e4441a4631fe8cc851f8af898f0ca61ee63e10949
Instruction Fuzzy Hash: D7712930640215BEEF218F25CD89FABBF64FF01365F20422BF9146A2D1C7B5A914D799

Function 004E6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 004E6DEB

Part of subcall function 00456B57: _wcslen.LIBCMT ref: 00456B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 004E6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 004E6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004E6E94
DestroyWindow.USER32(?), ref: 004E6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00450000,00000000), ref: 004E6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004E6EFD
GetDesktopWindow.USER32 ref: 004E6F16
GetWindowRect.USER32(00000000), ref: 004E6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 004E6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 004E6F4D

Part of subcall function 00469944: GetWindowLongW.USER32(?,000000EB), ref: 00469952

Strings

tooltips_class32, xrefs: 004E6E58, 004E6EDD
0, xrefs: 004E6D98

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: a72ddfe4334148df7b9b408d4be8afd1933461909705ccb4df1ede17c42fb293
Instruction ID: 9542bd6ff9434e3f0730eb58eecd5f597b5d554d2b02ebdbbab2f13b95953a97
Opcode Fuzzy Hash: a72ddfe4334148df7b9b408d4be8afd1933461909705ccb4df1ede17c42fb293
Instruction Fuzzy Hash: D4717C70504384AFDB21CF29D884B6BBBE9FBA9345F04041EF98987261C774AD4ADB19

Function 004CC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004CC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 004CC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 004CC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004CC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 004CC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 004CC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004CC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 004CC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 004CC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 004CC5F0
InternetCloseHandle.WININET(00000000), ref: 004CC5FB

Strings

, xrefs: 004CC575

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: b8e976e736932ad3d5b552c4e2d2659f5988e51346ebbe35378898d65c5d08fb
Instruction ID: b747721a038d738c8d52e4d607ed2aec7d4b9bab42b007af53246d613bf421ea
Opcode Fuzzy Hash: b8e976e736932ad3d5b552c4e2d2659f5988e51346ebbe35378898d65c5d08fb
Instruction Fuzzy Hash: D1518DB8500205BFDB618F61C9C8FAB7BBCFF08344F00842EF94996251DB38E9459B68

Function 004E856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 004E8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004E85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004E85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004E85BA
GlobalLock.KERNEL32(00000000), ref: 004E85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004E85D7
GlobalUnlock.KERNEL32(00000000), ref: 004E85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004E85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004E85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,004EFC38,?), ref: 004E8611
GlobalFree.KERNEL32(00000000), ref: 004E8621
GetObjectW.GDI32(?,00000018,?), ref: 004E8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 004E8671
DeleteObject.GDI32(?), ref: 004E8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004E86AF

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: a76d2a2d52f1c7b9a7eb7d5ba22a82c0175db1ed6d3134cc6840da788675c8b8
Instruction ID: 620a6ff6c0106cd539a7c751f9c0e5118a4304464e7710eabee683fd7ee1f039
Opcode Fuzzy Hash: a76d2a2d52f1c7b9a7eb7d5ba22a82c0175db1ed6d3134cc6840da788675c8b8
Instruction Fuzzy Hash: 9C412B75600248BFDB11DFA5CC88EAB7BB8FF89711F104069F919EB261DB349902CB24

Function 004C14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 004C1502
VariantCopy.OLEAUT32(?,?), ref: 004C150B
VariantClear.OLEAUT32(?), ref: 004C1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 004C15FB
VarR8FromDec.OLEAUT32(?,?), ref: 004C1657
VariantInit.OLEAUT32(?), ref: 004C1708
SysFreeString.OLEAUT32(?), ref: 004C178C
VariantClear.OLEAUT32(?), ref: 004C17D8
VariantClear.OLEAUT32(?), ref: 004C17E7
VariantInit.OLEAUT32(00000000), ref: 004C1823

Strings

Default, xrefs: 004C16AF
%4d%02d%02d%02d%02d%02d, xrefs: 004C1625

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 564fedc0768c730864f406990eeb22b5c4d799047a7e715b4a6439cae89b151c
Instruction ID: ff75408efad277d273aab2ddf09b0b0fb1caf01794854f792ffaf29bc0e05cb9
Opcode Fuzzy Hash: 564fedc0768c730864f406990eeb22b5c4d799047a7e715b4a6439cae89b151c
Instruction Fuzzy Hash: 8ED12475600110EBCB409F65D885F79B7B1BF46700F90805FF806AB2A2DB38EC46DB5A

Function 004DB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00459CB3: _wcslen.LIBCMT ref: 00459CBD

Part of subcall function 004DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004DB6AE,?,?), ref: 004DC9B5
Part of subcall function 004DC998: _wcslen.LIBCMT ref: 004DC9F1
Part of subcall function 004DC998: _wcslen.LIBCMT ref: 004DCA68
Part of subcall function 004DC998: _wcslen.LIBCMT ref: 004DCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004DB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004DB772
RegDeleteValueW.ADVAPI32(?,?), ref: 004DB80A
RegCloseKey.ADVAPI32(?), ref: 004DB87E
RegCloseKey.ADVAPI32(?), ref: 004DB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 004DB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 004DB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 004DB922
FreeLibrary.KERNEL32(00000000), ref: 004DB983
RegCloseKey.ADVAPI32(00000000), ref: 004DB994

Strings

RegDeleteKeyExW, xrefs: 004DB8FE
advapi32.dll, xrefs: 004DB8ED

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 18ff1f9cd202343d6426907941e076986433c716c22bf0960b43ee56688ddeac
Instruction ID: e1e3191414202a2475e080c6d73527ed6df1b542afcf31b6ecc65070481f51ab
Opcode Fuzzy Hash: 18ff1f9cd202343d6426907941e076986433c716c22bf0960b43ee56688ddeac
Instruction Fuzzy Hash: 9DC17B74204241EFD710DF15C4A4B2ABBE5EF84318F15859EF89A4B3A2CB39EC46CB95

Function 004D255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004D25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004D25E8
CreateCompatibleDC.GDI32(?), ref: 004D25F4
SelectObject.GDI32(00000000,?), ref: 004D2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 004D266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 004D26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 004D26D0
SelectObject.GDI32(?,?), ref: 004D26D8
DeleteObject.GDI32(?), ref: 004D26E1
DeleteDC.GDI32(?), ref: 004D26E8
ReleaseDC.USER32(00000000,?), ref: 004D26F3

Strings

(, xrefs: 004D268D

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 10ff704d22f3e7eac2c440b7b94a0a58de8b03ed5865e9cb09ead48c4ab0a705
Instruction ID: 95b1bfdaa0941f0468d7edc68daa9603f919164464a18dfcc25b5264e4bf3d22
Opcode Fuzzy Hash: 10ff704d22f3e7eac2c440b7b94a0a58de8b03ed5865e9cb09ead48c4ab0a705
Instruction Fuzzy Hash: 8B61F175D00219EFCF04CFA8D984AAEBBB5FF48310F20852AE955A7351D774A942CFA4

Function 0048DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0048DAA1

Part of subcall function 0048D63C: _free.LIBCMT ref: 0048D659
Part of subcall function 0048D63C: _free.LIBCMT ref: 0048D66B
Part of subcall function 0048D63C: _free.LIBCMT ref: 0048D67D
Part of subcall function 0048D63C: _free.LIBCMT ref: 0048D68F
Part of subcall function 0048D63C: _free.LIBCMT ref: 0048D6A1
Part of subcall function 0048D63C: _free.LIBCMT ref: 0048D6B3
Part of subcall function 0048D63C: _free.LIBCMT ref: 0048D6C5
Part of subcall function 0048D63C: _free.LIBCMT ref: 0048D6D7
Part of subcall function 0048D63C: _free.LIBCMT ref: 0048D6E9
Part of subcall function 0048D63C: _free.LIBCMT ref: 0048D6FB
Part of subcall function 0048D63C: _free.LIBCMT ref: 0048D70D
Part of subcall function 0048D63C: _free.LIBCMT ref: 0048D71F
Part of subcall function 0048D63C: _free.LIBCMT ref: 0048D731

_free.LIBCMT ref: 0048DA96

Part of subcall function 004829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0048D7D1,00000000,00000000,00000000,00000000,?,0048D7F8,00000000,00000007,00000000,?,0048DBF5,00000000), ref: 004829DE
Part of subcall function 004829C8: GetLastError.KERNEL32(00000000,?,0048D7D1,00000000,00000000,00000000,00000000,?,0048D7F8,00000000,00000007,00000000,?,0048DBF5,00000000,00000000), ref: 004829F0

_free.LIBCMT ref: 0048DAB8
_free.LIBCMT ref: 0048DACD
_free.LIBCMT ref: 0048DAD8
_free.LIBCMT ref: 0048DAFA
_free.LIBCMT ref: 0048DB0D
_free.LIBCMT ref: 0048DB1B
_free.LIBCMT ref: 0048DB26
_free.LIBCMT ref: 0048DB5E
_free.LIBCMT ref: 0048DB65
_free.LIBCMT ref: 0048DB82
_free.LIBCMT ref: 0048DB9A

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: cf489ac70dbe222929a01e916e986d0223aaf282a3da5b6b39ba732fdc59d866
Instruction ID: f7a547cc88f0484564f326d3785ad9d3cad5e6dfb8e3c464cf06534a17d884fd
Opcode Fuzzy Hash: cf489ac70dbe222929a01e916e986d0223aaf282a3da5b6b39ba732fdc59d866
Instruction Fuzzy Hash: 5B314CB1A452049FEB25BA3AE945B5F77E9FF00314F214C2BE449D7291DE7DAC808728

Function 004B365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 004B369C
_wcslen.LIBCMT ref: 004B36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 004B3797
GetClassNameW.USER32(?,?,00000400), ref: 004B380C
GetDlgCtrlID.USER32(?), ref: 004B385D
GetWindowRect.USER32(?,?), ref: 004B3882
GetParent.USER32(?), ref: 004B38A0
ScreenToClient.USER32(00000000), ref: 004B38A7
GetClassNameW.USER32(?,?,00000100), ref: 004B3921
GetWindowTextW.USER32(?,?,00000400), ref: 004B395D

Strings

%s%u, xrefs: 004B3734

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 8cf1ad6c6d5655805be56f652a29cfe1c8db0ef10570cedc58dab127f57b3a03
Instruction ID: a393ade4cd66d8a46d090f496edcd17c06b33806b2ff15418036dac41cf18256
Opcode Fuzzy Hash: 8cf1ad6c6d5655805be56f652a29cfe1c8db0ef10570cedc58dab127f57b3a03
Instruction Fuzzy Hash: DF91D471204606AFD714DF26C885BEBF7E8FF44305F00852AF999C6251DB38EA46CBA5

Function 004B4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 004B4994
GetWindowTextW.USER32(?,?,00000400), ref: 004B49DA
_wcslen.LIBCMT ref: 004B49EB
CharUpperBuffW.USER32(?,00000000), ref: 004B49F7
_wcsstr.LIBVCRUNTIME ref: 004B4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 004B4A64
GetWindowTextW.USER32(?,?,00000400), ref: 004B4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 004B4AE6
GetClassNameW.USER32(?,?,00000400), ref: 004B4B20
GetWindowRect.USER32(?,?), ref: 004B4B8B

Strings

ThumbnailClass, xrefs: 004B4A6F, 004B4AF1

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 0a88819e4095ec887ff0bc092aed0a996dcc3184f2ef4f66295a3db99f6563f1
Instruction ID: 0955c5679972037c7c5f13a03bf203261a001d6e5c3c661feb7cfd4a406a56a3
Opcode Fuzzy Hash: 0a88819e4095ec887ff0bc092aed0a996dcc3184f2ef4f66295a3db99f6563f1
Instruction Fuzzy Hash: B891AF710082059BDB04DF24C981BEB77A8FF84714F04846AFE859A297DB38ED45CBB9

Function 004E8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00469BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00469BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 004E8D5A
GetFocus.USER32 ref: 004E8D6A
GetDlgCtrlID.USER32(00000000), ref: 004E8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 004E8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 004E8ECF
GetMenuItemCount.USER32(?), ref: 004E8EEC
GetMenuItemID.USER32(?,00000000), ref: 004E8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 004E8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 004E8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 004E8FA1

Strings

0, xrefs: 004E8E9F

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 29a6ee46a0f3e1a137dc50de5c559c8d9a5ad57bf22eff1d09d9c954caf46d05
Instruction ID: d47b845bc858f4b6e5fe4ffeb1b24e07c5ef77a46f6dcc0938bed29ebef4e4e1
Opcode Fuzzy Hash: 29a6ee46a0f3e1a137dc50de5c559c8d9a5ad57bf22eff1d09d9c954caf46d05
Instruction Fuzzy Hash: 7381C371504391AFDB10CF26C884A6B7BE9FF88315F04091EF998D7291DB74D905CB6A

Function 004BDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 004BDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 004BDC46
_wcslen.LIBCMT ref: 004BDC50
_wcsstr.LIBVCRUNTIME ref: 004BDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 004BDCBC

Strings

04090000, xrefs: 004BDCF2
StringFileInfo\, xrefs: 004BDC8F
%u.%u.%u.%u, xrefs: 004BDD9A
DefaultLangCodepage, xrefs: 004BDD1F
\VarFileInfo\Translation, xrefs: 004BDCB4

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: b255246ba9d2d91ecfe495eaf95fdefebfe048ff03c0ada551c0b062a66f3380
Instruction ID: ce8289bfdd34b42b09094d7a5f8e101bdf918c0adcd8a7bebba32c125313221b
Opcode Fuzzy Hash: b255246ba9d2d91ecfe495eaf95fdefebfe048ff03c0ada551c0b062a66f3380
Instruction Fuzzy Hash: 8F41F3729402017AEB14A776DC47EFF3BACEF41714F1040AFF904A6182FB69990296BD

Function 004DCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 004DCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 004DCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 004DCD48

Part of subcall function 004DCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 004DCCAA
Part of subcall function 004DCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 004DCCBD
Part of subcall function 004DCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 004DCCCF
Part of subcall function 004DCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 004DCD05
Part of subcall function 004DCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 004DCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 004DCCF3

Strings

RegDeleteKeyExW, xrefs: 004DCCC9
advapi32.dll, xrefs: 004DCCB8

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 3ab3de651b65f1ce43db859dbeee3e4f1dceb9b15b94f1af9d0b365021d0a277
Instruction ID: 5911557346863289353d260b326ffea947af867351d033d76cdd6d523c12048a
Opcode Fuzzy Hash: 3ab3de651b65f1ce43db859dbeee3e4f1dceb9b15b94f1af9d0b365021d0a277
Instruction Fuzzy Hash: D4316071901129BBDB208B95DCD8EFFBB7CEF45750F000166F905E6341D7389A46DAA8

Function 004C3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 004C3D40
_wcslen.LIBCMT ref: 004C3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 004C3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 004C3DBE
RemoveDirectoryW.KERNEL32(?), ref: 004C3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 004C3E55
CloseHandle.KERNEL32(00000000), ref: 004C3E60
CloseHandle.KERNEL32(00000000), ref: 004C3E6B

Strings

:, xrefs: 004C3D82
\??\%s, xrefs: 004C3D5B
\, xrefs: 004C3D77

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: beb62308ad411936fef4abc7facd76bb5c99033cb7a76853dc3acb9224591075
Instruction ID: a626f1d4fc0c0b44e371c6a151c3c36971a1c1aea97669405042193d9e4daef3
Opcode Fuzzy Hash: beb62308ad411936fef4abc7facd76bb5c99033cb7a76853dc3acb9224591075
Instruction Fuzzy Hash: FC31A575900249ABDB209FA0DC89FEF37BCEF88705F1081BAFA09D6151E77497458B28

Function 004BE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 004BE6B4

Part of subcall function 0046E551: timeGetTime.WINMM(?,?,004BE6D4), ref: 0046E555

Sleep.KERNEL32(0000000A), ref: 004BE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 004BE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 004BE727
SetActiveWindow.USER32 ref: 004BE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 004BE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 004BE773
Sleep.KERNEL32(000000FA), ref: 004BE77E
IsWindow.USER32 ref: 004BE78A
EndDialog.USER32(00000000), ref: 004BE79B

Strings

BUTTON, xrefs: 004BE719

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 2a74badd62ed862b2ad3b447c28fc5c9fa6845ff38bb877c869efb2024246e58
Instruction ID: 0bdade5f1689e200ac7f30e84b63da13c8c5a43c1d2a949e926edb403f6f9fd2
Opcode Fuzzy Hash: 2a74badd62ed862b2ad3b447c28fc5c9fa6845ff38bb877c869efb2024246e58
Instruction Fuzzy Hash: 0B219575200244BFEB105F23ECC9AA63B69FFA6349F101436F401952A2DF75AC06AB3C

Function 004BE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00459CB3: _wcslen.LIBCMT ref: 00459CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 004BEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 004BEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004BEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 004BEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 004BEAA7

Strings

play PlayMe wait, xrefs: 004BEA91
open , xrefs: 004BEA0C
status PlayMe mode, xrefs: 004BEA58
alias PlayMe, xrefs: 004BEA36
play PlayMe, xrefs: 004BEAA2
close PlayMe, xrefs: 004BEA6E, 004BEA9B

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 16203ef8d1e2b6c51dbd4f11f8023214c846cdfcaa3921e0b8ad403aa70533c5
Instruction ID: 655f4853511b7ea3d2aef8e1c99e9f2001c5d3251f958a37160d03255063d374
Opcode Fuzzy Hash: 16203ef8d1e2b6c51dbd4f11f8023214c846cdfcaa3921e0b8ad403aa70533c5
Instruction Fuzzy Hash: 88117331A502597AE720A7A2DC4ADFF6E7CFFD5F44F40042A7811A20D2EE741D89C5B4

Function 004B5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 004B5CE2
GetWindowRect.USER32(00000000,?), ref: 004B5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 004B5D59
GetDlgItem.USER32(?,00000002), ref: 004B5D69
GetWindowRect.USER32(00000000,?), ref: 004B5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 004B5DCF
GetDlgItem.USER32(?,000003E9), ref: 004B5DDD
GetWindowRect.USER32(00000000,?), ref: 004B5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 004B5E31
GetDlgItem.USER32(?,000003EA), ref: 004B5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 004B5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 004B5E67

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: c6ec31e7a977eb2a2b186a1e4f5bd95579c016afd36e93ab3a6e58c5d74c8c78
Instruction ID: 61654633bf244b1e9a211e51cdb9889ae8281c41da680bf654d2d805333e13b9
Opcode Fuzzy Hash: c6ec31e7a977eb2a2b186a1e4f5bd95579c016afd36e93ab3a6e58c5d74c8c78
Instruction Fuzzy Hash: D6512F70A00605AFDF18CF68DD89AAEBBB9FB48300F148229F915E6291D7749E01CB64

Function 00468BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00468F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00468BE8,?,00000000,?,?,?,?,00468BBA,00000000,?), ref: 00468FC5

DestroyWindow.USER32(?), ref: 00468C81
KillTimer.USER32(00000000,?,?,?,?,00468BBA,00000000,?), ref: 00468D1B
DestroyAcceleratorTable.USER32(00000000), ref: 004A6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00468BBA,00000000,?), ref: 004A69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00468BBA,00000000,?), ref: 004A69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00468BBA,00000000), ref: 004A69D4
DeleteObject.GDI32(00000000), ref: 004A69E6

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 1427c3b43a06f2604a47bc181ea033f60c3a07b09e517d2b40d320d2b0f07356
Instruction ID: 1a428714a1cf1f9a524ab91057f893bc559fb8fd44414da1bd82f983600f731a
Opcode Fuzzy Hash: 1427c3b43a06f2604a47bc181ea033f60c3a07b09e517d2b40d320d2b0f07356
Instruction Fuzzy Hash: 6361AB31102B00DFCB358F24C998B2777B1FF66316F14462EE0429A660DB39AC96DB5E

Function 00469838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00469944: GetWindowLongW.USER32(?,000000EB), ref: 00469952

GetSysColor.USER32(0000000F), ref: 00469862

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 40260bc49e56243dacb807797a48338825d6ae85cef3b0e812913c6f680f8fa7
Instruction ID: 313677bbc841f0846f841b112ebdb92e6869dbf3f5c9741a322ced2206e03447
Opcode Fuzzy Hash: 40260bc49e56243dacb807797a48338825d6ae85cef3b0e812913c6f680f8fa7
Instruction Fuzzy Hash: AA41C471100650EFDB205F389CC4BBA3769AB56330F14461AF9A28B2E2E7749C42DB1A

Function 00488D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.G, xrefs: 0048903A, 00488FD0, 00488FF2

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID:
String ID: .G
API String ID: 0-1092520701
Opcode ID: 6a22b7bfbf4cc79b70bb4210672092283457056b4e50c0197f527cb5de30894a
Instruction ID: 8761550963e533d3406f1c6a49f29f601b035731e0f5deb2447cda53788a9e9a
Opcode Fuzzy Hash: 6a22b7bfbf4cc79b70bb4210672092283457056b4e50c0197f527cb5de30894a
Instruction Fuzzy Hash: 3CC1F874904249AFCB11FFA9C841BBE7BB0AF0A314F18449EE514A7393C7399D46CB69

Function 004B96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0049F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 004B9717
LoadStringW.USER32(00000000,?,0049F7F8,00000001), ref: 004B9720

Part of subcall function 00459CB3: _wcslen.LIBCMT ref: 00459CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0049F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 004B9742
LoadStringW.USER32(00000000,?,0049F7F8,00000001), ref: 004B9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 004B9866

Strings

Error: , xrefs: 004B981D
Line %d (File "%s"):, xrefs: 004B978F
%s (%d) : ==> %s: %s %s, xrefs: 004B984A
^ ERROR, xrefs: 004B97FB
Line %d:, xrefs: 004B97A0

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 8537fd8a1c7136c7cc49f1dcfe9d97ea0cf0b58b83d508ff289f38b688ffe6bb
Instruction ID: 55f8786621cc57e306468d5a29a48b4544a96885af65105a486904027fa37e11
Opcode Fuzzy Hash: 8537fd8a1c7136c7cc49f1dcfe9d97ea0cf0b58b83d508ff289f38b688ffe6bb
Instruction Fuzzy Hash: EF416D72800219AACF04FBE1CD82DEE7779AF14745F50042AFA0172093EB396F49CB69

Function 004B06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00456B57: _wcslen.LIBCMT ref: 00456B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004B07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 004B07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 004B07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 004B0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 004B082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 004B0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 004B083C

Strings

SOFTWARE\Classes\, xrefs: 004B070E
\IPC$, xrefs: 004B0784
\CLSID, xrefs: 004B0724

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: e417d23966b04780f906bdc60340b58890c9feb36cd3328e95667181f886c13f
Instruction ID: a8fdd161058cac388a9711e60e6392d3f2e99b9359cff6e295eadbc8a72d7e13
Opcode Fuzzy Hash: e417d23966b04780f906bdc60340b58890c9feb36cd3328e95667181f886c13f
Instruction Fuzzy Hash: CA412672C1022CEBDF11EFA4DC958EEB778FF04355B04412AE801A7162EB349E08CBA4

Function 004D3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004D3C5C
CoInitialize.OLE32(00000000), ref: 004D3C8A
CoUninitialize.OLE32 ref: 004D3C94
_wcslen.LIBCMT ref: 004D3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 004D3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 004D3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 004D3F0E
CoGetObject.OLE32(?,00000000,004EFB98,?), ref: 004D3F2D
SetErrorMode.KERNEL32(00000000), ref: 004D3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 004D3FC4
VariantClear.OLEAUT32(?), ref: 004D3FD8

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 39c795d25db9862a9efc9449309967d9d2eab13fa72f481e1f20342a3918424d
Instruction ID: bd07497fdada4534849287ae670bc6475fd7d47c0ae97ea5b714053e6819b804
Opcode Fuzzy Hash: 39c795d25db9862a9efc9449309967d9d2eab13fa72f481e1f20342a3918424d
Instruction Fuzzy Hash: 1AC14371608205AFC700DF69C89492BB7E9FF89749F00492EF98A9B351D734EE06CB56

Function 004C7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 004C7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 004C7B8F
SHGetDesktopFolder.SHELL32(?), ref: 004C7BA3
CoCreateInstance.OLE32(004EFD08,00000000,00000001,00516E6C,?), ref: 004C7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 004C7C74
CoTaskMemFree.OLE32(?,?), ref: 004C7CCC
SHBrowseForFolderW.SHELL32(?), ref: 004C7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 004C7D7A
CoTaskMemFree.OLE32(00000000), ref: 004C7D81
CoTaskMemFree.OLE32(00000000), ref: 004C7DD6
CoUninitialize.OLE32 ref: 004C7DDC

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 9937439bf7a77615a7d32277b0e678278fc09540f0f1588646897972e3479332
Instruction ID: eaeec8bde94d3a0caa09499ba946236f22efeb77b36af6b5144bf9494c1b1b79
Opcode Fuzzy Hash: 9937439bf7a77615a7d32277b0e678278fc09540f0f1588646897972e3479332
Instruction Fuzzy Hash: A9C12C75A04109AFCB14DFA4C884DAEBBF9FF48309B1484A9E8169B362D734ED45CF94

Function 004E541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 004E5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004E5515
CharNextW.USER32(00000158), ref: 004E5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 004E5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 004E559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004E55AC

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 9cda25f5faab7815978d343e2b1e29b92fd1d7ecc7f1d038dc7acb6bcb0d4bb0
Instruction ID: eedb62afef531e1b55957ee59cab66b275ffcfb1beb2d92bc5cc77608397932d
Opcode Fuzzy Hash: 9cda25f5faab7815978d343e2b1e29b92fd1d7ecc7f1d038dc7acb6bcb0d4bb0
Instruction Fuzzy Hash: 1D61D170900689ABDF10DF62CC84AFF3B79EF0532AF104156F915AA291C7388A81DB69

Function 004AFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 004AFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 004AFB08
VariantInit.OLEAUT32(?), ref: 004AFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 004AFB3A
VariantCopy.OLEAUT32(?,?), ref: 004AFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 004AFBA1
VariantClear.OLEAUT32(?), ref: 004AFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 004AFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 004AFBCC
VariantClear.OLEAUT32(?), ref: 004AFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 004AFBE9

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: a2a3bfcfb6611f3492075089f19e22f1e34598a70d341ad7c3cac9a3205f6c5e
Instruction ID: a35bde9d339b83017a7c0ee667023fa489de400bc23eff38dcfc9e7ab889c911
Opcode Fuzzy Hash: a2a3bfcfb6611f3492075089f19e22f1e34598a70d341ad7c3cac9a3205f6c5e
Instruction Fuzzy Hash: 8F4154359002199FCB00DFA5C894DAEBBB9FF59344F00807AF915AB262D734A946CFA4

Function 004B9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 004B9CA1
GetAsyncKeyState.USER32(000000A0), ref: 004B9D22
GetKeyState.USER32(000000A0), ref: 004B9D3D
GetAsyncKeyState.USER32(000000A1), ref: 004B9D57
GetKeyState.USER32(000000A1), ref: 004B9D6C
GetAsyncKeyState.USER32(00000011), ref: 004B9D84
GetKeyState.USER32(00000011), ref: 004B9D96
GetAsyncKeyState.USER32(00000012), ref: 004B9DAE
GetKeyState.USER32(00000012), ref: 004B9DC0
GetAsyncKeyState.USER32(0000005B), ref: 004B9DD8
GetKeyState.USER32(0000005B), ref: 004B9DEA

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 308fcb22efd9b703ef441386af101f17c80846def5003a8581d0fd3b50219714
Instruction ID: 19bf33a1b318be4de706d4030e505c854cb057c9707c9f55acd857e3c5b548fb
Opcode Fuzzy Hash: 308fcb22efd9b703ef441386af101f17c80846def5003a8581d0fd3b50219714
Instruction Fuzzy Hash: A841B5345047C969FF31867184443E7BEB46F11344F48805BDBC65A7C2D7A8ADC88BBA

Function 004D055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 004D05BC
inet_addr.WSOCK32(?), ref: 004D061C
gethostbyname.WSOCK32(?), ref: 004D0628
IcmpCreateFile.IPHLPAPI ref: 004D0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 004D06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 004D06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 004D07B9
WSACleanup.WSOCK32 ref: 004D07BF

Strings

Ping, xrefs: 004D0676

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 29e3fe0ada173e55f42400bd8cb3cd9d6fadada54e8912a6fc611519ebd97cd7
Instruction ID: 817659d399ec20b3d3954ca22a5a7a45a4690ae5a26192372278af9a875d7583
Opcode Fuzzy Hash: 29e3fe0ada173e55f42400bd8cb3cd9d6fadada54e8912a6fc611519ebd97cd7
Instruction Fuzzy Hash: 18918E35604241AFD320DF15D498F1ABBE0AF44318F1485ABE8698F7A2D738ED46CF96

Function 004D8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 004D8CF3

Part of subcall function 004B8E54: _wcslen.LIBCMT ref: 004B8E77

_wcslen.LIBCMT ref: 004D8D4E
_wcslen.LIBCMT ref: 004D8D9C
_wcslen.LIBCMT ref: 004D8DDC
_wcslen.LIBCMT ref: 004D8E6E

Strings

cdecl, xrefs: 004D8D48, 004D8D4D
winapi, xrefs: 004D8D96, 004D8D9B
none, xrefs: 004D8E65, 004D8E6A
stdcall, xrefs: 004D8DD6, 004D8DDB

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 7d8f4c91d0ca9f7f219186ba2c4430e8942dae3fa5fd50824d83a258e0f41c1a
Instruction ID: f6f79b1b4e9c41acc041ba5b650dd935fa9fcf4cbc6edd67d54037eb4b889b07
Opcode Fuzzy Hash: 7d8f4c91d0ca9f7f219186ba2c4430e8942dae3fa5fd50824d83a258e0f41c1a
Instruction Fuzzy Hash: 9251A171A001169BCB14DF6CC9609BEB7A6BF65724B20422FE826E73C5DB38DD41CB94

Function 004D372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 004D3774
CoUninitialize.OLE32 ref: 004D377F
CoCreateInstance.OLE32(?,00000000,00000017,004EFB78,?), ref: 004D37D9
IIDFromString.OLE32(?,?), ref: 004D384C
VariantInit.OLEAUT32(?), ref: 004D38E4
VariantClear.OLEAUT32(?), ref: 004D3936

Strings

NULL Pointer assignment, xrefs: 004D381E
Invalid parameter, xrefs: 004D3865
Failed to create object, xrefs: 004D37E4, 004D389A

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 330e13802d402f622de372f4a5744c37990689cfc02f89eed405a87d49ec3685
Instruction ID: 78a0f26b65dc052c867300673cfce3a26d24613021de7af13f9eef2674901e4f
Opcode Fuzzy Hash: 330e13802d402f622de372f4a5744c37990689cfc02f89eed405a87d49ec3685
Instruction Fuzzy Hash: B5618970608701AFD310EF55C898B5ABBE4AF48716F00481FF9859B391D778EA49CB9B

Function 004E8B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00469BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00469BB2

Part of subcall function 0046912D: GetCursorPos.USER32(?), ref: 00469141
Part of subcall function 0046912D: ScreenToClient.USER32(00000000,?), ref: 0046915E
Part of subcall function 0046912D: GetAsyncKeyState.USER32(00000001), ref: 00469183
Part of subcall function 0046912D: GetAsyncKeyState.USER32(00000002), ref: 0046919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 004E8B6B
ImageList_EndDrag.COMCTL32 ref: 004E8B71
ReleaseCapture.USER32 ref: 004E8B77
SetWindowTextW.USER32(?,00000000), ref: 004E8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 004E8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 004E8CFF

Strings

@GUI_DROPID, xrefs: 004E8C51
p#R, xrefs: 004E8C71
@GUI_DRAGFILE, xrefs: 004E8C9A

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#R
API String ID: 1924731296-4192345333
Opcode ID: 3e7887a7fb4dab4ecb6b0c70e5db75546c9cc2828272dfb1f19d364929c67aeb
Instruction ID: 905e53bee8bc130ed2bb76476ec5ae141026f16192e15759a4a9444bf3ba61ed
Opcode Fuzzy Hash: 3e7887a7fb4dab4ecb6b0c70e5db75546c9cc2828272dfb1f19d364929c67aeb
Instruction Fuzzy Hash: B151BB70104340AFD700DF25C895BAB77E4FF89715F000A2EF956972E2CB749949CB6A

Function 004C3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 004C33CF

Part of subcall function 00459CB3: _wcslen.LIBCMT ref: 00459CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 004C33F0

Strings

Error: , xrefs: 004C34D1
Incorrect parameters to object property !, xrefs: 004C34AB
^ ERROR , xrefs: 004C349E
Line %d (File "%s"):, xrefs: 004C3443, 004C345C
"%s" (%d) : ==> %s:, xrefs: 004C3522
"%s" (%d) : ==> %s:%s%s, xrefs: 004C3504

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 6896e208b294d5bdeb7ce1c44242e10d2a4e1d182e87c6cafe9d333d1b0930de
Instruction ID: da5dd52861bebc9033552998af3c753e14a21bc9e5c27d442b8f76249ac9b616
Opcode Fuzzy Hash: 6896e208b294d5bdeb7ce1c44242e10d2a4e1d182e87c6cafe9d333d1b0930de
Instruction Fuzzy Hash: EA51D372800209BADF14EBE1CD42EEEB779AF14346F10446AF90572052EB392F5DDB68

Function 004BB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004BB5FC
_wcslen.LIBCMT ref: 004BB608
_wcslen.LIBCMT ref: 004BB64D
_wcslen.LIBCMT ref: 004BB68C
_wcslen.LIBCMT ref: 004BB6C7

Strings

REMOVE, xrefs: 004BB602, 004BB607
APPEND, xrefs: 004BB6C1, 004BB6C6
EXISTS, xrefs: 004BB686, 004BB68B
KEYS, xrefs: 004BB647, 004BB64C

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 8533c14669e16cdb476b10779a0f6845e06e7ef57138892006e7ccccf4316b78
Instruction ID: 5eed5fbd3715cc51d3c5537d5ddb9e520512a7c44ae2875e6b1b0d2383ddd00c
Opcode Fuzzy Hash: 8533c14669e16cdb476b10779a0f6845e06e7ef57138892006e7ccccf4316b78
Instruction Fuzzy Hash: 8741D432A001269BCB206F7D88905FF77A5EBA0758B24412BE465DB384E779CD82C7E5

Function 004C5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004C53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 004C5416
GetLastError.KERNEL32 ref: 004C5420
SetErrorMode.KERNEL32(00000000,READY), ref: 004C54A7

Strings

READY, xrefs: 004C5460, 004C5468
INVALID, xrefs: 004C5459
READONLY, xrefs: 004C5452
NOTREADY, xrefs: 004C544B
UNKNOWN, xrefs: 004C5444

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: ec5aacf21a0f6074baddf930c5e1b58134d4d45143cfe13ee8edcc18a0b39552
Instruction ID: d3313de4d882794a934676aff02a704e5b68cddba1cb66e462acca064cdfb9b0
Opcode Fuzzy Hash: ec5aacf21a0f6074baddf930c5e1b58134d4d45143cfe13ee8edcc18a0b39552
Instruction Fuzzy Hash: 90318039A005049FD754DF68D884FAE7BA4EB45309F14806AE805CB352DB38EDC6CB99

Function 004E3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 004E3C79
SetMenu.USER32(?,00000000), ref: 004E3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004E3D10
IsMenu.USER32(?), ref: 004E3D24
CreatePopupMenu.USER32 ref: 004E3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004E3D5B
DrawMenuBar.USER32 ref: 004E3D63

Strings

F, xrefs: 004E3D4E
0, xrefs: 004E3C54

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: ecd71fb760f4a10c5b86fec1030933cdebee2a534fbd8536302ec6025468258b
Instruction ID: 20aee4a145cbf209e24ae901734a79bdc4355f6d2e690ff5ca769fc9602f9cb4
Opcode Fuzzy Hash: ecd71fb760f4a10c5b86fec1030933cdebee2a534fbd8536302ec6025468258b
Instruction Fuzzy Hash: 6741AD75A01249EFDB10CF61D888EAA77B5FF49342F140029F9069B360D734AA11CF98

Function 004B1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00459CB3: _wcslen.LIBCMT ref: 00459CBD

Part of subcall function 004B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004B3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 004B1F64
GetDlgCtrlID.USER32 ref: 004B1F6F
GetParent.USER32 ref: 004B1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 004B1F8E
GetDlgCtrlID.USER32(?), ref: 004B1F97
GetParent.USER32(?), ref: 004B1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 004B1FAE

Strings

ComboBox, xrefs: 004B1EEC
ListBox, xrefs: 004B1F21

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 33016d5a0b69142aad337173991b727ae821aa32242eb4de2e537f0b974f6130
Instruction ID: 58decd13a477cc14478d6d0fefb764aac025fbf4bcb4a4087a496dea13fb1733
Opcode Fuzzy Hash: 33016d5a0b69142aad337173991b727ae821aa32242eb4de2e537f0b974f6130
Instruction Fuzzy Hash: 6D21DE75900214BBCF00AFA1CC95DFFBBB8EF09340B50011AB961A72A2DB385909CB78

Function 004E3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004E3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004E3AA0
GetWindowLongW.USER32(?,000000F0), ref: 004E3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004E3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 004E3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 004E3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004E3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 004E3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 004E3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 004E3C13

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: c8f0240a3fed95b6214013b01bf928c0d33df1569287d60023ac1a8a74f904fa
Instruction ID: 11d65f599f0070db43d8a36c9bc8ac48f773c896673879c5d9af80157bf81a20
Opcode Fuzzy Hash: c8f0240a3fed95b6214013b01bf928c0d33df1569287d60023ac1a8a74f904fa
Instruction Fuzzy Hash: 0B618D71900248AFDB11DF68CC85EEE77B8EF09305F10019AFA05AB392C774AE46DB54

Function 004BB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004BB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,004BA1E1,?,00000001), ref: 004BB165
GetWindowThreadProcessId.USER32(00000000), ref: 004BB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,004BA1E1,?,00000001), ref: 004BB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 004BB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,004BA1E1,?,00000001), ref: 004BB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,004BA1E1,?,00000001), ref: 004BB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,004BA1E1,?,00000001), ref: 004BB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,004BA1E1,?,00000001), ref: 004BB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,004BA1E1,?,00000001), ref: 004BB21D

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: d770ed7df9c1265267c2ae7428cd225712bded05ab04afa40386d071c3750b3e
Instruction ID: d5505259c8310b6d95bc044be0f55c77be62519a011758c993679cd61fd77091
Opcode Fuzzy Hash: d770ed7df9c1265267c2ae7428cd225712bded05ab04afa40386d071c3750b3e
Instruction Fuzzy Hash: BB31A071640204AFDB249F64DC8CFAE7BA9FF61351F104056F910DA290E7B89D068FB8

Function 00482C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00482C94

Part of subcall function 004829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0048D7D1,00000000,00000000,00000000,00000000,?,0048D7F8,00000000,00000007,00000000,?,0048DBF5,00000000), ref: 004829DE
Part of subcall function 004829C8: GetLastError.KERNEL32(00000000,?,0048D7D1,00000000,00000000,00000000,00000000,?,0048D7F8,00000000,00000007,00000000,?,0048DBF5,00000000,00000000), ref: 004829F0

_free.LIBCMT ref: 00482CA0
_free.LIBCMT ref: 00482CAB
_free.LIBCMT ref: 00482CB6
_free.LIBCMT ref: 00482CC1
_free.LIBCMT ref: 00482CCC
_free.LIBCMT ref: 00482CD7
_free.LIBCMT ref: 00482CE2
_free.LIBCMT ref: 00482CED
_free.LIBCMT ref: 00482CFB

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 66ce8ad1b57d23071cbdecb7d9476694c392d66be57e0b05894dbb46a276f898
Instruction ID: c1d5600d044cb9b7954ab3af04c9fe372c264ba17defc1d1302a5a5c4556f512
Opcode Fuzzy Hash: 66ce8ad1b57d23071cbdecb7d9476694c392d66be57e0b05894dbb46a276f898
Instruction Fuzzy Hash: 5011AAB5200108AFCB02FF55DA42CDD3BA5FF05354F42489AFA485F222D679EE509B54

Function 004C7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 004C7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 004C7FC1
GetFileAttributesW.KERNEL32(?), ref: 004C7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 004C8005
SetCurrentDirectoryW.KERNEL32(?), ref: 004C8017
SetCurrentDirectoryW.KERNEL32(?), ref: 004C8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 004C80B0

Strings

*.*, xrefs: 004C8066

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 0464184e2f4a2f0cf24f60ac08806689859f85a3115685d3a7478400063266d8
Instruction ID: 5d91a8f699c51492f2f0e1c93701aeeba79cdb4ca3ab48b5ec91e77f336298ff
Opcode Fuzzy Hash: 0464184e2f4a2f0cf24f60ac08806689859f85a3115685d3a7478400063266d8
Instruction Fuzzy Hash: 6281AE7A5082419BCB60EF15C884EABB3E8BB85354F14486FF885C7251EB38DD498B5A

Function 00455BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00455C7A

Part of subcall function 00455D0A: GetClientRect.USER32(?,?), ref: 00455D30
Part of subcall function 00455D0A: GetWindowRect.USER32(?,?), ref: 00455D71
Part of subcall function 00455D0A: ScreenToClient.USER32(?,?), ref: 00455D99

GetDC.USER32 ref: 004946F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00494708
SelectObject.GDI32(00000000,00000000), ref: 00494716
SelectObject.GDI32(00000000,00000000), ref: 0049472B
ReleaseDC.USER32(?,00000000), ref: 00494733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 004947C4

Strings

U, xrefs: 00494693

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 0aa7f80635d4093b1b1c428a48e9b9f94f17530474aca510d48541d2644755c4
Instruction ID: 1e794fbb8258a040b6357992d0defe41e783853b266b349037305896a80c771c
Opcode Fuzzy Hash: 0aa7f80635d4093b1b1c428a48e9b9f94f17530474aca510d48541d2644755c4
Instruction Fuzzy Hash: 9671CD35400209DFCF218FA4C984EBA7FB1EF86325F1442BAED515A266C3389846DF69

Function 004C359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004C35E4

Part of subcall function 00459CB3: _wcslen.LIBCMT ref: 00459CBD

LoadStringW.USER32(00522390,?,00000FFF,?), ref: 004C360A

Strings

Error: , xrefs: 004C36EF
Line %d (File "%s"):, xrefs: 004C366B
"%s" (%d) : ==> %s:, xrefs: 004C3742
^ ERROR, xrefs: 004C36C9
"%s" (%d) : ==> %s:%s%s, xrefs: 004C3724

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 5f0de225ca0cc713c8348d792f83af5fcd42f1c64bc6574d6da6cd07fd04c1f2
Instruction ID: da4a5f22eb4e3a0c1198177e92ccce7a80d329000e20de390072fe740a93b301
Opcode Fuzzy Hash: 5f0de225ca0cc713c8348d792f83af5fcd42f1c64bc6574d6da6cd07fd04c1f2
Instruction Fuzzy Hash: 29519471800109FADF15EFA1CC42EEEBB75EF14346F14412AF90572162DB381A99DF69

Function 004CC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 004CC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004CC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 004CC2CA
GetLastError.KERNEL32 ref: 004CC322
SetEvent.KERNEL32(?), ref: 004CC336
InternetCloseHandle.WININET(00000000), ref: 004CC341

Strings

, xrefs: 004CC2BB

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 9fa272b984dad4c06fa10be388767f518c54506754da0e1aaaf8dd2db075795b
Instruction ID: 2bc55de7eb4834af09a330c46f6f78a7b827f63d2ac9fc4e5b93df95f7022c7a
Opcode Fuzzy Hash: 9fa272b984dad4c06fa10be388767f518c54506754da0e1aaaf8dd2db075795b
Instruction Fuzzy Hash: 3531D179900244AFD7619F659CC8FAB7BFCEB49344B04842FF84A96211DB38DC068B69

Function 004B989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00493AAF,?,?,Bad directive syntax error,004ECC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 004B98BC
LoadStringW.USER32(00000000,?,00493AAF,?), ref: 004B98C3

Part of subcall function 00459CB3: _wcslen.LIBCMT ref: 00459CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 004B9987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 004B98F1
Line %d (File "%s"):, xrefs: 004B992D
Error: , xrefs: 004B9955
., xrefs: 004B996D
Line %d:, xrefs: 004B9912

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: a404ed75cb8918a70da54ada69b2f892ee30c8df2416b3ff5334c034e25531d2
Instruction ID: a66f8732232eeb1971fb712541c4f7185209048a76a824c4b60964d351a2c388
Opcode Fuzzy Hash: a404ed75cb8918a70da54ada69b2f892ee30c8df2416b3ff5334c034e25531d2
Instruction Fuzzy Hash: AC21B43180021EEBDF11AF90CC46EEE7735FF14705F04442BF915660A2EB79AA58CB25

Function 004B209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 004B20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 004B20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 004B214D

Strings

smallicons, xrefs: 004B2115
list, xrefs: 004B212F
SHELLDLL_DefView, xrefs: 004B20CC
largeicons, xrefs: 004B20E1
details, xrefs: 004B20FB

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: d2436a4f1bc6152d58c561dc4f73382bb580071009f443edf3ef42700b09c796
Instruction ID: 1a6aee7f4a1ecf2fdce8a6a3de93b11b8c0d329bed3b9cbcf56d3183cd3502d1
Opcode Fuzzy Hash: d2436a4f1bc6152d58c561dc4f73382bb580071009f443edf3ef42700b09c796
Instruction Fuzzy Hash: 4211E776688707B9F6012629DD06DE7379CDB44324B20402BFB05A51D2FAAD58425A2D

Function 0048CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0048CEB7
_free.LIBCMT ref: 0048CF22
_free.LIBCMT ref: 0048CF48
_free.LIBCMT ref: 0048CF71
_free.LIBCMT ref: 0048CFA9
_free.LIBCMT ref: 0048CFDA
_free.LIBCMT ref: 0048D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0048D09C
_free.LIBCMT ref: 0048D0B5

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 2e2bed37e9d76e86ce0eb7196b3f6142c6ca0344fff2dfa72a8659fc8ee350f6
Instruction ID: b7a7be284203b891d92803ac352ea1cc42c9c039abf1726c59be48645d59ccc9
Opcode Fuzzy Hash: 2e2bed37e9d76e86ce0eb7196b3f6142c6ca0344fff2dfa72a8659fc8ee350f6
Instruction Fuzzy Hash: 32614BB1A05200AFEF21BFB598C1A6E7B95EF02314F14496FFB04973C2D63D99029768

Function 00468B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 004A6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 004A68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 004A68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 004A68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 004A68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00468874,00000000,00000000,00000000,000000FF,00000000), ref: 004A6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 004A691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00468874,00000000,00000000,00000000,000000FF,00000000), ref: 004A692D

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: d6ea224d0831d8ecc7f011d2e072ff036e97beda03b1142ff807bd8faf5385ff
Instruction ID: 70a74f560001561024b2d6fb145731baf5392b5adfe57bfe0f4c5ba2e4c0c5e7
Opcode Fuzzy Hash: d6ea224d0831d8ecc7f011d2e072ff036e97beda03b1142ff807bd8faf5385ff
Instruction Fuzzy Hash: 30519EB0600209AFDB20CF25CC95FAB37B5FF65750F14461EF902962A0EB78A991DB49

Function 004CC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004CC182
GetLastError.KERNEL32 ref: 004CC195
SetEvent.KERNEL32(?), ref: 004CC1A9

Part of subcall function 004CC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 004CC272
Part of subcall function 004CC253: GetLastError.KERNEL32 ref: 004CC322
Part of subcall function 004CC253: SetEvent.KERNEL32(?), ref: 004CC336
Part of subcall function 004CC253: InternetCloseHandle.WININET(00000000), ref: 004CC341

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 4f690bfb2fe212ac54ab55904ffdf41fc1f310656f36786a88a9c5422c6b7a45
Instruction ID: 13e962c0f296bd629c2a9430b9d5512118ea8fb5b38a9c5d93b1ca525e77be20
Opcode Fuzzy Hash: 4f690bfb2fe212ac54ab55904ffdf41fc1f310656f36786a88a9c5422c6b7a45
Instruction Fuzzy Hash: 3831BE79900641AFDB608FA5DCC4F77BBE9FF18300B04446EF95A86611CB34E8119FA9

Function 004B25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 004B3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 004B3A57
Part of subcall function 004B3A3D: GetCurrentThreadId.KERNEL32 ref: 004B3A5E
Part of subcall function 004B3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004B25B3), ref: 004B3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 004B25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 004B25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 004B25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 004B25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 004B2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 004B2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 004B260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 004B2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 004B2627

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 18537b439d5485f43ad071151dead102a774424c4bb22639b175e85db70f3278
Instruction ID: a6b3653b2059019c7d702400c011611ebfa4d413fd178b27b89c76585eee77eb
Opcode Fuzzy Hash: 18537b439d5485f43ad071151dead102a774424c4bb22639b175e85db70f3278
Instruction Fuzzy Hash: 4901D830390250BBFB1067699CCAF997F59DF4EB12F100016F314AE0D2C9E114458A7D

Function 004B1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,004B1449,?,?,00000000), ref: 004B180C
HeapAlloc.KERNEL32(00000000,?,004B1449,?,?,00000000), ref: 004B1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,004B1449,?,?,00000000), ref: 004B1828
GetCurrentProcess.KERNEL32(?,00000000,?,004B1449,?,?,00000000), ref: 004B1830
DuplicateHandle.KERNEL32(00000000,?,004B1449,?,?,00000000), ref: 004B1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,004B1449,?,?,00000000), ref: 004B1843
GetCurrentProcess.KERNEL32(004B1449,00000000,?,004B1449,?,?,00000000), ref: 004B184B
DuplicateHandle.KERNEL32(00000000,?,004B1449,?,?,00000000), ref: 004B184E
CreateThread.KERNEL32(00000000,00000000,004B1874,00000000,00000000,00000000), ref: 004B1868

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: a8e68a4557aced61625c0130b92c8030cc62b012bb9bd92b65168922c77cbc03
Instruction ID: 4ae32e3f3fa548072103d8e53cb22d80d9bc8ab28d421240de61054b40d54715
Opcode Fuzzy Hash: a8e68a4557aced61625c0130b92c8030cc62b012bb9bd92b65168922c77cbc03
Instruction Fuzzy Hash: 8E01A8B5240348BFE710ABA5DCC9F6B7BACEB89B11F404421FA05DB1A2CA749C018F24

Function 004DA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 004BD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 004BD501
Part of subcall function 004BD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 004BD50F
Part of subcall function 004BD4DC: CloseHandle.KERNEL32(00000000), ref: 004BD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 004DA16D
GetLastError.KERNEL32 ref: 004DA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 004DA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 004DA268
GetLastError.KERNEL32(00000000), ref: 004DA273
CloseHandle.KERNEL32(00000000), ref: 004DA2C4

Strings

SeDebugPrivilege, xrefs: 004DA18F

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 36cebcc0594704a954c874bdbefde51771eb26cbccc09a52553bdc3dcf25e86b
Instruction ID: f49da5db954e35e5ba721ac0747ba2f26e71a9f493a781365653d33ab67d0e40
Opcode Fuzzy Hash: 36cebcc0594704a954c874bdbefde51771eb26cbccc09a52553bdc3dcf25e86b
Instruction Fuzzy Hash: 976160312042419FD710DF15C4E4F1ABBE1AF44318F58849EE8664B7A3C77AED49CB9A

Function 004E3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004E3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 004E393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004E3954
_wcslen.LIBCMT ref: 004E3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 004E39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 004E39F4

Strings

SysListView32, xrefs: 004E38F7

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 9cb7d56d789a9d507d30770d54360a41f2a338ddd2dba5922e6020f966fc01e2
Instruction ID: 4a982b30bb865aa23a34132c5dcf5d9205a7eb23bebfa405c74c6af391bfc2bc
Opcode Fuzzy Hash: 9cb7d56d789a9d507d30770d54360a41f2a338ddd2dba5922e6020f966fc01e2
Instruction Fuzzy Hash: A741C971900258ABDF219F65CC49BEB7BA9FF08355F10012BF948E7281D7759D81CB98

Function 004BBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004BBCFD
IsMenu.USER32(00000000), ref: 004BBD1D
CreatePopupMenu.USER32 ref: 004BBD53
GetMenuItemCount.USER32(015657D0), ref: 004BBDA4
InsertMenuItemW.USER32(015657D0,?,00000001,00000030), ref: 004BBDCC

Strings

2, xrefs: 004BBD37
0, xrefs: 004BBCA8

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 3ed8b7768e1334a242008696dc527ba87db1c975135a23d52178168e8e2f7478
Instruction ID: 50a1efdd1c48a263da4d8b86e484f7f478c61345fbac3468ac434a80a47f0d90
Opcode Fuzzy Hash: 3ed8b7768e1334a242008696dc527ba87db1c975135a23d52178168e8e2f7478
Instruction Fuzzy Hash: AB51BD70A00205ABDF11CFA9C8C4BEEBBF9EF45314F14462AE4419B291D7BC9941CBB9

Function 00472D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00472D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00472D53
_ValidateLocalCookies.LIBCMT ref: 00472DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00472E0C
_ValidateLocalCookies.LIBCMT ref: 00472E61

Strings

&HG, xrefs: 00472DFE, 00472E07, 00472E18
csm, xrefs: 00472DF6

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &HG$csm
API String ID: 1170836740-1363431019
Opcode ID: 4263725fb93a81830641d3f7cceeb7a3f7652b4d5693dffaf8f7a084f637a269
Instruction ID: 4a876ba0beeaefa3cb02043600414a95e27817b127548271d5f4179538d5c9cf
Opcode Fuzzy Hash: 4263725fb93a81830641d3f7cceeb7a3f7652b4d5693dffaf8f7a084f637a269
Instruction Fuzzy Hash: AF41A334E00209ABCF20DF69C945ADEBBB5BF44318F14C15BE81C6B352D779AA05CB95

Function 004BC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 004BC913

Strings

info, xrefs: 004BC8B4
warning, xrefs: 004BC8FC
stop, xrefs: 004BC8E4
blank, xrefs: 004BC895
question, xrefs: 004BC8CC

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: b240baa155999a1ff0320fa2809e6b33db6a42c06fb58c357756048e203f7d2e
Instruction ID: 0c0ef8a93f1178d01e060f3c7e7ae30aae5006d69cfe0291ff3f3fb75cfa3b64
Opcode Fuzzy Hash: b240baa155999a1ff0320fa2809e6b33db6a42c06fb58c357756048e203f7d2e
Instruction Fuzzy Hash: 30112772789307BAB700AB149CC2CEB279CDF55329B20402FF504E62C2E7A86E4152BD

Function 004BDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 004BDE42
gethostname.WSOCK32(?,00000100), ref: 004BDE5C
gethostbyname.WSOCK32(?), ref: 004BDE69
inet_ntoa.WSOCK32(?), ref: 004BDEAB
_strcat.LIBCMT ref: 004BDEB9
WSACleanup.WSOCK32 ref: 004BDEDE

Strings

0.0.0.0, xrefs: 004BDE87

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 115018137cb2592e575e9a8d1dc8448aef09d53589f22cb12f2f1b416859beaa
Instruction ID: fecdf989485a7e57082ba698460e73da4f3c7c627cdecf660cd87439842e887c
Opcode Fuzzy Hash: 115018137cb2592e575e9a8d1dc8448aef09d53589f22cb12f2f1b416859beaa
Instruction Fuzzy Hash: 95113A71804205ABCB24AB31DC8AEEF37ACDF50315F0001BBF5059A091FF79CA828A68

Function 004BED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 004BED2A
_wcslen.LIBCMT ref: 004BED3B
_wcslen.LIBCMT ref: 004BED79
_wcslen.LIBCMT ref: 004BEDAF
_wcslen.LIBCMT ref: 004BEDDF
_wcslen.LIBCMT ref: 004BEDEF
_wcslen.LIBCMT ref: 004BEE2B
_wcslen.LIBCMT ref: 004BEE5A

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 076b55dd7a4035d4ef0288807785f5fac9e3b0b96398ced463b0be807d6d9e89
Instruction ID: 4086cf1a8ac6d2bb9bb066179c64d2d6dd2876665ae93c2aad7077efaaeef737
Opcode Fuzzy Hash: 076b55dd7a4035d4ef0288807785f5fac9e3b0b96398ced463b0be807d6d9e89
Instruction Fuzzy Hash: A641C765C1011876CB51EBF6888A9CF77BCAF85300F00856BE518E3122FB38D245C3AE

Function 0046F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,004A682C,00000004,00000000,00000000), ref: 0046F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,004A682C,00000004,00000000,00000000), ref: 004AF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,004A682C,00000004,00000000,00000000), ref: 004AF454

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 6c63043aacec38ce93110a302710cd1be19c34826a1d2c562636324f2dd05f8a
Instruction ID: cdf3bbcb0e9338db31a5ca3bd852ecc615d05ad050361ffee66a97502ad64a11
Opcode Fuzzy Hash: 6c63043aacec38ce93110a302710cd1be19c34826a1d2c562636324f2dd05f8a
Instruction Fuzzy Hash: DE413EB0204780BAD7388B69A8C872B7B916B67314F14443FE4C756761E63D948DCB1F

Function 004E2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 004E2D1B
GetDC.USER32(00000000), ref: 004E2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004E2D2E
ReleaseDC.USER32(00000000,00000000), ref: 004E2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 004E2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 004E2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,004E5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 004E2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 004E2DE1

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 1c593c92071a0822d86cca17a074af24bc2e2f7b7cfbe09e30cf17502510d1fc
Instruction ID: 080919da366d5a89f197de2c27c15e3e655893ff9b0f6054e4689172f824e74a
Opcode Fuzzy Hash: 1c593c92071a0822d86cca17a074af24bc2e2f7b7cfbe09e30cf17502510d1fc
Instruction Fuzzy Hash: 8A318F72201254BBEB118F558C8AFFB3BADEB49715F044065FE089E292C6B59C41C7A8

Function 004B5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 004B5637
_memcmp.LIBVCRUNTIME ref: 004B5659
_memcmp.LIBVCRUNTIME ref: 004B5671
_memcmp.LIBVCRUNTIME ref: 004B5684
_memcmp.LIBVCRUNTIME ref: 004B569E
_memcmp.LIBVCRUNTIME ref: 004B56B1
_memcmp.LIBVCRUNTIME ref: 004B56C9
_memcmp.LIBVCRUNTIME ref: 004B56E4

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 22cff26533f8c54bc1f743746588193ce73adaa944f0fd2301521ef4cfff2e10
Instruction ID: 08b6eaefc1e56c50ff9650a292e07304fa542d04b7608de6fe0e0590c4a01d8f
Opcode Fuzzy Hash: 22cff26533f8c54bc1f743746588193ce73adaa944f0fd2301521ef4cfff2e10
Instruction Fuzzy Hash: 6D2198717409097BB21455265D82FFBB35CAF20389F644027FD0C9AA81FB6CEE1581BD

Function 004D4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 004D502E, 004D5383
Not an Object type, xrefs: 004D5007

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 302549b7203a6b9858f5f2281da8d21fd9f4a6f0893cdc6d9dae41ff28a7182a
Instruction ID: 2106651474e5c03f926d84854ee149d93c4e4785016704e9cd546e2884bf5c7d
Opcode Fuzzy Hash: 302549b7203a6b9858f5f2281da8d21fd9f4a6f0893cdc6d9dae41ff28a7182a
Instruction Fuzzy Hash: 53D19171A0060A9FDF10CFA8C891BAEB7B5BF48344F14846BE915AB381EB74DD45CB94

Function 00491522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,004917FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 004915CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00491651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,004917FB,?,004917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004916E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004916FB

Part of subcall function 00483820: RtlAllocateHeap.NTDLL(00000000,?,00521444,?,0046FDF5,?,?,0045A976,00000010,00521440,004513FC,?,004513C6,?,00451129), ref: 00483852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00491777
__freea.LIBCMT ref: 004917A2
__freea.LIBCMT ref: 004917AE

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 7951f8e80d9a045ca55be718004cf7d4fa6abd8c31dd7481b734bc3b05f41749
Instruction ID: ff179572fa7dbecb7979b10c93fb9f93be5590665937de9cf3699231f47b5640
Opcode Fuzzy Hash: 7951f8e80d9a045ca55be718004cf7d4fa6abd8c31dd7481b734bc3b05f41749
Instruction Fuzzy Hash: EA91B372E00217AEDF209EA4C881AEF7FA59F45724F19457BE901E7261D729CC41CB68

Function 004D4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004D4648
VariantInit.OLEAUT32(?), ref: 004D4749
VariantClear.OLEAUT32(?), ref: 004D4753
VariantClear.OLEAUT32(?), ref: 004D47B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 004D45D8, 004D4706, 004D47BE
Incorrect Object type in FOR..IN loop, xrefs: 004D472C

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 8db161af45f1bc3105a8c9251b36559819b11d0334a9ecfd79299251251a9656
Instruction ID: 48a69b9b47e4a3b7415e3a36e2e70ccbd64bfdb3a96e5b15e36355ee4232bba5
Opcode Fuzzy Hash: 8db161af45f1bc3105a8c9251b36559819b11d0334a9ecfd79299251251a9656
Instruction Fuzzy Hash: 42918F71A00219ABDF20CFA5C894FAF7BB8AF86714F10855BF505AB380D7789945CBA4

Function 004C1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 004C125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 004C1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 004C12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004C12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004C135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004C13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004C1430

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 111176a579c9f814b1911be9aef6557fee4f094da9359c4642ab26f4df4f936b
Instruction ID: 586325a26f35c6a147280973039d49ea115b152cfec208bfb26e2047b68ce6de
Opcode Fuzzy Hash: 111176a579c9f814b1911be9aef6557fee4f094da9359c4642ab26f4df4f936b
Instruction Fuzzy Hash: D591EF799002189FEB449F95C884FBE77B5FF06319F10406FE940EB2A2D778A841CB98

Function 0046948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 05269a46f144ce43052e6e2abac0a1242dd3aeef2e121d1ef956691e5f74062e
Instruction ID: 562650173d983a91bc9db61991a1154991fab6adb9792e368f6781b327bb1efb
Opcode Fuzzy Hash: 05269a46f144ce43052e6e2abac0a1242dd3aeef2e121d1ef956691e5f74062e
Instruction Fuzzy Hash: F7911771900219EFCB10CFA9CC84AEEBBB8FF49320F14455AE916B7251D778AD42CB65

Function 004D3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004D396B
CharUpperBuffW.USER32(?,?), ref: 004D3A7A
_wcslen.LIBCMT ref: 004D3A8A
VariantClear.OLEAUT32(?), ref: 004D3C1F

Part of subcall function 004C0CDF: VariantInit.OLEAUT32(00000000), ref: 004C0D1F
Part of subcall function 004C0CDF: VariantCopy.OLEAUT32(?,?), ref: 004C0D28
Part of subcall function 004C0CDF: VariantClear.OLEAUT32(?), ref: 004C0D34

Strings

AUTOIT.ERROR, xrefs: 004D3A80, 004D3A85
Incorrect Parameter format, xrefs: 004D39A6, 004D3BA1

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 47c5dac7f4db1d80d3f1799c86ffde7505e95540fe8649513a17acb304ba2a3c
Instruction ID: 47ba52a9314bf38479c40eda85d537ae32bdcd67a2bb8588797d1f66090283de
Opcode Fuzzy Hash: 47c5dac7f4db1d80d3f1799c86ffde7505e95540fe8649513a17acb304ba2a3c
Instruction Fuzzy Hash: 0E9168746083059FC700DF25C49096AB7E4BF88319F14886FF8899B352DB38EE46CB96

Function 004D4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 004B000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,004AFF41,80070057,?,?,?,004B035E), ref: 004B002B
Part of subcall function 004B000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004AFF41,80070057,?,?), ref: 004B0046
Part of subcall function 004B000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004AFF41,80070057,?,?), ref: 004B0054
Part of subcall function 004B000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004AFF41,80070057,?), ref: 004B0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 004D4C51
_wcslen.LIBCMT ref: 004D4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 004D4DCF
CoTaskMemFree.OLE32(?), ref: 004D4DDA

Strings

NULL Pointer assignment, xrefs: 004D4E23, 004D4E52

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: a5f2055d99b77dcf2e7d2a98c66f4f6fcc241041ce203878216db2853b0bd12a
Instruction ID: 7a6676aa555c13771866f63afb482abbf87d61b4efb5c13cbdef68a77ec705c5
Opcode Fuzzy Hash: a5f2055d99b77dcf2e7d2a98c66f4f6fcc241041ce203878216db2853b0bd12a
Instruction Fuzzy Hash: 31912871D0021DEFDF10DFA5C890AEEB7B9BF48304F10856AE915AB241DB389A49CF64

Function 004E20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 004E2183
GetMenuItemCount.USER32(00000000), ref: 004E21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 004E21DD
_wcslen.LIBCMT ref: 004E2213
GetMenuItemID.USER32(?,?), ref: 004E224D
GetSubMenu.USER32(?,?), ref: 004E225B

Part of subcall function 004B3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 004B3A57
Part of subcall function 004B3A3D: GetCurrentThreadId.KERNEL32 ref: 004B3A5E
Part of subcall function 004B3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004B25B3), ref: 004B3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 004E22E3

Part of subcall function 004BE97B: Sleep.KERNEL32 ref: 004BE9F3

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 8ebe4b63e49cccc576c303c433f5d39316e8e0b4a7778f0b787cb2c2eb7d54da
Instruction ID: 5f56a10763c89c73615593b72e29c1e6c0d7fb4c32c768bb69c59daf609ce4a5
Opcode Fuzzy Hash: 8ebe4b63e49cccc576c303c433f5d39316e8e0b4a7778f0b787cb2c2eb7d54da
Instruction Fuzzy Hash: 0F71B375A00245AFCB00DF66C981AAEB7F5FF48315F1084AAE916EB341D778EE018B95

Function 004BAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 004BAEF9
GetKeyboardState.USER32(?), ref: 004BAF0E
SetKeyboardState.USER32(?), ref: 004BAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 004BAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 004BAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 004BAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 004BB020

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: bc80342565f82d0d7363db802c26b6684631747d29752d07e17c08576d89f1e2
Instruction ID: c43da3716c5f47a333bc96891f7851ac5e66d7f226ca5818ad0aeeb8972087b9
Opcode Fuzzy Hash: bc80342565f82d0d7363db802c26b6684631747d29752d07e17c08576d89f1e2
Instruction Fuzzy Hash: 8851C1A06047D53DFB3692348845BFB7EA99B06304F08888AE1D9555C2C3DDEC98D7B9

Function 004BACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 004BAD19
GetKeyboardState.USER32(?), ref: 004BAD2E
SetKeyboardState.USER32(?), ref: 004BAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 004BADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 004BADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 004BAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 004BAE38

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: c061fa7c2fb9f4b597f8cdee4fa042353e75bd2618d516a8fda4d15060b87b58
Instruction ID: 9ec0cc14d4ad381965dff80d80ed242b880a5c4778d412b3b08adf7ff8a898ee
Opcode Fuzzy Hash: c061fa7c2fb9f4b597f8cdee4fa042353e75bd2618d516a8fda4d15060b87b58
Instruction Fuzzy Hash: 9451F4A15447D13DFB3783348C95BFB7EA95B46300F08858AE1D5469C2C398ECA8D77A

Function 0048542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00493CD6,?,?,?,?,?,?,?,?,00485BA3,?,?,00493CD6,?,?), ref: 00485470
__fassign.LIBCMT ref: 004854EB
__fassign.LIBCMT ref: 00485506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00493CD6,00000005,00000000,00000000), ref: 0048552C
WriteFile.KERNEL32(?,00493CD6,00000000,00485BA3,00000000,?,?,?,?,?,?,?,?,?,00485BA3,?), ref: 0048554B
WriteFile.KERNEL32(?,?,00000001,00485BA3,00000000,?,?,?,?,?,?,?,?,?,00485BA3,?), ref: 00485584

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: b0b7466c5ba3c17daa1ebe08d321de8b947177fb78a7f45f1604b083954182c1
Instruction ID: 33f85f7e4cf9f11f12c8d7c64fa8d5cc9dd0831a540ceb98ecaf436a9a99b58c
Opcode Fuzzy Hash: b0b7466c5ba3c17daa1ebe08d321de8b947177fb78a7f45f1604b083954182c1
Instruction Fuzzy Hash: 1051E5B0A00648AFDB10DFA8D885AEEBBF9EF09300F14455BF955E7292D734DA41CB64

Function 004D10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004D304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 004D307A
Part of subcall function 004D304E: _wcslen.LIBCMT ref: 004D309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 004D1112
WSAGetLastError.WSOCK32 ref: 004D1121
WSAGetLastError.WSOCK32 ref: 004D11C9
closesocket.WSOCK32(00000000), ref: 004D11F9

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: e04dc94c97414a1d559cace77acecebecd2f3a12abc08d0a5f602bf1f3fbc85b
Instruction ID: a4e43debbf2f36acd4bdc10f8b82a5a2dfb8309465b1ee57eaa445b2ddf2be29
Opcode Fuzzy Hash: e04dc94c97414a1d559cace77acecebecd2f3a12abc08d0a5f602bf1f3fbc85b
Instruction Fuzzy Hash: F241F531200204AFDB109F54C894BAEB7A9FF45319F14806BFD159B392C778AD45CBA9

Function 004BCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 004BDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,004BCF22,?), ref: 004BDDFD

Part of subcall function 004BDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,004BCF22,?), ref: 004BDE16

lstrcmpiW.KERNEL32(?,?), ref: 004BCF45
MoveFileW.KERNEL32(?,?), ref: 004BCF7F
_wcslen.LIBCMT ref: 004BD005
_wcslen.LIBCMT ref: 004BD01B
SHFileOperationW.SHELL32(?), ref: 004BD061

Strings

\*.*, xrefs: 004BCFF3

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 538441cc5cc71797d2000710195022cdd63beaa1c6baf8aaa344f06aca10b24b
Instruction ID: 20ee31348a2bf6af39fc85477d40aa910ec0cf1a16116339a08b71eede12356a
Opcode Fuzzy Hash: 538441cc5cc71797d2000710195022cdd63beaa1c6baf8aaa344f06aca10b24b
Instruction Fuzzy Hash: 61416971D052189FDF12EFA5C9C1AEE77B9AF44344F1004EBE509EB142EB38A645CB64

Function 004E2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 004E2E1C
GetWindowLongW.USER32(?,000000F0), ref: 004E2E4F
GetWindowLongW.USER32(?,000000F0), ref: 004E2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 004E2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 004E2EE0
GetWindowLongW.USER32(?,000000F0), ref: 004E2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004E2F0B

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 23a5e3c81fd46b578abe96728ab51bb60fdd582fedeed748c2e468be305400a1
Instruction ID: eaa44669fe0efbdf322327006fbb610683b6e346d7b1d02968c9fc016cf907b9
Opcode Fuzzy Hash: 23a5e3c81fd46b578abe96728ab51bb60fdd582fedeed748c2e468be305400a1
Instruction Fuzzy Hash: 193116306042A0AFDB208F1DDDC4F6637E8EB6A711F1401A6F9009F2B2CBB5AC459B49

Function 004B7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004B7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004B778F
SysAllocString.OLEAUT32(00000000), ref: 004B7792
SysAllocString.OLEAUT32(?), ref: 004B77B0
SysFreeString.OLEAUT32(?), ref: 004B77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 004B77DE
SysAllocString.OLEAUT32(?), ref: 004B77EC

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: c4760256d331228aaf8057fd7ff8a94552b25611e97d5f072c0721bc59c2f2db
Instruction ID: f021eeb9f77dc4d724afe1b3c37dbe55673707a361766928a8bec79f700fa234
Opcode Fuzzy Hash: c4760256d331228aaf8057fd7ff8a94552b25611e97d5f072c0721bc59c2f2db
Instruction Fuzzy Hash: 7321A176604219AFDB10DFA8DCC8CFB77ACEB493647108426B914DB291DA74EC428B78

Function 004B77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004B7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004B7868
SysAllocString.OLEAUT32(00000000), ref: 004B786B
SysAllocString.OLEAUT32 ref: 004B788C
SysFreeString.OLEAUT32 ref: 004B7895
StringFromGUID2.OLE32(?,?,00000028), ref: 004B78AF
SysAllocString.OLEAUT32(?), ref: 004B78BD

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: a7719205a7de85dd63777eab647b9642a5457483822cef6d53aceb31cf598512
Instruction ID: 80431b556f27a236d416cc180e7227ff6fc7a5c5b8d7fefb0270ad0c987b10c2
Opcode Fuzzy Hash: a7719205a7de85dd63777eab647b9642a5457483822cef6d53aceb31cf598512
Instruction Fuzzy Hash: B2217131608204AFDB10AFB8DCC8DAB77ECEB497607108526F915CB2A1D678DC46CB78

Function 004C04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 004C04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 004C052E

Strings

nul, xrefs: 004C0567

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: ff5f99eb11bcd05ac59bec11da0ca88d3ea59e844c7f8b82a1a627d89f0a9b27
Instruction ID: 1cc8f70685700119d761c514f78b764dcafcd35daa5337d6d916b375bdb754a0
Opcode Fuzzy Hash: ff5f99eb11bcd05ac59bec11da0ca88d3ea59e844c7f8b82a1a627d89f0a9b27
Instruction Fuzzy Hash: F0212C79500305EBDF609F69D884F9A7BA4AF44724F204A2EE9A1D62E0D7749942CF28

Function 004C05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 004C05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 004C0601

Strings

nul, xrefs: 004C0639

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 7ca5fa83e7afa85ba399f1bc50ab601d493b45f6ba88ec743b73f90b6a7c4d8d
Instruction ID: dac5f879e01fc21a8bd30cb6fc73f197b3f1cb23fce21c13fcb69a8b085ac7ef
Opcode Fuzzy Hash: 7ca5fa83e7afa85ba399f1bc50ab601d493b45f6ba88ec743b73f90b6a7c4d8d
Instruction Fuzzy Hash: 3B219139600315DBDB608F698C44F9A77A4AF85720F200A1EECA1E72E0D7749861CB18

Function 004E40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0045600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0045604C
Part of subcall function 0045600E: GetStockObject.GDI32(00000011), ref: 00456060
Part of subcall function 0045600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0045606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 004E4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 004E411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 004E412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 004E4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 004E4145

Strings

Msctls_Progress32, xrefs: 004E40E3

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 9961f775eecc48b07899ad583b84faa82997479c8f0a1f8bf4fc577b51235860
Instruction ID: edcf3fac97081afce0a4c3c16b4f557614f5f719c062c48d6a888c94180ae6ca
Opcode Fuzzy Hash: 9961f775eecc48b07899ad583b84faa82997479c8f0a1f8bf4fc577b51235860
Instruction Fuzzy Hash: 4F11E6B114021D7EEF108F65CC85EE77F5DEF08798F014111BA18A2150C6769C21DBA4

Function 0048D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0048D7A3: _free.LIBCMT ref: 0048D7CC

_free.LIBCMT ref: 0048D82D

Part of subcall function 004829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0048D7D1,00000000,00000000,00000000,00000000,?,0048D7F8,00000000,00000007,00000000,?,0048DBF5,00000000), ref: 004829DE
Part of subcall function 004829C8: GetLastError.KERNEL32(00000000,?,0048D7D1,00000000,00000000,00000000,00000000,?,0048D7F8,00000000,00000007,00000000,?,0048DBF5,00000000,00000000), ref: 004829F0

_free.LIBCMT ref: 0048D838
_free.LIBCMT ref: 0048D843
_free.LIBCMT ref: 0048D897
_free.LIBCMT ref: 0048D8A2
_free.LIBCMT ref: 0048D8AD
_free.LIBCMT ref: 0048D8B8

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 7c7e8a1ceae6a3a0d87c3874ad26187ca8b1c9d2c9d493479c286c1155fa1f23
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: FD112CB1A42B04AAD521BFB2CC46FCF7B9C6F00704F400C2AF299A60D2DA6DA5454754

Function 004BDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 004BDA74
LoadStringW.USER32(00000000), ref: 004BDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 004BDA91
LoadStringW.USER32(00000000), ref: 004BDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 004BDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 004BDAB9

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 50fd440276859624572946bf6def81670feb3a17f07f964db1e6dcfb23b712b7
Instruction ID: b5911536b8d173fe29ff5293361178925c2714c6f735d5d3b7f2b2d5b19a2a74
Opcode Fuzzy Hash: 50fd440276859624572946bf6def81670feb3a17f07f964db1e6dcfb23b712b7
Instruction Fuzzy Hash: E90186F2900348BFEB109BE09DC9EE7776CEB08301F4445A6B716E6042E6749E858F78

Function 004C096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0155E9E0,0155E9E0), ref: 004C097B
EnterCriticalSection.KERNEL32(0155E9C0,00000000), ref: 004C098D
TerminateThread.KERNEL32(?,000001F6), ref: 004C099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 004C09A9
CloseHandle.KERNEL32(?), ref: 004C09B8
InterlockedExchange.KERNEL32(0155E9E0,000001F6), ref: 004C09C8
LeaveCriticalSection.KERNEL32(0155E9C0), ref: 004C09CF

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 33733ac389d4b4e601578230328d25c8380d2cdd81ac3057fb6e63f154bfed1b
Instruction ID: bf133f818181e7c6cfd7257182ec2385ce444c541e165d1630a81422323dc8fc
Opcode Fuzzy Hash: 33733ac389d4b4e601578230328d25c8380d2cdd81ac3057fb6e63f154bfed1b
Instruction Fuzzy Hash: F4F03171842642FBD7415F94EECCBD6BB39FF01702F401426F201588A2C7749466CF98

Function 004D1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 004D1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 004D1DE1
WSAGetLastError.WSOCK32 ref: 004D1DF2
htons.WSOCK32(?,?,?,?,?), ref: 004D1EDB
inet_ntoa.WSOCK32(?), ref: 004D1E8C

Part of subcall function 004B39E8: _strlen.LIBCMT ref: 004B39F2

Part of subcall function 004D3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,004CEC0C), ref: 004D3240

_strlen.LIBCMT ref: 004D1F35

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: e220e7f4d6293f95d2a52092f8ebcceded3d990f7c6871b2f121ac9acdcfec50
Instruction ID: fb6b905f8a392edb0ad65f3b4760749f7bbc3849fcd90066e9cf8e3d7ac34f71
Opcode Fuzzy Hash: e220e7f4d6293f95d2a52092f8ebcceded3d990f7c6871b2f121ac9acdcfec50
Instruction Fuzzy Hash: 0BB1CF30204340AFC324DF25C895E2A7BA5AF84318F54894EF8565B3A3DB39ED46CB96

Function 00455D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00455D30
GetWindowRect.USER32(?,?), ref: 00455D71
ScreenToClient.USER32(?,?), ref: 00455D99
GetClientRect.USER32(?,?), ref: 00455ED7
GetWindowRect.USER32(?,?), ref: 00455EF8

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: b8f5c67d2a04c9fa98a0591e30f0ebcff7b6cf2971253cdffdc4b6cb6af268f0
Instruction ID: 71101542cc2f99033f3d0572dd109bd84f873eb417c301cc9a586ce466e8820f
Opcode Fuzzy Hash: b8f5c67d2a04c9fa98a0591e30f0ebcff7b6cf2971253cdffdc4b6cb6af268f0
Instruction Fuzzy Hash: DEB17B75A0064ADBDB10CFA8C481AFEBBF1FF44311F14841AE8A9D7250D738AA56CB58

Function 004801B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 004800BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004800D6
__allrem.LIBCMT ref: 004800ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0048010B
__allrem.LIBCMT ref: 00480122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00480140

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 3e5a55f186a6504e25b88586f0ca2107b70ecf6f4dfa620d71e121eb4704c1e5
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: B181D6726007069FD720AA69CC41BAF73E8AF41328F24893FF455D7781EB79D9048798

Function 004861FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,004782D9,004782D9,?,?,?,0048644F,00000001,00000001,8BE85006), ref: 00486258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0048644F,00000001,00000001,8BE85006,?,?,?), ref: 004862DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 004863D8
__freea.LIBCMT ref: 004863E5

Part of subcall function 00483820: RtlAllocateHeap.NTDLL(00000000,?,00521444,?,0046FDF5,?,?,0045A976,00000010,00521440,004513FC,?,004513C6,?,00451129), ref: 00483852

__freea.LIBCMT ref: 004863EE
__freea.LIBCMT ref: 00486413

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 73edb10c4273dec0696220d0027b9a1dbd7624d047d977602fcd4d4bf6f5d580
Instruction ID: 0e2dfc48c25c535498d6a2989cdc784448652a73423253a941ae8f74cba80976
Opcode Fuzzy Hash: 73edb10c4273dec0696220d0027b9a1dbd7624d047d977602fcd4d4bf6f5d580
Instruction Fuzzy Hash: 1451E972A00216ABDB25AF64CC81EBF77A9EF44714F164A6AFC05D6241DB38DC41C768

Function 004DBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00459CB3: _wcslen.LIBCMT ref: 00459CBD

Part of subcall function 004DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004DB6AE,?,?), ref: 004DC9B5
Part of subcall function 004DC998: _wcslen.LIBCMT ref: 004DC9F1
Part of subcall function 004DC998: _wcslen.LIBCMT ref: 004DCA68
Part of subcall function 004DC998: _wcslen.LIBCMT ref: 004DCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004DBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004DBD25
RegCloseKey.ADVAPI32(00000000), ref: 004DBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 004DBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 004DBDF3
RegCloseKey.ADVAPI32(?), ref: 004DBDFF

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 64a42ca03a3e86f952413a1248173ab1c28bbcea0c682c3d450bedcaa4071a12
Instruction ID: 0e3badcd4d3be27500865405fbd750d26fad8f53363a429a400666574536fc60
Opcode Fuzzy Hash: 64a42ca03a3e86f952413a1248173ab1c28bbcea0c682c3d450bedcaa4071a12
Instruction Fuzzy Hash: 50816970208241EFC714DF24C895E2ABBE5FF84308F15895EF4558B2A2DB35ED09CB96

Function 004AF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 004AF7B9
SysAllocString.OLEAUT32(00000001), ref: 004AF860
VariantCopy.OLEAUT32(004AFA64,00000000), ref: 004AF889
VariantClear.OLEAUT32(004AFA64), ref: 004AF8AD
VariantCopy.OLEAUT32(004AFA64,00000000), ref: 004AF8B1
VariantClear.OLEAUT32(?), ref: 004AF8BB

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: cf3c84fba4b0a11a711ff2164291b86468d0786ce0b6c0e895525090d7a8b8c8
Instruction ID: a38a8d2005bbb057a5ef94a5448e58b880ae93ae883f0cf7e011ae1f2fb8480e
Opcode Fuzzy Hash: cf3c84fba4b0a11a711ff2164291b86468d0786ce0b6c0e895525090d7a8b8c8
Instruction Fuzzy Hash: F251E971500300BADF107BA6D495B2AB3A8EF56314F54446BE805DF292D7789C49C79F

Function 004C910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00457620: _wcslen.LIBCMT ref: 00457625

Part of subcall function 00456B57: _wcslen.LIBCMT ref: 00456B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 004C94E5
_wcslen.LIBCMT ref: 004C9506
_wcslen.LIBCMT ref: 004C952D
GetSaveFileNameW.COMDLG32(00000058), ref: 004C9585

Strings

X, xrefs: 004C9412

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: b43b637d4213056485efa0f88e3cf478e9c73b4a208d3eebc742739b5333ad72
Instruction ID: 146d38e1470ffce4d23e0d4f68a89fa25b61a9aa0f7ce1dda677759399986edf
Opcode Fuzzy Hash: b43b637d4213056485efa0f88e3cf478e9c73b4a208d3eebc742739b5333ad72
Instruction Fuzzy Hash: 8BE1A235508340AFC754DF25C485F6AB7E4BF85318F04896EE8899B3A2DB38DD05CB9A

Function 0046920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00469BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00469BB2

BeginPaint.USER32(?,?,?), ref: 00469241
GetWindowRect.USER32(?,?), ref: 004692A5
ScreenToClient.USER32(?,?), ref: 004692C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 004692D3
EndPaint.USER32(?,?,?,?,?), ref: 00469321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 004A71EA

Part of subcall function 00469339: BeginPath.GDI32(00000000), ref: 00469357

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: d782e2256e50f04570cfa898643b4311f12b110711a53e65a3527a0f10134d2a
Instruction ID: d9c5c0b5a9eec057a2b06e2d4b3d2f3a3d63b132c3acb47f432b403ad010e70d
Opcode Fuzzy Hash: d782e2256e50f04570cfa898643b4311f12b110711a53e65a3527a0f10134d2a
Instruction Fuzzy Hash: F841AF70104340AFD720DF25CCD4FAB7BA8EF6A324F04066AF954862A2D7749C46DB6A

Function 004C07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 004C080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 004C0847
EnterCriticalSection.KERNEL32(?), ref: 004C0863
LeaveCriticalSection.KERNEL32(?), ref: 004C08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 004C08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 004C0921

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 707baab7bef4de5a461e3a0ed40e585bcc8d1229a5ae40edbce2775b375721e5
Instruction ID: 77d259b16aa309cea1122ccad5e799c40fe6d475c12d5cd9d84189210ba1369a
Opcode Fuzzy Hash: 707baab7bef4de5a461e3a0ed40e585bcc8d1229a5ae40edbce2775b375721e5
Instruction Fuzzy Hash: 68417971900205EBDF14AF55DC85AAABB78FF04304F1080AAED009E297DB35DE65DBA8

Function 004E81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,004AF3AB,00000000,?,?,00000000,?,004A682C,00000004,00000000,00000000), ref: 004E824C
EnableWindow.USER32(?,00000000), ref: 004E8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 004E82D1
ShowWindow.USER32(?,00000004), ref: 004E82E5
EnableWindow.USER32(?,00000001), ref: 004E830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 004E832F

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 81bd29b60db1a23124f62180f1a1aacee44767a34897f8fce9eef15d3972f626
Instruction ID: 096cd033775c9dd68cfa6def7160381438dd85d8521189acc42be66943904489
Opcode Fuzzy Hash: 81bd29b60db1a23124f62180f1a1aacee44767a34897f8fce9eef15d3972f626
Instruction Fuzzy Hash: B1419530601684AFDF25CF16C8D5BA67BE0BF16715F1842AEEA0C5F263C7365846CB58

Function 004B4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004B4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 004B4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004B4CEA
_wcslen.LIBCMT ref: 004B4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 004B4D10
_wcsstr.LIBVCRUNTIME ref: 004B4D1A

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: dbd5a75dc1fa14bb97bc670f480cf93c49f15cac86268061181931ceede8ac8e
Instruction ID: 64a9a3d3cbeecfe59a9450fd3146b1a66104911eb4e08337836340722680171e
Opcode Fuzzy Hash: dbd5a75dc1fa14bb97bc670f480cf93c49f15cac86268061181931ceede8ac8e
Instruction Fuzzy Hash: EC21C8726041407BEB155B39EC45ABB7FACDF85754F10803FF805CA293EA69DC0196B5

Function 004C581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00453AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00453A97,?,?,00452E7F,?,?,?,00000000), ref: 00453AC2

_wcslen.LIBCMT ref: 004C587B
CoInitialize.OLE32(00000000), ref: 004C5995
CoCreateInstance.OLE32(004EFCF8,00000000,00000001,004EFB68,?), ref: 004C59AE
CoUninitialize.OLE32 ref: 004C59CC

Strings

.lnk, xrefs: 004C5876, 004C58C1, 004C5985

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: a6a27ee4b70e00131e71313f51c4fc942128644e5291513f09e52dcfe4bace71
Instruction ID: 868f4eb8516b47e9e21cdd2733ce6e092014fda19a46480986ed425de4facdb4
Opcode Fuzzy Hash: a6a27ee4b70e00131e71313f51c4fc942128644e5291513f09e52dcfe4bace71
Instruction Fuzzy Hash: 6ED154796046019FC704DF15C480E2EBBE1EF89319F14495EF8899B362DB39EC85CB96

Function 004B175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004B0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004B0FCA
Part of subcall function 004B0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004B0FD6
Part of subcall function 004B0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004B0FE5
Part of subcall function 004B0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004B0FEC
Part of subcall function 004B0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004B1002

GetLengthSid.ADVAPI32(?,00000000,004B1335), ref: 004B17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 004B17BA
HeapAlloc.KERNEL32(00000000), ref: 004B17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 004B17DA
GetProcessHeap.KERNEL32(00000000,00000000,004B1335), ref: 004B17EE
HeapFree.KERNEL32(00000000), ref: 004B17F5

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: db60fcfe99ecdefafef1dddc40ebad5bb1c6bc491f96d05461cd4c497a818088
Instruction ID: df5175da0ee120756aa19e040ece8c04dfe63c094472f9b436d909c99371a761
Opcode Fuzzy Hash: db60fcfe99ecdefafef1dddc40ebad5bb1c6bc491f96d05461cd4c497a818088
Instruction Fuzzy Hash: EA11AF32500205FFDB109FA4CC99BEFBBA9EF42355F50442AF4419B221CB399941CB68

Function 004B14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 004B14FF
OpenProcessToken.ADVAPI32(00000000), ref: 004B1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 004B1515
CloseHandle.KERNEL32(00000004), ref: 004B1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 004B154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 004B1563

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 38a3659681915fffd1dbcec7f9576f025312ae3188af9ce659187c6eea261cf9
Instruction ID: 48a4b5c54220c7e989073a18a6b9a7867d6d1d9698669b5fda9f88c221f3b237
Opcode Fuzzy Hash: 38a3659681915fffd1dbcec7f9576f025312ae3188af9ce659187c6eea261cf9
Instruction Fuzzy Hash: ED11867210024AEBDF11CFA8DE89BDE3BA9EF48704F044026FE05A6160C3758E61DB64

Function 00473382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00473379,00472FE5), ref: 00473390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0047339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004733B7
SetLastError.KERNEL32(00000000,?,00473379,00472FE5), ref: 00473409

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 712654810459d173b976b04379bea3804eca833d48a3e7774ba68aae9d83112e
Instruction ID: db0f3b5651bbe8d04bd1abea82e3e37667f0bbab7a9a18a1e5d4fac6a3a42ee1
Opcode Fuzzy Hash: 712654810459d173b976b04379bea3804eca833d48a3e7774ba68aae9d83112e
Instruction Fuzzy Hash: 1201F532248311AEA6352F756CC95EB2E55DB1977B320C22FF818842F1EF1A5D06714C

Function 00482D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00485686,00493CD6,?,00000000,?,00485B6A,?,?,?,?,?,0047E6D1,?,00518A48), ref: 00482D78
_free.LIBCMT ref: 00482DAB
_free.LIBCMT ref: 00482DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0047E6D1,?,00518A48,00000010,00454F4A,?,?,00000000,00493CD6), ref: 00482DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0047E6D1,?,00518A48,00000010,00454F4A,?,?,00000000,00493CD6), ref: 00482DEC
_abort.LIBCMT ref: 00482DF2

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: c9173babd28900471ca092e1443c2dc093b96c6699d7f1f8e3e0213a5a9726b0
Instruction ID: 52ac0d5e958260aac3dfb9ee8538e877c9859c93429aa0bb2d6699131bf99b44
Opcode Fuzzy Hash: c9173babd28900471ca092e1443c2dc093b96c6699d7f1f8e3e0213a5a9726b0
Instruction Fuzzy Hash: 78F02D7668550037C21237397E46E5F1D996FC2765F214C1FFC24962D2EFAC9802536D

Function 004E8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00469639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00469693
Part of subcall function 00469639: SelectObject.GDI32(?,00000000), ref: 004696A2
Part of subcall function 00469639: BeginPath.GDI32(?), ref: 004696B9
Part of subcall function 00469639: SelectObject.GDI32(?,00000000), ref: 004696E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 004E8A4E
LineTo.GDI32(?,00000003,00000000), ref: 004E8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 004E8A70
LineTo.GDI32(?,00000000,00000003), ref: 004E8A80
EndPath.GDI32(?), ref: 004E8A90
StrokePath.GDI32(?), ref: 004E8AA0

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 582d9e907fc10cf70b8646b1ca9138bac697fcba50469de805380e7ee40c0300
Instruction ID: f9f35fb3ad3d5f3b2ab96a3126711e0950422068464e0ba9980398f565392aad
Opcode Fuzzy Hash: 582d9e907fc10cf70b8646b1ca9138bac697fcba50469de805380e7ee40c0300
Instruction Fuzzy Hash: C211F77600018CFFDF129F91DC88EAA7F6CEB08354F008066FA199A1A1C771AD56DBA4

Function 004B51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004B5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 004B5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004B5230
ReleaseDC.USER32(00000000,00000000), ref: 004B5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 004B524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 004B5261

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 4aa2170a06a737fade5b8d774eef323f7fc09b87b7b3a0707f89be2bbebe619e
Instruction ID: 7290082707a7812d903dcb7f91972aa8e2e59eee1e3ca41beea25bbd7d07a09f
Opcode Fuzzy Hash: 4aa2170a06a737fade5b8d774eef323f7fc09b87b7b3a0707f89be2bbebe619e
Instruction Fuzzy Hash: 40014F75A01758BBEB109BF69C89B5FBFB8EB48751F044066FA04AB281D6709801CFA4

Function 00451BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00451BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00451BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00451C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00451C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00451C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00451C22

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 64c0aad4e68872be469e67d010e2d855ce836ef3a67e0e5a36f264d09b142773
Instruction ID: bf17133333990eee6cb0e31be9d78ce8ee44074bd3921cb4c18ee1e3eb36fdb4
Opcode Fuzzy Hash: 64c0aad4e68872be469e67d010e2d855ce836ef3a67e0e5a36f264d09b142773
Instruction Fuzzy Hash: B60144B0902B5ABDE3008F6A8C85A52FFA8FF19354F00411BA15C4BA42C7B5A864CBE5

Function 004BEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 004BEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 004BEB46
GetWindowThreadProcessId.USER32(?,?), ref: 004BEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004BEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004BEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004BEB75

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: dc5cdc088a92ba683a75fc83163239c4880033eafb86689e553f440ba918c52c
Instruction ID: 2b9b32f8369b4f63a042c406cc65a817a90dc9ecd6c714f1430b89b9a795a048
Opcode Fuzzy Hash: dc5cdc088a92ba683a75fc83163239c4880033eafb86689e553f440ba918c52c
Instruction Fuzzy Hash: C0F05472140198BFE72157629C8DEEF7E7CEFCAB11F000169FA01D5192D7A05A02CAB9

Function 004A7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 004A7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 004A7469
GetWindowDC.USER32(?), ref: 004A7475
GetPixel.GDI32(00000000,?,?), ref: 004A7484
ReleaseDC.USER32(?,00000000), ref: 004A7496
GetSysColor.USER32(00000005), ref: 004A74B0

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: e6cec01d4e7ba161fe7a0e14265194e2b51355243ae7effd8b4ba39dae5efd54
Instruction ID: baf15bcfb5f5b7c161e91159beba842a00e6ff84a9b861630623960c68a6ec6d
Opcode Fuzzy Hash: e6cec01d4e7ba161fe7a0e14265194e2b51355243ae7effd8b4ba39dae5efd54
Instruction Fuzzy Hash: E8018B31400255FFDB205F64DC88BAA7BB5FF18311F500165F926A61A2CB311E42AF59

Function 004B1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 004B187F
UnloadUserProfile.USERENV(?,?), ref: 004B188B
CloseHandle.KERNEL32(?), ref: 004B1894
CloseHandle.KERNEL32(?), ref: 004B189C
GetProcessHeap.KERNEL32(00000000,?), ref: 004B18A5
HeapFree.KERNEL32(00000000), ref: 004B18AC

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 86be84aaa3148f7a7ca0c449e12fe4958467ea012c4fef8841f0814791c9fc53
Instruction ID: 5d87c4977c9e04f0a713b58718f9ae101553929b77fef8728e9e6116b8e17dad
Opcode Fuzzy Hash: 86be84aaa3148f7a7ca0c449e12fe4958467ea012c4fef8841f0814791c9fc53
Instruction Fuzzy Hash: 18E0ED36004141BBD7015FA1ED8C905FF39FF4A7217108630F62589072CB325422DF54

Function 0045BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0045BEB3

Strings

D%R, xrefs: 0045BDED, 0045BD91, 0045BD1B
D%RD%R, xrefs: 0045BCA5
D%R, xrefs: 0045BCA2
D%R, xrefs: 0045BE9A

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%R$D%R$D%R$D%RD%R
API String ID: 1385522511-3290291051
Opcode ID: 9d93eb0a436818ed5be7271c2ff501989c9b45578d96020dcfe4bbcf70e9fe7e
Instruction ID: a88f6e3af3835db5cc2c54c0d286b001947133f112c2154567dd44be0d5379e0
Opcode Fuzzy Hash: 9d93eb0a436818ed5be7271c2ff501989c9b45578d96020dcfe4bbcf70e9fe7e
Instruction Fuzzy Hash: 42918B75A0020ADFCB14CF58C0916AAB7F1FF59311F24816ED941AB352D739AD8ACBD8

Function 004D7B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00470242: EnterCriticalSection.KERNEL32(0052070C,00521884,?,?,0046198B,00522518,?,?,?,004512F9,00000000), ref: 0047024D
Part of subcall function 00470242: LeaveCriticalSection.KERNEL32(0052070C,?,0046198B,00522518,?,?,?,004512F9,00000000), ref: 0047028A

Part of subcall function 00459CB3: _wcslen.LIBCMT ref: 00459CBD

Part of subcall function 004700A3: __onexit.LIBCMT ref: 004700A9

__Init_thread_footer.LIBCMT ref: 004D7BFB

Part of subcall function 004701F8: EnterCriticalSection.KERNEL32(0052070C,?,?,00468747,00522514), ref: 00470202
Part of subcall function 004701F8: LeaveCriticalSection.KERNEL32(0052070C,?,00468747,00522514), ref: 00470235

Strings

5, xrefs: 004D7C78
+TJ, xrefs: 004D7E2E
Variable must be of type 'Object'., xrefs: 004D7C3A
G, xrefs: 004D7C7F

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +TJ$5$G$Variable must be of type 'Object'.
API String ID: 535116098-1441542163
Opcode ID: 1bc855495fb7830052cf0080348b970a9329c36da51f96cb58b6ff97dd051d2f
Instruction ID: a61a0fc5c6901a662c878f4d8a59e5a8536b6b02a47f5ec6e049141e2b55d668
Opcode Fuzzy Hash: 1bc855495fb7830052cf0080348b970a9329c36da51f96cb58b6ff97dd051d2f
Instruction Fuzzy Hash: 50919D74604208EFCB14EF55D8A19AEB7B2BF45304F10804FF8066B392EB39AE45CB59

Function 004BC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00457620: _wcslen.LIBCMT ref: 00457625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004BC6EE
_wcslen.LIBCMT ref: 004BC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004BC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 004BC7CA

Strings

0, xrefs: 004BC6AF

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 83292a1563364f6541b0745c4ac8fe600a3bfbb2a1f8fd4107d310ee176d99e2
Instruction ID: 811071f5047ddb328ba0b11cdc7ae0b4d393c385adea325370aaa08bb6a2c11b
Opcode Fuzzy Hash: 83292a1563364f6541b0745c4ac8fe600a3bfbb2a1f8fd4107d310ee176d99e2
Instruction Fuzzy Hash: 1351EF716043029BD7109F29C8C5BAB77E8AF99314F040A2FF995D3291DB68D808DB6A

Function 004DAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 004DAEA3

Part of subcall function 00457620: _wcslen.LIBCMT ref: 00457625

GetProcessId.KERNEL32(00000000), ref: 004DAF38
CloseHandle.KERNEL32(00000000), ref: 004DAF67

Strings

@, xrefs: 004DAE72
<, xrefs: 004DAE6B

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: ce4eb3bd2eb24c623297989040fc55df4bc075520bef4da0af1befd6b174f8aa
Instruction ID: c39075906de9554c2ede8b46c300d85fb358502159652f4085cd7375f6312a97
Opcode Fuzzy Hash: ce4eb3bd2eb24c623297989040fc55df4bc075520bef4da0af1befd6b174f8aa
Instruction Fuzzy Hash: 9C717A71A00218DFCB14DF55C494A9EBBF1BF08318F0484AEE856AB392D778ED45CB99

Function 004B719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 004B7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 004B723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 004B724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 004B72CF

Strings

DllGetClassObject, xrefs: 004B7242

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 14bee8ff27f72fe658cc14af042c1a0d9e645e7db99ee2bcd211a2d8accd0f4f
Instruction ID: 08bb449fff92b4b97e30436468f1c0ad59709b8d9758a849e391482b4613c6a0
Opcode Fuzzy Hash: 14bee8ff27f72fe658cc14af042c1a0d9e645e7db99ee2bcd211a2d8accd0f4f
Instruction Fuzzy Hash: 6A416071A042049FDB19CF64C8C4ADA7BA9EF84314F1480AEFD059F24AD7B8DA45DBB4

Function 004E3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004E3E35
IsMenu.USER32(?), ref: 004E3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004E3E92
DrawMenuBar.USER32 ref: 004E3EA5

Strings

0, xrefs: 004E3D89

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: ea5bdbecbfd5be987b5875ee04169467b03eff64d457b85b04aa0f3cdd4b1a50
Instruction ID: df079b39a80dba305d7c422e3f8ce8b7afe468bed9bb8d93750dfdfd54887ca3
Opcode Fuzzy Hash: ea5bdbecbfd5be987b5875ee04169467b03eff64d457b85b04aa0f3cdd4b1a50
Instruction Fuzzy Hash: B3419A74A00249EFDB11DF55D888EAABBB5FF49352F04412AE801AB350C334AE45CF54

Function 004B1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00459CB3: _wcslen.LIBCMT ref: 00459CBD

Part of subcall function 004B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004B3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 004B1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 004B1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 004B1EA9

Part of subcall function 00456B57: _wcslen.LIBCMT ref: 00456B6A

Strings

ComboBox, xrefs: 004B1DF0
ListBox, xrefs: 004B1E25

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 061a9a415881ebc2e53faa74b68206e23a9fa7f80f08ba61e4226230ee089d11
Instruction ID: 29ae5983d59f8c8eff1cb95b91d2f8d5b20e3181e606a262d666a3bd0fdc81d5
Opcode Fuzzy Hash: 061a9a415881ebc2e53faa74b68206e23a9fa7f80f08ba61e4226230ee089d11
Instruction Fuzzy Hash: 56212671A00144AADB14ABA5DC95CFFBBB9EF41354B50412FFC11A72E2DB3C8D0A9638

Function 004E2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 004E2F8D
LoadLibraryW.KERNEL32(?), ref: 004E2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 004E2FA9
DestroyWindow.USER32(?), ref: 004E2FB1

Strings

SysAnimate32, xrefs: 004E2F68

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 849049d0c7ec15f651841964812cd456d54ec8580d79f91ef56eae38e7181b0f
Instruction ID: e7856e802e3b23f4a36c8234e09159df32922829e39b2f19d5cfe6d893aee216
Opcode Fuzzy Hash: 849049d0c7ec15f651841964812cd456d54ec8580d79f91ef56eae38e7181b0f
Instruction Fuzzy Hash: 2321F371600285ABEB104F66DD80FBB37BDFF59329F10022AF910D6290D7B5DC51A768

Function 00474D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00474D1E,004828E9,?,00474CBE,004828E9,005188B8,0000000C,00474E15,004828E9,00000002), ref: 00474D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00474DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00474D1E,004828E9,?,00474CBE,004828E9,005188B8,0000000C,00474E15,004828E9,00000002,00000000), ref: 00474DC3

Strings

CorExitProcess, xrefs: 00474D98
mscoree.dll, xrefs: 00474D86

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: cf5a45ddad33a79fc863c7f1c7b6b8c73d56e1da3e7564f10386378fab467967
Instruction ID: 3ef788440981f6b8aea911efdcba22fa167630ef685cfca05edfb768fe5731b2
Opcode Fuzzy Hash: cf5a45ddad33a79fc863c7f1c7b6b8c73d56e1da3e7564f10386378fab467967
Instruction Fuzzy Hash: E7F04434540208BBDB115F90DC89BEEBFF5EF44752F0041A9F909A6251DB355941DA98

Function 00454E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00454EDD,?,00521418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00454E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00454EAE
FreeLibrary.KERNEL32(00000000,?,?,00454EDD,?,00521418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00454EC0

Strings

kernel32.dll, xrefs: 00454E94
Wow64DisableWow64FsRedirection, xrefs: 00454EA8

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: f4e450fa4208dfaf72deff573a77bc24d99164436a025f67b42970810928f124
Instruction ID: 31f045f5be5f7d6e093344b38797d584aba256231469b0bdbaf916404625b50d
Opcode Fuzzy Hash: f4e450fa4208dfaf72deff573a77bc24d99164436a025f67b42970810928f124
Instruction Fuzzy Hash: C2E08635A016225B922117256C99B5BA654AFC2F677050126FC00DB206DB68CD4644A8

Function 00454E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00493CDE,?,00521418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00454E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00454E74
FreeLibrary.KERNEL32(00000000,?,?,00493CDE,?,00521418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00454E87

Strings

kernel32.dll, xrefs: 00454E5B
Wow64RevertWow64FsRedirection, xrefs: 00454E6E

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: bb450ee11cd9d006db0c38fce0f06f49a7092d028197165edf19d20fbd56a869
Instruction ID: 24baf2896b9e75f0fcc698adcd0e9b0ced203b1767472a4d630d714f5f36501a
Opcode Fuzzy Hash: bb450ee11cd9d006db0c38fce0f06f49a7092d028197165edf19d20fbd56a869
Instruction Fuzzy Hash: B2D0C2319026615B56221B257C99E8BAA18AFC1F263050226BC00AE216CF28CD42C9DC

Function 004C2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004C2C05
DeleteFileW.KERNEL32(?), ref: 004C2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 004C2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004C2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004C2CC0

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 24e4e2d0235b2305c3aae3070e5bea5c2c455639810f05d9d9edb5ee702bfebf
Instruction ID: 1d3678c79605a83571f4095e746ea91141dc5ac6b2a73ca7d87cf5b56c946261
Opcode Fuzzy Hash: 24e4e2d0235b2305c3aae3070e5bea5c2c455639810f05d9d9edb5ee702bfebf
Instruction Fuzzy Hash: 95B16F75D00119ABDF11DFA5CD85EEEBB7DEF08314F0040ABFA09E6141EAB89A448F65

Function 004DA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 004DA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 004DA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 004DA468
CloseHandle.KERNEL32(?), ref: 004DA63D

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 74a0f5c7fd617eb46eb9ecbc5e500c10d7b58348ac4fec99156651eb6ba6e3a8
Instruction ID: 5cc2542883f451fd78208666819e5163888eca5478cb5aa47287c4518f9d953a
Opcode Fuzzy Hash: 74a0f5c7fd617eb46eb9ecbc5e500c10d7b58348ac4fec99156651eb6ba6e3a8
Instruction Fuzzy Hash: 95A1A171604300AFD720DF25D892B2AB7E1AF84718F14885EF9999B3D2DB74EC45CB86

Function 0048BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,004F3700), ref: 0048BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0052121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0048BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00521270,000000FF,?,0000003F,00000000,?), ref: 0048BC36
_free.LIBCMT ref: 0048BB7F

Part of subcall function 004829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0048D7D1,00000000,00000000,00000000,00000000,?,0048D7F8,00000000,00000007,00000000,?,0048DBF5,00000000), ref: 004829DE
Part of subcall function 004829C8: GetLastError.KERNEL32(00000000,?,0048D7D1,00000000,00000000,00000000,00000000,?,0048D7F8,00000000,00000007,00000000,?,0048DBF5,00000000,00000000), ref: 004829F0

_free.LIBCMT ref: 0048BD4B

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: dd7797affdd68727560d02f0d9ed3e271df0c8ada8f62256d5f66ab053141566
Instruction ID: f12ca3b201b95787e9b9b308a6dd04be54c88e22ec8bb998f283099874e0233b
Opcode Fuzzy Hash: dd7797affdd68727560d02f0d9ed3e271df0c8ada8f62256d5f66ab053141566
Instruction Fuzzy Hash: 8151E771900209EFCB20FF669C819AFBBB8EF51314B104A6FF454D7291EB349E459B98

Function 004BE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 004BDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,004BCF22,?), ref: 004BDDFD

Part of subcall function 004BDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,004BCF22,?), ref: 004BDE16

Part of subcall function 004BE199: GetFileAttributesW.KERNEL32(?,004BCF95), ref: 004BE19A

lstrcmpiW.KERNEL32(?,?), ref: 004BE473
MoveFileW.KERNEL32(?,?), ref: 004BE4AC
_wcslen.LIBCMT ref: 004BE5EB
_wcslen.LIBCMT ref: 004BE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 004BE650

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: de29c65b8caffd267e82e24e39eb8bd01f2b2a9946fb14cc57e461e5763d3fe9
Instruction ID: 63a997946a9391f2d5726b5e574654bff86630157ad568f1c5bde9c77e6066b1
Opcode Fuzzy Hash: de29c65b8caffd267e82e24e39eb8bd01f2b2a9946fb14cc57e461e5763d3fe9
Instruction Fuzzy Hash: FB5151B24083859BC724EBA5DC819DB73DCAFC4344F00492FF68993152EF78A588876E

Function 004DB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00459CB3: _wcslen.LIBCMT ref: 00459CBD

Part of subcall function 004DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004DB6AE,?,?), ref: 004DC9B5
Part of subcall function 004DC998: _wcslen.LIBCMT ref: 004DC9F1
Part of subcall function 004DC998: _wcslen.LIBCMT ref: 004DCA68
Part of subcall function 004DC998: _wcslen.LIBCMT ref: 004DCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004DBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004DBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 004DBB63
RegCloseKey.ADVAPI32(?,?), ref: 004DBBA6
RegCloseKey.ADVAPI32(00000000), ref: 004DBBB3

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: e1628b72971712476fd4212b9bce7d1329d49797e8677d179404d2256214b1d2
Instruction ID: bdab7a8a5ced6753931f5f6ab87d2e75d7851e0a5f23e812f40c9d0b98d3cbea
Opcode Fuzzy Hash: e1628b72971712476fd4212b9bce7d1329d49797e8677d179404d2256214b1d2
Instruction Fuzzy Hash: 0A616A31208241EFC714DF14C8A0E2ABBE5EF84308F55895EF4994B3A2DB35ED46CB96

Function 004B8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004B8BCD
VariantClear.OLEAUT32 ref: 004B8C3E
VariantClear.OLEAUT32 ref: 004B8C9D
VariantClear.OLEAUT32(?), ref: 004B8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 004B8D3B

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: e774bcc6e902446e2baa4ec44179fd0c09f7227e9c2debf2e9b3e86da5a7c0ae
Instruction ID: ecf6d840093819321dd23be7e7e914885e58e0fcc7c0324841140a935cd3cdbe
Opcode Fuzzy Hash: e774bcc6e902446e2baa4ec44179fd0c09f7227e9c2debf2e9b3e86da5a7c0ae
Instruction Fuzzy Hash: DA516DB5A00219DFCB10CF68D894AEAB7F8FF89314B15855AE905DB350D734E911CFA4

Function 004C8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 004C8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 004C8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 004C8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 004C8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 004C8C5F

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 46ff6b6ccb25302f8f548fb9484ce6bf34da98b1e0f05146bbf4c072aa94adbc
Instruction ID: 85c21d943059fe8e9ec827d25a267736269a1d59acd70e6db482de317d0ed2f0
Opcode Fuzzy Hash: 46ff6b6ccb25302f8f548fb9484ce6bf34da98b1e0f05146bbf4c072aa94adbc
Instruction Fuzzy Hash: AA515E35A00218AFCB00DF65C880E6ABBF5FF49318F08805DE849AB362DB35ED55CB94

Function 004D8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 004D8F40
GetProcAddress.KERNEL32(00000000,?), ref: 004D8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 004D8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 004D9032
FreeLibrary.KERNEL32(00000000), ref: 004D9052

Part of subcall function 0046F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,004C1043,?,7529E610), ref: 0046F6E6
Part of subcall function 0046F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,004AFA64,00000000,00000000,?,?,004C1043,?,7529E610,?,004AFA64), ref: 0046F70D

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: f20ce0b3ad84bd9f26a50a2a66d97ab827ca944476637c7770a2e54eff240443
Instruction ID: 7fbab859300cd13ae53c770948070849a22851b18b1289be4fd270603c644078
Opcode Fuzzy Hash: f20ce0b3ad84bd9f26a50a2a66d97ab827ca944476637c7770a2e54eff240443
Instruction Fuzzy Hash: EF513B35600205DFC715EF69C4948ADBBF1FF49318B0480AEE8459B362DB35ED8ACB95

Function 004E6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 004E6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 004E6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 004E6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,004CAB79,00000000,00000000), ref: 004E6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 004E6CC7

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 6e71ccd5161b84b954db03eb2ffb974cb24345a01f97387eaad83ee5528fb7fd
Instruction ID: bfb77c1cb84d3236f08036cf6894c5b0378bcbdbcb1f11f78f24bded373ac0ce
Opcode Fuzzy Hash: 6e71ccd5161b84b954db03eb2ffb974cb24345a01f97387eaad83ee5528fb7fd
Instruction Fuzzy Hash: 7841F935600194AFD724CF3ACC84FA67BA4EB19391F26022AFD95A73E1C375ED41C648

Function 00482051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004820C3
_free.LIBCMT ref: 004820E3

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1fef0180453f7d1c2559ad33661ded7db70e6717977578823f1919f88c90a950
Instruction ID: fd6a5681b5c7c79d6da7d692cca0f36eeafa61d7de45f9f72ed8165d60f7c1b0
Opcode Fuzzy Hash: 1fef0180453f7d1c2559ad33661ded7db70e6717977578823f1919f88c90a950
Instruction Fuzzy Hash: 56410472A002009FCB20EF79C984A5EB7E1EF89314F25896AE615EB391D775ED01CB85

Function 0046912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00469141
ScreenToClient.USER32(00000000,?), ref: 0046915E
GetAsyncKeyState.USER32(00000001), ref: 00469183
GetAsyncKeyState.USER32(00000002), ref: 0046919D

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 3478a9299a0400a2eed0ee24435310c49e5c76b539e1031caa54568332d8e43e
Instruction ID: cdfde70832719423e881d976feb25c9ef5b055336dd6999a764fda51193bcd94
Opcode Fuzzy Hash: 3478a9299a0400a2eed0ee24435310c49e5c76b539e1031caa54568332d8e43e
Instruction Fuzzy Hash: AC419271A0821AFBDF159F64C844BEEB7B8FB06324F20422AE425A73D0D7785D51CB96

Function 004C3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 004C38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 004C3922
TranslateMessage.USER32(?), ref: 004C394B
DispatchMessageW.USER32(?), ref: 004C3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004C3966

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 104c0fa2dc836efaa6a81ebadec3bb35c61cb9ae4df5245077574903169a7117
Instruction ID: 128dba720f2c012306bb89ab16eb5a02edd89244321442b01e2dfc4ddc3fff4a
Opcode Fuzzy Hash: 104c0fa2dc836efaa6a81ebadec3bb35c61cb9ae4df5245077574903169a7117
Instruction Fuzzy Hash: 9E31DDB45047829EEB75CF349848F7737E4AF26305F04856FD45286290D3B89686DB1D

Function 004CCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,004CC21E,00000000), ref: 004CCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 004CCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,004CC21E,00000000), ref: 004CCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,004CC21E,00000000), ref: 004CCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,004CC21E,00000000), ref: 004CCFF2

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 7931f8d5589dc99f1ccdc7faefb003ae7eb4f9be2b3e2dc251534859cf33a7c8
Instruction ID: 119fe2d349f9660806af13827b9fde6e761ac7533c6815b27c1fbec909cf7b53
Opcode Fuzzy Hash: 7931f8d5589dc99f1ccdc7faefb003ae7eb4f9be2b3e2dc251534859cf33a7c8
Instruction Fuzzy Hash: 2A317F75900205EFDB60DFA5D8C4EABBBFAEB04314B10446FF51AD6281E738ED419B68

Function 004B1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 004B1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 004B19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 004B19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 004B19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 004B19E2

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 67647ae661e3c0c6b2b84be084d0523a5484a931b2d2706a35ba93faf3bf7964
Instruction ID: 9368e60f4f09f495132916533d0570b387f17596fcdec7215b8e49cb85f6accc
Opcode Fuzzy Hash: 67647ae661e3c0c6b2b84be084d0523a5484a931b2d2706a35ba93faf3bf7964
Instruction Fuzzy Hash: D431E4B1900259EFCB00CFA8CD98ADF7BB5EB04314F004226F921AB2E1C3749945CBA4

Function 004E5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 004E5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 004E579D
_wcslen.LIBCMT ref: 004E57AF
_wcslen.LIBCMT ref: 004E57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 004E5816

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: f48b3f32c8712dc6baeb0e99f95086b8939aa30007cf6f005f97a126d235ee90
Instruction ID: 39f4cdc8676a8866c38746a5e6007f17acded086a638ff7449b73bbfa28464a1
Opcode Fuzzy Hash: f48b3f32c8712dc6baeb0e99f95086b8939aa30007cf6f005f97a126d235ee90
Instruction Fuzzy Hash: 9821A7719046989ADB20DF62CC84AEE7778FF04329F108217E919DB2C1D7748985CF59

Function 004D0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 004D0951
GetForegroundWindow.USER32 ref: 004D0968
GetDC.USER32(00000000), ref: 004D09A4
GetPixel.GDI32(00000000,?,00000003), ref: 004D09B0
ReleaseDC.USER32(00000000,00000003), ref: 004D09E8

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 452e1be08ff62ba4cafc211acda8119206dad9cd250aad6cb627c26e3a3bbccd
Instruction ID: f3977322c7edcb369f810050333e0939211247eedf678b8cd2628485cb69d0cc
Opcode Fuzzy Hash: 452e1be08ff62ba4cafc211acda8119206dad9cd250aad6cb627c26e3a3bbccd
Instruction Fuzzy Hash: DD21A175600204AFD704EF69C894EAEBBE5EF44704F00807EE84ADB362DB34AC05CB94

Function 0048CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0048CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0048CDE9

Part of subcall function 00483820: RtlAllocateHeap.NTDLL(00000000,?,00521444,?,0046FDF5,?,?,0045A976,00000010,00521440,004513FC,?,004513C6,?,00451129), ref: 00483852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0048CE0F
_free.LIBCMT ref: 0048CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0048CE31

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: cff37b1021203a4c7c984b9f212cee9aee39ff7b70cfd21175b84603f2658f87
Instruction ID: 8731bd927e151461863007937a881e210c9f941fade8ab3ba0f58189c6c80b24
Opcode Fuzzy Hash: cff37b1021203a4c7c984b9f212cee9aee39ff7b70cfd21175b84603f2658f87
Instruction Fuzzy Hash: 9D01D4726012557F23213ABA6CC8C7F696DDFC6BA1315052FFD05C7201EA788D0283B8

Function 00469639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00469693
SelectObject.GDI32(?,00000000), ref: 004696A2
BeginPath.GDI32(?), ref: 004696B9
SelectObject.GDI32(?,00000000), ref: 004696E2

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: feb6a1463d2ebd40287c37fc6d4b90bb8ac2cccdc7f7a4cc3db4c80ea62712a9
Instruction ID: e6407285554fd42b592b9c672f0ce0035e457a91f10de16a4e1503a1f05393c1
Opcode Fuzzy Hash: feb6a1463d2ebd40287c37fc6d4b90bb8ac2cccdc7f7a4cc3db4c80ea62712a9
Instruction Fuzzy Hash: 05214C70802749EBDB219F64DC447AB7B69BF32315F100226F410961B1E3B85C9BEB9E

Function 004B5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 004B5726
_memcmp.LIBVCRUNTIME ref: 004B5744
_memcmp.LIBVCRUNTIME ref: 004B5757
_memcmp.LIBVCRUNTIME ref: 004B576F
_memcmp.LIBVCRUNTIME ref: 004B5787

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 0a9dca4f37dc450cb5ae7afae9aa81646e32d39eb1eb10b77513d8250a021b76
Instruction ID: f85a4c261ad5d736144c7814db7d4c1b5ff4d5e86f5d40c1764f9d3e3bcb4b11
Opcode Fuzzy Hash: 0a9dca4f37dc450cb5ae7afae9aa81646e32d39eb1eb10b77513d8250a021b76
Instruction Fuzzy Hash: 22019671741605BAB20855169D42FFBB35C9B21399F204037FD089A641FA6CEE1582BD

Function 00482DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0047F2DE,00483863,00521444,?,0046FDF5,?,?,0045A976,00000010,00521440,004513FC,?,004513C6), ref: 00482DFD
_free.LIBCMT ref: 00482E32
_free.LIBCMT ref: 00482E59
SetLastError.KERNEL32(00000000,00451129), ref: 00482E66
SetLastError.KERNEL32(00000000,00451129), ref: 00482E6F

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: c94831fbad2deb581765603e2e31604789e3cb8f14cca72eaf161aafa0a50587
Instruction ID: ca19448120cee76e731c09f37ea18e034953b99fbb6613b60ae7a966b394a3d3
Opcode Fuzzy Hash: c94831fbad2deb581765603e2e31604789e3cb8f14cca72eaf161aafa0a50587
Instruction Fuzzy Hash: 7C01D67228560067861237396E85D3F1559AFD1769B214C2BF825A22D3EBAC8802832C

Function 004B000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,004AFF41,80070057,?,?,?,004B035E), ref: 004B002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004AFF41,80070057,?,?), ref: 004B0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004AFF41,80070057,?,?), ref: 004B0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004AFF41,80070057,?), ref: 004B0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004AFF41,80070057,?,?), ref: 004B0070

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 33888b51a7025070253a6932a2c96c38b73bef0e4034cc1f1bf643e9e34d7c02
Instruction ID: d6c30c212f01e256d5a4e418107867a1aa0ca3134124eebec1af544975e0b167
Opcode Fuzzy Hash: 33888b51a7025070253a6932a2c96c38b73bef0e4034cc1f1bf643e9e34d7c02
Instruction Fuzzy Hash: 4F018B72600204BFDB116F68EC84BEB7AADFB44793F144125F905EA211EB79DD418BA4

Function 004BE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 004BE997
QueryPerformanceFrequency.KERNEL32(?), ref: 004BE9A5
Sleep.KERNEL32(00000000), ref: 004BE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 004BE9B7
Sleep.KERNEL32 ref: 004BE9F3

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: d7a781e61fb6d1acf8758fa38b3048727936a6ab5adf6455ef6d04c43d38183e
Instruction ID: 314cb6233a28e0b787f67797ae1da2031fbaddf6509e89d5165a76f4e9edd6d3
Opcode Fuzzy Hash: d7a781e61fb6d1acf8758fa38b3048727936a6ab5adf6455ef6d04c43d38183e
Instruction Fuzzy Hash: 51012D71C01529DBCF009FE6DD996EDFB78FF49701F000556E502B6241CB38955ACBAA

Function 004B10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 004B1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,004B0B9B,?,?,?), ref: 004B1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,004B0B9B,?,?,?), ref: 004B112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,004B0B9B,?,?,?), ref: 004B1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 004B114D

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 6ce605d21eddaaee77b9d662d49912067baf266a5483eb880188bd677b70bd7f
Instruction ID: 47ce42ff8fc2d64c3f5421635dbffcb67a450f964b79e9977aca82d2b1dfad9b
Opcode Fuzzy Hash: 6ce605d21eddaaee77b9d662d49912067baf266a5483eb880188bd677b70bd7f
Instruction Fuzzy Hash: BF011D75100205BFDB114FA9DC99AAB3B6EEF8A360B504429FA45D7361DA31DC019A74

Function 004B0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004B0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004B0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004B0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004B0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004B1002

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: cd505c0b8730582cd31cb3585e9a3a9f1898ad58741a3f97894d915453a00b7e
Instruction ID: 9566d6453651bfeddf8f800533ad73362c86cbd6c40233cda28abafa6308174c
Opcode Fuzzy Hash: cd505c0b8730582cd31cb3585e9a3a9f1898ad58741a3f97894d915453a00b7e
Instruction Fuzzy Hash: 92F0A935200345ABDB211FA49CCDF973BADEF8A762F500425FE05DA262CA30DC418A64

Function 004B1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 004B102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 004B1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004B1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 004B104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004B1062

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 8936425d9f12a3b5c14f6e9f53aff1ee0258b22a36c2be5faf62448deb67c76c
Instruction ID: 2afbcc1854334d6b66663703475c19669976815423687b6de2599575f595de55
Opcode Fuzzy Hash: 8936425d9f12a3b5c14f6e9f53aff1ee0258b22a36c2be5faf62448deb67c76c
Instruction Fuzzy Hash: 63F0CD35200341EBDB212FA4ECD8F973BADEF8A761F100425FE05EB261CA30D8418A74

Function 004C030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,004C017D,?,004C32FC,?,00000001,00492592,?), ref: 004C0324
CloseHandle.KERNEL32(?,?,?,?,004C017D,?,004C32FC,?,00000001,00492592,?), ref: 004C0331
CloseHandle.KERNEL32(?,?,?,?,004C017D,?,004C32FC,?,00000001,00492592,?), ref: 004C033E
CloseHandle.KERNEL32(?,?,?,?,004C017D,?,004C32FC,?,00000001,00492592,?), ref: 004C034B
CloseHandle.KERNEL32(?,?,?,?,004C017D,?,004C32FC,?,00000001,00492592,?), ref: 004C0358
CloseHandle.KERNEL32(?,?,?,?,004C017D,?,004C32FC,?,00000001,00492592,?), ref: 004C0365

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 204aa1a763946fa0f1e05a3b7dc12b7f3c628e5ca66d4685899d8c67b73c38d4
Instruction ID: 985e538c2df6f0c97780b6239d63644c01876dd86561b3278f7b09693f1fdd63
Opcode Fuzzy Hash: 204aa1a763946fa0f1e05a3b7dc12b7f3c628e5ca66d4685899d8c67b73c38d4
Instruction Fuzzy Hash: A401DC76800B81CFCB30AF66D880813FBF9BF602153048A3FD59252A31C3B4A949CE84

Function 0048D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0048D752

Part of subcall function 004829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0048D7D1,00000000,00000000,00000000,00000000,?,0048D7F8,00000000,00000007,00000000,?,0048DBF5,00000000), ref: 004829DE
Part of subcall function 004829C8: GetLastError.KERNEL32(00000000,?,0048D7D1,00000000,00000000,00000000,00000000,?,0048D7F8,00000000,00000007,00000000,?,0048DBF5,00000000,00000000), ref: 004829F0

_free.LIBCMT ref: 0048D764
_free.LIBCMT ref: 0048D776
_free.LIBCMT ref: 0048D788
_free.LIBCMT ref: 0048D79A

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 67c216abdaa2063e021cc9723780b37122cf033d08518f76fdc0bdbba978a87b
Instruction ID: cb241760b06db882ea1c6bf228bf9f05597ab54ef16dd6cc4b2b4a160dbf744e
Opcode Fuzzy Hash: 67c216abdaa2063e021cc9723780b37122cf033d08518f76fdc0bdbba978a87b
Instruction Fuzzy Hash: B3F04FB2A41204AB8621FB69FAC1C5F7BEDBB04310B954C0BF049D7642C72DFC808768

Function 004B5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 004B5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 004B5C6F
MessageBeep.USER32(00000000), ref: 004B5C87
KillTimer.USER32(?,0000040A), ref: 004B5CA3
EndDialog.USER32(?,00000001), ref: 004B5CBD

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 87bd2b6aa4324dbdd151b613b120ac71108dd1d3c4bf8b77c272c6c8f20a080a
Instruction ID: 991dfa8aa43a5e132f54f8773face458731c0a47ecce11af0d85ddac589fc5ea
Opcode Fuzzy Hash: 87bd2b6aa4324dbdd151b613b120ac71108dd1d3c4bf8b77c272c6c8f20a080a
Instruction Fuzzy Hash: 97018B305007449BFB205B20DDCEFE7BBB9BF00705F00066AA543A50E1D7F469458A99

Function 004822A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004822BE

Part of subcall function 004829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0048D7D1,00000000,00000000,00000000,00000000,?,0048D7F8,00000000,00000007,00000000,?,0048DBF5,00000000), ref: 004829DE
Part of subcall function 004829C8: GetLastError.KERNEL32(00000000,?,0048D7D1,00000000,00000000,00000000,00000000,?,0048D7F8,00000000,00000007,00000000,?,0048DBF5,00000000,00000000), ref: 004829F0

_free.LIBCMT ref: 004822D0
_free.LIBCMT ref: 004822E3
_free.LIBCMT ref: 004822F4
_free.LIBCMT ref: 00482305

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4b9d9d4beb7ffb054854075998280dd095edf8c611501786b29764f147457e1e
Instruction ID: 86e0de0a3a47c05eaa7089e61b3b54e273a57fc7bf72faf113da79f4d3f6d4fa
Opcode Fuzzy Hash: 4b9d9d4beb7ffb054854075998280dd095edf8c611501786b29764f147457e1e
Instruction Fuzzy Hash: 69F030F85815109B8622BF55BE4184D3F64BB3A750701294BF410D22B2C7791457BBAC

Function 004695C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 004695D4
StrokeAndFillPath.GDI32(?,?,004A71F7,00000000,?,?,?), ref: 004695F0
SelectObject.GDI32(?,00000000), ref: 00469603
DeleteObject.GDI32 ref: 00469616
StrokePath.GDI32(?), ref: 00469631

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: d1f44561877719925fdcf06bd984d838db263a7980c34530c27b2ff103adb97b
Instruction ID: eb01b8b4b222b8ed05f10483239796ec832c39e3c9079f3728506eca9a5c834d
Opcode Fuzzy Hash: d1f44561877719925fdcf06bd984d838db263a7980c34530c27b2ff103adb97b
Instruction Fuzzy Hash: DAF06D31006788EBC7264F64EC88B663B65AB22322F008224F425591F1D774499BEF2D

Function 00480F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 004810F9
__freea.LIBCMT ref: 00481117

Part of subcall function 00481537: _free.LIBCMT ref: 0048154F

Strings

am/pm, xrefs: 0048117A
a/p, xrefs: 004811DE

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 2cf32d43858787bfddf2db20b74720dfc6441e489ff6e6c4365dbd76614b51bd
Instruction ID: 28bdc92f05109c1edeb900fb14c892de6229e83cc1e0014bdf6551fc5eca774a
Opcode Fuzzy Hash: 2cf32d43858787bfddf2db20b74720dfc6441e489ff6e6c4365dbd76614b51bd
Instruction Fuzzy Hash: F1D1D331900205CAEB25AF68C845AFFB7B8EF06700F14495BE905ABB61D37D9D83CB59

Function 004D61D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00470242: EnterCriticalSection.KERNEL32(0052070C,00521884,?,?,0046198B,00522518,?,?,?,004512F9,00000000), ref: 0047024D
Part of subcall function 00470242: LeaveCriticalSection.KERNEL32(0052070C,?,0046198B,00522518,?,?,?,004512F9,00000000), ref: 0047028A

Part of subcall function 004700A3: __onexit.LIBCMT ref: 004700A9

__Init_thread_footer.LIBCMT ref: 004D6238

Part of subcall function 004701F8: EnterCriticalSection.KERNEL32(0052070C,?,?,00468747,00522514), ref: 00470202
Part of subcall function 004701F8: LeaveCriticalSection.KERNEL32(0052070C,?,00468747,00522514), ref: 00470235

Part of subcall function 004C359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004C35E4
Part of subcall function 004C359C: LoadStringW.USER32(00522390,?,00000FFF,?), ref: 004C360A

Strings

x#R, xrefs: 004D636F
x#R, xrefs: 004D633A
x#R, xrefs: 004D6353

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#R$x#R$x#R
API String ID: 1072379062-4169567378
Opcode ID: cde4a2d773077c1e74365c6aa35e660bee6d1337ded1aa939ad80c215012e5b4
Instruction ID: b8f11610e78d5f35b1950b315f39de64def1f0e806bc82de073d090920cc64d6
Opcode Fuzzy Hash: cde4a2d773077c1e74365c6aa35e660bee6d1337ded1aa939ad80c215012e5b4
Instruction Fuzzy Hash: C5C17B71A00105ABCB14EF59D8A0EBAB7B9EF48304F11806FE9059B391DB78ED45CB99

Function 00485AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JOE, xrefs: 00485BA8, 00485C6C

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID:
String ID: JOE
API String ID: 0-4078647249
Opcode ID: faff96f762d5cbee51d1821edaf495a0245764b5aff707f579d130e4e19cebbd
Instruction ID: ec665c1d7802b9e7d7e9bb2f6477486f65e625d6e4aa7639b49578954dfa7754
Opcode Fuzzy Hash: faff96f762d5cbee51d1821edaf495a0245764b5aff707f579d130e4e19cebbd
Instruction Fuzzy Hash: D4511075D006099FCB21BFA9C845FEFBBB8AF15314F10085BF404A7292D7399942CB6A

Function 00488A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00488B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00488B7A
__dosmaperr.LIBCMT ref: 00488B81

Strings

.G, xrefs: 00488A63

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .G
API String ID: 2434981716-1092520701
Opcode ID: bbae34bdba125c8f7410ffb479ca44e916e22b6dee9fff26c5a26de64fab5ecf
Instruction ID: 12ada02025360ea328d86a3cdbf68ca72813bcb5ab11bd5f0a650456d045d90a
Opcode Fuzzy Hash: bbae34bdba125c8f7410ffb479ca44e916e22b6dee9fff26c5a26de64fab5ecf
Instruction Fuzzy Hash: DB415E70504045AFDB24AF14C880A7E7FA6DFC6304B2849AFF89587683DE399C039758

Function 004B2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004BB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004B21D0,?,?,00000034,00000800,?,00000034), ref: 004BB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004B2760

Part of subcall function 004BB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004B21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 004BB3F8

Part of subcall function 004BB32A: GetWindowThreadProcessId.USER32(?,?), ref: 004BB355
Part of subcall function 004BB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,004B2194,00000034,?,?,00001004,00000000,00000000), ref: 004BB365
Part of subcall function 004BB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,004B2194,00000034,?,?,00001004,00000000,00000000), ref: 004BB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004B27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004B281A

Strings

@, xrefs: 004B2832

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: d191273f738626435f18ea34aefb4d87d6d151ff54e4392306b27685ca8ee68c
Instruction ID: f591848d7f6772c1c9a46a8bf0ecaa65ec13386a0ca3c1696fcfe18ab0d8be80
Opcode Fuzzy Hash: d191273f738626435f18ea34aefb4d87d6d151ff54e4392306b27685ca8ee68c
Instruction Fuzzy Hash: 08413D72900218AFDB10DFA4CD85AEEBBB8EF09704F00405AFA55B7191DBB46E45CBA4

Function 0048172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00481769
_free.LIBCMT ref: 00481834
_free.LIBCMT ref: 0048183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00481760, 00481767, 00481796, 004817CE

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-517116171
Opcode ID: 3a06ff13fd11fb8cc3296c10f1b22824bd9229374a762556be8340c8de8b7a62
Instruction ID: 0fb4a1dd96e239b9546a857600dbd312625bd0a1d7c15d0a78e11ed31f87c8a6
Opcode Fuzzy Hash: 3a06ff13fd11fb8cc3296c10f1b22824bd9229374a762556be8340c8de8b7a62
Instruction Fuzzy Hash: 95318275A00218EBDB21FB9A9881D9FBBFCEF95310F1045ABF80497321D6744E46DB98

Function 004BC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 004BC306
DeleteMenu.USER32(?,00000007,00000000), ref: 004BC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00521990,015657D0), ref: 004BC395

Strings

0, xrefs: 004BC2DF

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 923632adbda735f2458660c7adf44e1a87e91ac3b37b641cfaea51abe48f43c9
Instruction ID: fb722bf55f832e41b9e2ee36283a0c9e4de3ac023b55fe4312288e3c6403e778
Opcode Fuzzy Hash: 923632adbda735f2458660c7adf44e1a87e91ac3b37b641cfaea51abe48f43c9
Instruction Fuzzy Hash: 58419F312043419FD720DF25D8C4B9BBBE8AB85314F04865EFCA5972D1D778A905CB6A

Function 004E4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,004ECC08,00000000,?,?,?,?), ref: 004E44AA
GetWindowLongW.USER32 ref: 004E44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004E44D7

Strings

SysTreeView32, xrefs: 004E447C

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: d545433f41451448d049f68d78969cfb767a6ac5c823a14da744dfc07efc0779
Instruction ID: 93f3a3bd5ae080706ca5eb6d697e04d67d4e0ab656ba14b7f2ea84dffcfbf11d
Opcode Fuzzy Hash: d545433f41451448d049f68d78969cfb767a6ac5c823a14da744dfc07efc0779
Instruction Fuzzy Hash: EA31AF31200245AFDB208E39DC85BEB77A9EB48339F20472AF975922D1D778EC519754

Function 004B6E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 004B6EED
VariantCopyInd.OLEAUT32(?,?), ref: 004B6F08
VariantClear.OLEAUT32(?), ref: 004B6F12

Strings

*jK, xrefs: 004B6E8B, 004B6E90, 004B6EF8

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jK
API String ID: 2173805711-3028746513
Opcode ID: 941af2c5788ecb76d3e84d66bfc04e24aa75d2d161d2ba2d7e4de1a3ddee4a45
Instruction ID: ec49f886c320d6dd6fca62aae52c1b907d0a51d075693ec2e150dbbd80b06ab2
Opcode Fuzzy Hash: 941af2c5788ecb76d3e84d66bfc04e24aa75d2d161d2ba2d7e4de1a3ddee4a45
Instruction Fuzzy Hash: DB31C171704245DBCB04AFA5E8909FE3775FF44309B1104AAF8064B2A2C73C9916CBE9

Function 004D304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004D335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,004D3077,?,?), ref: 004D3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 004D307A
_wcslen.LIBCMT ref: 004D309B
htons.WSOCK32(00000000,?,?,00000000), ref: 004D3106

Strings

255.255.255.255, xrefs: 004D3095, 004D309A

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 3d97110af4826a1ce0ca0e87d160dc534cc02494e364ce36fd2bca52cfab6d11
Instruction ID: c18cda244037d19329f4ed7053994d7c478a59b5f339687624df79f4f9c6094a
Opcode Fuzzy Hash: 3d97110af4826a1ce0ca0e87d160dc534cc02494e364ce36fd2bca52cfab6d11
Instruction Fuzzy Hash: 7031F539200202DFCB11CF28C595EAA77E0EF14319F24805BE9158B397C779EE46C766

Function 004E4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 004E4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 004E4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 004E471A

Strings

msctls_updown32, xrefs: 004E4684

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 84485e8790de5701b8d6cf6ae07cb336a16276cb89f6ee2401c3a72bfe57907f
Instruction ID: 8891b3ca2bbf2428691b741095714ea8b8f0b4e3ca2bb1fb8fd8f16489b0f591
Opcode Fuzzy Hash: 84485e8790de5701b8d6cf6ae07cb336a16276cb89f6ee2401c3a72bfe57907f
Instruction Fuzzy Hash: 0821A4B5600248AFDB10DF65DCC1DB737ADEF9A359B00015AFA009B351C734EC52DAA8

Function 004B95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004B961D

Strings

#notrayicon, xrefs: 004B95B7
#OnAutoItStartRegister, xrefs: 004B95F3
#requireadmin, xrefs: 004B95D9

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 5064539e1728276a57689928f160b282181d08c99f5907f5147dc891ebfb62be
Instruction ID: b8360895cf14f1f69828dc713784d9851810ee1666a1d4a4f0fcd58b385a498a
Opcode Fuzzy Hash: 5064539e1728276a57689928f160b282181d08c99f5907f5147dc891ebfb62be
Instruction Fuzzy Hash: 9921387214411066C331AA269C02FFB73D89FA1314F24843FFB4997242EB5DAD46C2BE

Function 004E37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 004E3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 004E3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 004E3876

Strings

Listbox, xrefs: 004E380F

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 40cd2c8033f37684fff2aeb7ca33bad3f382a6041162b0d067db20ff3c2c04b6
Instruction ID: 47b3242ad6ac8d22e0e53ea1f553c4aa4bf0e316f6a2cb385112c973037ae2a5
Opcode Fuzzy Hash: 40cd2c8033f37684fff2aeb7ca33bad3f382a6041162b0d067db20ff3c2c04b6
Instruction Fuzzy Hash: B52107726001587BEF129F56CC85FBB37AEEF89756F008125F9009B290C675DC52C794

Function 004C49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004C4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 004C4A5C
SetErrorMode.KERNEL32(00000000,?,?,004ECC08), ref: 004C4AD0

Strings

%lu, xrefs: 004C4A6F

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 8d688b984c08a888c94241b012db0d2d616dfa289169704cb85359101fed3191
Instruction ID: 12e05301e31500c13b0145791f7969b3953516f452707e331d66349464650420
Opcode Fuzzy Hash: 8d688b984c08a888c94241b012db0d2d616dfa289169704cb85359101fed3191
Instruction Fuzzy Hash: A3318E75A00108AFDB10DF54C985EAABBF8EF48308F1480AAF809DF252D775ED46CB65

Function 004E41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 004E424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 004E4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 004E4271

Strings

msctls_trackbar32, xrefs: 004E4226

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 67ad1949356179ebdf6968b0e7c9ecd9d8eadf9aca7be1818153c7f03a24aaf5
Instruction ID: 6377e1175b83dc12853eb0bc913200c9675138ca598bdebc0e431fe825dc3af1
Opcode Fuzzy Hash: 67ad1949356179ebdf6968b0e7c9ecd9d8eadf9aca7be1818153c7f03a24aaf5
Instruction Fuzzy Hash: 9C113A312402887EEF205F3ACC45FAB3BACEFD5B65F010125FA44E2190C275DC119714

Function 004B2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00456B57: _wcslen.LIBCMT ref: 00456B6A

Part of subcall function 004B2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 004B2DC5
Part of subcall function 004B2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 004B2DD6
Part of subcall function 004B2DA7: GetCurrentThreadId.KERNEL32 ref: 004B2DDD
Part of subcall function 004B2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 004B2DE4

GetFocus.USER32 ref: 004B2F78

Part of subcall function 004B2DEE: GetParent.USER32(00000000), ref: 004B2DF9

GetClassNameW.USER32(?,?,00000100), ref: 004B2FC3
EnumChildWindows.USER32(?,004B303B), ref: 004B2FEB

Strings

%s%d, xrefs: 004B2FFF

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: e4f51d88b61ce3c93fbd669f20b36f717373a6482a58f367a081a039c17a28dd
Instruction ID: 89e7441748b1950336ce47d6e019df134cb00b731a5082e718c70f9d74a9cc9d
Opcode Fuzzy Hash: e4f51d88b61ce3c93fbd669f20b36f717373a6482a58f367a081a039c17a28dd
Instruction Fuzzy Hash: 1D11B7716002056BDF147F728CC5EEE376AAF94309F04407AFD099B253DE78594A8B74

Function 004E5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004E58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004E58EE
DrawMenuBar.USER32(?), ref: 004E58FD

Strings

0, xrefs: 004E588F

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 7183b0fc123a69d2d57511ba0d8683e2a1ab669008150f3616d4116051d6beef
Instruction ID: c5a0b70e32c13e64adb58e072dabd99691e898e8ae38c094a3bdf35c487bf04f
Opcode Fuzzy Hash: 7183b0fc123a69d2d57511ba0d8683e2a1ab669008150f3616d4116051d6beef
Instruction Fuzzy Hash: 8001A171500258EFDB109F12DC84BEFBBB4FB45369F0080AAE848DA252DB348A85DF25

Function 004AD3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 004AD3BF
FreeLibrary.KERNEL32 ref: 004AD3E5

Strings

X64, xrefs: 004AD2A8
GetSystemWow64DirectoryW, xrefs: 004AD3B9

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: fa8d4e6e908b8d40ed6437898732dff4e8e5a1f8ad5fff5d8df2b470047aab5c
Instruction ID: ec9e00b7bca41079d5936d293f135289f3c8a3bce73338aa0b13a84080458f79
Opcode Fuzzy Hash: fa8d4e6e908b8d40ed6437898732dff4e8e5a1f8ad5fff5d8df2b470047aab5c
Instruction Fuzzy Hash: 84F02722C01A2187D72142105CD4B9A7220BF32701B548197E803E5609E71CCC46C6CF

Function 004B007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69822b61fe5a4c332058f521aefe0a95c387b74d2f0858ddb121088c5075d2bb
Instruction ID: db4366a3721292a3dc09a66d3fb9b9faa28493bd8611348459f99037ebfe38f2
Opcode Fuzzy Hash: 69822b61fe5a4c332058f521aefe0a95c387b74d2f0858ddb121088c5075d2bb
Instruction Fuzzy Hash: C5C15D75A00206EFDB18CFA8C898AAFB7B5FF48305F108599E905EB251D735DD42CBA4

Function 004D342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 004D3459
CoUninitialize.OLE32 ref: 004D3463
VariantInit.OLEAUT32(?), ref: 004D346E
VariantClear.OLEAUT32(?), ref: 004D371B

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: bb57a9b6e6fa6cc09c53c59effce5c2a4ffb8ebb7b598fca807f608497aba02a
Instruction ID: 0e02a377e836e953ef9fdf55e33a8384c10d9247218eeff7547be16bfd7c82c8
Opcode Fuzzy Hash: bb57a9b6e6fa6cc09c53c59effce5c2a4ffb8ebb7b598fca807f608497aba02a
Instruction Fuzzy Hash: B5A15A75204200AFC710DF25C495A2AB7E5FF88759F04885EF98A9B362DB38ED05CB5A

Function 004B0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,004EFC08,?), ref: 004B05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,004EFC08,?), ref: 004B0608
CLSIDFromProgID.OLE32(?,?,00000000,004ECC40,000000FF,?,00000000,00000800,00000000,?,004EFC08,?), ref: 004B062D
_memcmp.LIBVCRUNTIME ref: 004B064E

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: c4a1c36d0209b157820926256928213e5f392ef937c3786abd746dcde4ae2263
Instruction ID: fd97021d00e2fa7e763c0c8fa595ddcdb2c1be5d29e0e0358cc2e4858bf34c29
Opcode Fuzzy Hash: c4a1c36d0209b157820926256928213e5f392ef937c3786abd746dcde4ae2263
Instruction Fuzzy Hash: 0A810B71A00109EFCB04DF98C984EEFB7B9FF89316F204559E506AB250DB75AE06CB64

Function 00491391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004914C0

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 435bf34ee4b5ad4d7bb9a7220250f7f7e8c0f7ec5f138ae6f6b184e7f7634b53
Instruction ID: 48452378026a5595d677acf3399e29e1fd44bd449a9ae078e2a7f34c3aedec28
Opcode Fuzzy Hash: 435bf34ee4b5ad4d7bb9a7220250f7f7e8c0f7ec5f138ae6f6b184e7f7634b53
Instruction Fuzzy Hash: 8E415D316005026BDF257BBA8C45ABF3EA4EF45374F25467BF818D62E2E63C8841476A

Function 004E6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 004E62E2
ScreenToClient.USER32(?,?), ref: 004E6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 004E6382

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 0559e773343f1a471a435889fbff181453fe66c344511267ac58b587fc0252fa
Instruction ID: 38cdf049e784638b9de53d0c30d31f4d348d09d729f78f829ddecc98f3dbce5e
Opcode Fuzzy Hash: 0559e773343f1a471a435889fbff181453fe66c344511267ac58b587fc0252fa
Instruction Fuzzy Hash: FA516B70900289AFCB20DF69D8809AF7BB6EF653A1F11816AF9149B391D734AD81CB54

Function 004D1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 004D1AFD
WSAGetLastError.WSOCK32 ref: 004D1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 004D1B8A
WSAGetLastError.WSOCK32 ref: 004D1B94

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 685e2af9d22751a59b6cb1c82661e5bdabd8d2a11deadbbbfc5912a24a2ad8ee
Instruction ID: 412f06c7d83aed2058937d59c423a1c3d1517743b77c7552dd66c29ca2fb8e65
Opcode Fuzzy Hash: 685e2af9d22751a59b6cb1c82661e5bdabd8d2a11deadbbbfc5912a24a2ad8ee
Instruction Fuzzy Hash: 6F41B134600200AFE720AF25C886F2677E5AB44718F54845EF91A9F3D3E77AED42CB95

Function 0048B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed258d06f50d9e07c15b1d437aeeccd1454d3325bca08c032cf8e5b517981985
Instruction ID: 00e38616e1adeec14fe624730151d43343bf5c7e19d56514125b9167d4ee6f65
Opcode Fuzzy Hash: ed258d06f50d9e07c15b1d437aeeccd1454d3325bca08c032cf8e5b517981985
Instruction Fuzzy Hash: 0041F871900604BFD724AF39C842B6EBBA9EB84B14F10892FF545DB292D379990187D4

Function 004C56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 004C5783
GetLastError.KERNEL32(?,00000000), ref: 004C57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 004C57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 004C57FA

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 4ad0386d0e445e501f0b3f0be576009c1408e5d5341982b1f7a23b52cf9e823c
Instruction ID: e7bd91e719ee6d852d063227f20b00194c96e6d7e36dcd510b82fd574fbfaa82
Opcode Fuzzy Hash: 4ad0386d0e445e501f0b3f0be576009c1408e5d5341982b1f7a23b52cf9e823c
Instruction Fuzzy Hash: D6415E39600610DFCB10EF15C484A1EBBE1EF88329B18849DEC4A5B362DB38FD45CB95

Function 0048D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00476D71,00000000,00000000,004782D9,?,004782D9,?,00000001,00476D71,?,00000001,004782D9,004782D9), ref: 0048D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0048D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0048D9AB
__freea.LIBCMT ref: 0048D9B4

Part of subcall function 00483820: RtlAllocateHeap.NTDLL(00000000,?,00521444,?,0046FDF5,?,?,0045A976,00000010,00521440,004513FC,?,004513C6,?,00451129), ref: 00483852

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 2b7dd28b92642dae97648f86e97bcd1b6bf354a7b4fbbc464e2736eaa8b7a92d
Instruction ID: 12d8c6ada76d39fd9c4810e49d2a797e7f899510cc813abc5593ba42d710eb17
Opcode Fuzzy Hash: 2b7dd28b92642dae97648f86e97bcd1b6bf354a7b4fbbc464e2736eaa8b7a92d
Instruction Fuzzy Hash: 1631E0B2A0121AABDF24AF65DC81EAF7BA5EF40310F05456AFC08D6291E739CD51CB94

Function 004E52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 004E5352
GetWindowLongW.USER32(?,000000F0), ref: 004E5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004E5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004E53A8

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 8095d614f596a34306f5697a97d46140da2bd777fd1beab146560344df368a58
Instruction ID: 7c517c26676c22204f21b1d7a2c69bc2698b8159658f02caabddd51fa4201406
Opcode Fuzzy Hash: 8095d614f596a34306f5697a97d46140da2bd777fd1beab146560344df368a58
Instruction Fuzzy Hash: 0D310734A55A88EFEB309F16CC45BEA3761AB0539AF584103FE10963E1C3B89D41974A

Function 004BAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 004BABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 004BAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 004BAC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 004BACC6

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 0c6142be0d503b4e9424dd4d35607ad1ebae04c1dab2cea42c4bd32da8ccdb1c
Instruction ID: c145cdc8335687f2bfc9744f0635399d3fe2056a0b7e0f747120402f50d767ba
Opcode Fuzzy Hash: 0c6142be0d503b4e9424dd4d35607ad1ebae04c1dab2cea42c4bd32da8ccdb1c
Instruction Fuzzy Hash: 39311630A002586FEF35CB6988497FB7FB5AB85310F04421BE481562D6D37C89A187BA

Function 004E7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 004E769A
GetWindowRect.USER32(?,?), ref: 004E7710
PtInRect.USER32(?,?,004E8B89), ref: 004E7720
MessageBeep.USER32(00000000), ref: 004E778C

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: cbf303a2bca483ee8ebe63f1f9292eb52de71c98929a5e59502cd51f2ac37d8c
Instruction ID: fc9e56addd63322b1f66ec3f5ae1c07b64b5d2097b1b62875c9e025b91dacf9a
Opcode Fuzzy Hash: cbf303a2bca483ee8ebe63f1f9292eb52de71c98929a5e59502cd51f2ac37d8c
Instruction Fuzzy Hash: 0D41B034A05294DFDB11CF5AC884EAA77F0FF59325F1440AAE4149B361C338B982CF94

Function 004E16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 004E16EB

Part of subcall function 004B3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 004B3A57
Part of subcall function 004B3A3D: GetCurrentThreadId.KERNEL32 ref: 004B3A5E
Part of subcall function 004B3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004B25B3), ref: 004B3A65

GetCaretPos.USER32(?), ref: 004E16FF
ClientToScreen.USER32(00000000,?), ref: 004E174C
GetForegroundWindow.USER32 ref: 004E1752

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 00a5c1e5fc5110974ae8ebe3171db7b233985a4e499e35c1c7496475ed067437
Instruction ID: f093c4be3d833c80f355f368b3b02eec9ab300919d6fc813fcee77381ca7a653
Opcode Fuzzy Hash: 00a5c1e5fc5110974ae8ebe3171db7b233985a4e499e35c1c7496475ed067437
Instruction Fuzzy Hash: C5313075D00249AFC700EFAAC8C1CAEB7F9EF48308B5080AEE415E7252D7359E45CBA4

Function 004BD4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 004BD501
Process32FirstW.KERNEL32(00000000,?), ref: 004BD50F
Process32NextW.KERNEL32(00000000,?), ref: 004BD52F
CloseHandle.KERNEL32(00000000), ref: 004BD5DC

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 0744f795b3e637dfc7a0d6d4d8270b99f678a19939e8394e6df3aef1396dc352
Instruction ID: 93f92e1ae2a9eb982ea55e643881c02f52753d6682b951475fd64041aac6e0cd
Opcode Fuzzy Hash: 0744f795b3e637dfc7a0d6d4d8270b99f678a19939e8394e6df3aef1396dc352
Instruction Fuzzy Hash: 3F31DB71108340AFD310EF54C881AAFBBF8EF95344F14096EF981871A2EB759949CBA7

Function 004E8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00469BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00469BB2

GetCursorPos.USER32(?), ref: 004E9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,004A7711,?,?,?,?,?), ref: 004E9016
GetCursorPos.USER32(?), ref: 004E905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,004A7711,?,?,?), ref: 004E9094

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 321a0618f43dc896e73cc8b3d625f2994805418aaf60174f94e314ccb26e766f
Instruction ID: e18bf523a6b58cfba39c1f37bd6a1aa66f4e46de80e70e305ca68edfa3f0b32f
Opcode Fuzzy Hash: 321a0618f43dc896e73cc8b3d625f2994805418aaf60174f94e314ccb26e766f
Instruction Fuzzy Hash: F921B171600158FFCB258F96C898EEB3BB9FF4A351F44406AF5054B2A1C3359E91DB64

Function 004BD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,004ECB68), ref: 004BD2FB
GetLastError.KERNEL32 ref: 004BD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 004BD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,004ECB68), ref: 004BD376

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 1226d4351b34626a0417617acca6c2100405d21f7a307a9d5b13df89fc1a8fda
Instruction ID: bc13bf1c82db40769c099e1086c7131a6c7f66aeaf6cf13a93a22d9ff15a1035
Opcode Fuzzy Hash: 1226d4351b34626a0417617acca6c2100405d21f7a307a9d5b13df89fc1a8fda
Instruction Fuzzy Hash: 432182709042019F8700DF25C8814AB77E4AF55359F105A5EF895C72A3E739994ACBAB

Function 004B1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004B1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 004B102A
Part of subcall function 004B1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 004B1036
Part of subcall function 004B1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004B1045
Part of subcall function 004B1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 004B104C
Part of subcall function 004B1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004B1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 004B15BE
_memcmp.LIBVCRUNTIME ref: 004B15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004B1617
HeapFree.KERNEL32(00000000), ref: 004B161E

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 32eecaadf14215df19102c0ed1dfbb261641bf60d1780ffd9a0777536df2fc90
Instruction ID: 2bf09c66886cda5952258cb190e163d447c5bce1d63a72f8daf649dc5ab1107d
Opcode Fuzzy Hash: 32eecaadf14215df19102c0ed1dfbb261641bf60d1780ffd9a0777536df2fc90
Instruction Fuzzy Hash: 4021AF31E40108EFDF10DFA4C995BEFB7B8EF45344F48445AE441AB261E738AA15CBA4

Function 004E2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 004E280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 004E2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 004E2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 004E2840

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 080e693e1c80764d6f2c00212819a83498bf35ef35726613cba74f9da0dad628
Instruction ID: 59cfdebf3af08a6248b45ab045d5e73b82cd81f6bb9da0c23319769485bf1d58
Opcode Fuzzy Hash: 080e693e1c80764d6f2c00212819a83498bf35ef35726613cba74f9da0dad628
Instruction Fuzzy Hash: E9210231204190AFD7149B26C981F6A7799BF45329F14821EF8168B2D2C7B9EC42C798

Function 004B78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004B8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,004B790A,?,000000FF,?,004B8754,00000000,?,0000001C,?,?), ref: 004B8D8C
Part of subcall function 004B8D7D: lstrcpyW.KERNEL32(00000000,?,?,004B790A,?,000000FF,?,004B8754,00000000,?,0000001C,?,?,00000000), ref: 004B8DB2
Part of subcall function 004B8D7D: lstrcmpiW.KERNEL32(00000000,?,004B790A,?,000000FF,?,004B8754,00000000,?,0000001C,?,?), ref: 004B8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,004B8754,00000000,?,0000001C,?,?,00000000), ref: 004B7923
lstrcpyW.KERNEL32(00000000,?,?,004B8754,00000000,?,0000001C,?,?,00000000), ref: 004B7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,004B8754,00000000,?,0000001C,?,?,00000000), ref: 004B7984

Strings

cdecl, xrefs: 004B797B

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 76090ef1ba6813e6723b51d1caf0343c6c2bc7fa450f93f9f1b8d70dd4852d42
Instruction ID: a1cea070d120d29135133ffd011a5952d4b8ec257edfd5ae9b5b557048d0e12d
Opcode Fuzzy Hash: 76090ef1ba6813e6723b51d1caf0343c6c2bc7fa450f93f9f1b8d70dd4852d42
Instruction Fuzzy Hash: 5611037A200242ABDB159F35D884DBB77A9FF85354B00402FF842CB3A5EB359812C7A9

Function 004E7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 004E7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 004E7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 004E7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,004CB7AD,00000000), ref: 004E7D6B

Part of subcall function 00469BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00469BB2

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: d5091671c71d20b66ebd5defcf4f447c423ef3408a23878de1d561d72c846b03
Instruction ID: cc4f4b426c77fdf6e4a2c8374397f8e9c5642f206487057dd91f548b5ff6cef5
Opcode Fuzzy Hash: d5091671c71d20b66ebd5defcf4f447c423ef3408a23878de1d561d72c846b03
Instruction Fuzzy Hash: 0011AC312046A4AFCB108F29CC44EB73BA8AF46371B254725F839CB2E0E7349D52DB48

Function 004E5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 004E56BB
_wcslen.LIBCMT ref: 004E56CD
_wcslen.LIBCMT ref: 004E56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 004E5816

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 320473dc93ead814340276fb20d7edbfa693ee7977cfbf72c7c457bd25007911
Instruction ID: a78b98e8cca47664997c1eaeaa9f279dd8106963448078d3fedc0c8c4769bae7
Opcode Fuzzy Hash: 320473dc93ead814340276fb20d7edbfa693ee7977cfbf72c7c457bd25007911
Instruction Fuzzy Hash: BB11E47160068996DB20DF738CC1AEF376CEF1136AF10402BF909D6182E7788981CB69

Function 00481D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6655f37a06feb15c0d4627a183d578bc06a6ee2d6bfb386ca4779031fb614f04
Instruction ID: cf20ed82b7cc58e3cdabcf21f8628a518aa8b44bd59a7b96e22988f4d951ce20
Opcode Fuzzy Hash: 6655f37a06feb15c0d4627a183d578bc06a6ee2d6bfb386ca4779031fb614f04
Instruction Fuzzy Hash: 2301A7F22056167EF61136796CC0F2F669CDF413B8B310F2BF521512E2DB68AC025368

Function 004B1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 004B1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 004B1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 004B1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 004B1A8A

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1851b105f1d5ae9eed09751e993ad4dc273d901bac0b452b99db3a141348027f
Instruction ID: 4b8717ae50172eea31565bd144b120316c02bf9c87f22a5d259deaaf300c73ca
Opcode Fuzzy Hash: 1851b105f1d5ae9eed09751e993ad4dc273d901bac0b452b99db3a141348027f
Instruction Fuzzy Hash: A3112E35901219FFDB109BA5C985FDDBB78EB08750F200092E500B7290D6716E51DB94

Function 004BE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004BE1FD
MessageBoxW.USER32(?,?,?,?), ref: 004BE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 004BE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004BE24D

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: bd7381f89b6b44161dc8d9a742a2e4f7897e2c454c98ecc519d1e0e1f546fc27
Instruction ID: 97ed85c0328d63fa6665508a56f7fda75f4418c74159818cec675aaf62d1993a
Opcode Fuzzy Hash: bd7381f89b6b44161dc8d9a742a2e4f7897e2c454c98ecc519d1e0e1f546fc27
Instruction Fuzzy Hash: 91114872D04244BFC710DBA89C85ADF7FAD9F91310F10466AF825E3281C274CD0587B8

Function 0047D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0047CFF9,00000000,00000004,00000000), ref: 0047D218
GetLastError.KERNEL32 ref: 0047D224
__dosmaperr.LIBCMT ref: 0047D22B
ResumeThread.KERNEL32(00000000), ref: 0047D249

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 569851549bc1e13561f97ec24ada887cc60aa593136bb05be1d79a1869c72188
Instruction ID: ee5298803dec51fd23bf9caa63b40e46c81c402a1c0cd74933a10c39bc6f38bf
Opcode Fuzzy Hash: 569851549bc1e13561f97ec24ada887cc60aa593136bb05be1d79a1869c72188
Instruction Fuzzy Hash: 86010436C142047BC7105BA6DC45BEB7A78DF81334F20826AF828961D2CB75890286A9

Function 004E9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00469BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00469BB2

GetClientRect.USER32(?,?), ref: 004E9F31
GetCursorPos.USER32(?), ref: 004E9F3B
ScreenToClient.USER32(?,?), ref: 004E9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 004E9F7A

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: dc265d9f2c3376fb92e6bb40537e7738a2ddb6c4d99024f79f3bfa227a86186f
Instruction ID: 6743c85929e0eb56c3d9da44b6797ac6c13c9c1e1fb1573c171013ea5c148c47
Opcode Fuzzy Hash: dc265d9f2c3376fb92e6bb40537e7738a2ddb6c4d99024f79f3bfa227a86186f
Instruction Fuzzy Hash: FA114C7290025ABBDB10DF6AD8859EE77B8FF05316F000456F911E7182D334BE82CBA9

Function 0045600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0045604C
GetStockObject.GDI32(00000011), ref: 00456060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0045606A

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 9f8eea33ecfb911185c22eb3281dd1ea5984e9edd02daf0aa2ec20e9e025132c
Instruction ID: 360131ae62e2d063fb6da4a791987e65d0f33279270cfab42ce3222070c1cf5b
Opcode Fuzzy Hash: 9f8eea33ecfb911185c22eb3281dd1ea5984e9edd02daf0aa2ec20e9e025132c
Instruction Fuzzy Hash: B711E172101548BFEF128FA4CC84EEBBB69EF08765F010212FE0446151C7369C61DBA4

Function 00473B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00473B56

Part of subcall function 00473AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00473AD2
Part of subcall function 00473AA3: ___AdjustPointer.LIBCMT ref: 00473AED

_UnwindNestedFrames.LIBCMT ref: 00473B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00473B7C
CallCatchBlock.LIBVCRUNTIME ref: 00473BA4

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: e0574aa8a036dac22fde9080fcec40b867265ff2d6fa46750e12262661ebdf6e
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: D5014032100148BBDF115E96CC46DEB3F6DEF88759F04801AFE5C66121C73AE961EBA5

Function 00483073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,004513C6,00000000,00000000,?,0048301A,004513C6,00000000,00000000,00000000,?,0048328B,00000006,FlsSetValue), ref: 004830A5
GetLastError.KERNEL32(?,0048301A,004513C6,00000000,00000000,00000000,?,0048328B,00000006,FlsSetValue,004F2290,FlsSetValue,00000000,00000364,?,00482E46), ref: 004830B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0048301A,004513C6,00000000,00000000,00000000,?,0048328B,00000006,FlsSetValue,004F2290,FlsSetValue,00000000), ref: 004830BF

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: a8f850bc5ebc772b43a96bff6918faf0979db1e1f9189f23af52bcefe77bde42
Instruction ID: 543792cef7bdbe3c9d1f09807dcdf2502aa9d7399a163f086fbc3419a4b118dd
Opcode Fuzzy Hash: a8f850bc5ebc772b43a96bff6918faf0979db1e1f9189f23af52bcefe77bde42
Instruction Fuzzy Hash: 4301D832742222ABC7315EB99C8496B77989F06F62B100A21F905D7245C725D902C7E8

Function 004B7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 004B747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 004B7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 004B74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 004B74CA

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 960c66e8970f2333e25090e4e93be5df6cbfaf6f3ae0e3c675dd85d9e1e2c5cf
Instruction ID: dbdca9c7881d55e3aee1d9ebebd17cae65b5ea044d0d66b431f499aa24f286ba
Opcode Fuzzy Hash: 960c66e8970f2333e25090e4e93be5df6cbfaf6f3ae0e3c675dd85d9e1e2c5cf
Instruction Fuzzy Hash: 3011C4B1205314AFE7208F14DD48FE27FFCEB40B01F10896AE656DA192D774E905DBA5

Function 004BB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,004BACD3,?,00008000), ref: 004BB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,004BACD3,?,00008000), ref: 004BB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,004BACD3,?,00008000), ref: 004BB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,004BACD3,?,00008000), ref: 004BB126

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: d9958f14e8f1058ec96f5bc4c4041f2ea633ba58ebbcc768e7e679d9fc5cc2f5
Instruction ID: 2fb12fdd3dbdfe98d3ccbfa362a86e14c4e0554b3f9b163ecfcaee952da24e91
Opcode Fuzzy Hash: d9958f14e8f1058ec96f5bc4c4041f2ea633ba58ebbcc768e7e679d9fc5cc2f5
Instruction Fuzzy Hash: D1116131C0151CE7CF10AFE9D9986FEBB78FF0A751F104096D941B6241CBB45551CBA9

Function 004E7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 004E7E33
ScreenToClient.USER32(?,?), ref: 004E7E4B
ScreenToClient.USER32(?,?), ref: 004E7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004E7E8A

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: cbdd24ce65a61fd8685fbbef1872be4a9fdb0f5ce964bc6e97b49c5019377c62
Instruction ID: b4a90c2d34e279e6fc67891a413cb210d1246eb0fc7e2b9819e168b07335bbe5
Opcode Fuzzy Hash: cbdd24ce65a61fd8685fbbef1872be4a9fdb0f5ce964bc6e97b49c5019377c62
Instruction Fuzzy Hash: 511186B9D0024AAFDB41CFA8D8849EEBBF5FF08310F104066E911E3211D734AA55CF54

Function 004B2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 004B2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 004B2DD6
GetCurrentThreadId.KERNEL32 ref: 004B2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 004B2DE4

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: f2fbab0f59a5141b2cfa3d5b38de67a537a3707c284c301160e8c2cf3d05b9ad
Instruction ID: 1e80ceb743985be7716bd6be0c86010ef8f282316ff1a7d2b37f6897455658f1
Opcode Fuzzy Hash: f2fbab0f59a5141b2cfa3d5b38de67a537a3707c284c301160e8c2cf3d05b9ad
Instruction Fuzzy Hash: B8E09272141224BBDB201B729C8DFEB7E6CEF42BA1F00042AF105D50819AE4C842D6B5

Function 004E8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00469639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00469693
Part of subcall function 00469639: SelectObject.GDI32(?,00000000), ref: 004696A2
Part of subcall function 00469639: BeginPath.GDI32(?), ref: 004696B9
Part of subcall function 00469639: SelectObject.GDI32(?,00000000), ref: 004696E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 004E8887
LineTo.GDI32(?,?,?), ref: 004E8894
EndPath.GDI32(?), ref: 004E88A4
StrokePath.GDI32(?), ref: 004E88B2

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 378ef76bc7d256528b2a207eda0ae94d7c2be78d724bcc70783f1669b281069c
Instruction ID: ee21b07fa9613a2a3193b12e18644cfdf648be6ed4006721b583dba1a462986d
Opcode Fuzzy Hash: 378ef76bc7d256528b2a207eda0ae94d7c2be78d724bcc70783f1669b281069c
Instruction Fuzzy Hash: 80F09A36001298FADF122F94AC49FCA3B19AF16310F008011FE01690E2C7B81552DFAD

Function 004698B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 004698CC
SetTextColor.GDI32(?,?), ref: 004698D6
SetBkMode.GDI32(?,00000001), ref: 004698E9
GetStockObject.GDI32(00000005), ref: 004698F1

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: dadbf80e261d5b62f94c8810c0939905c326115c0289329d942f97c0ef55c7b6
Instruction ID: e33603a4d55b663528bf754fae2a312cc06a50e9aab07d1e153b54852d877060
Opcode Fuzzy Hash: dadbf80e261d5b62f94c8810c0939905c326115c0289329d942f97c0ef55c7b6
Instruction Fuzzy Hash: 96E06D31244680BADB215B78EC89BE97F20EB22336F04832AF6FA581E2C37546419F15

Function 004B162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 004B1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,004B11D9), ref: 004B163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,004B11D9), ref: 004B1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,004B11D9), ref: 004B164F

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: f3f132698345402964f257018a71999227e2830ceae5fd839c773d778bd1aaee
Instruction ID: 11e28d4170dd770529579ab63edf3af55017f0cb8c13355b0cbdffcadd610865
Opcode Fuzzy Hash: f3f132698345402964f257018a71999227e2830ceae5fd839c773d778bd1aaee
Instruction Fuzzy Hash: 9DE08631A01211DBD7201FE49D8DB973B7CAF54791F144829F646CD091D7384442C7A8

Function 004AD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 004AD858
GetDC.USER32(00000000), ref: 004AD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 004AD882
ReleaseDC.USER32(?), ref: 004AD8A3

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 1dc4bdeb2b46953f85ab8ca449c5a2b39e41431561fb9d9105ec4fbd956e57b4
Instruction ID: 833643ddd91d2c3440817605cd80a29e743cd0515d4c7a17ecc4439618ae711a
Opcode Fuzzy Hash: 1dc4bdeb2b46953f85ab8ca449c5a2b39e41431561fb9d9105ec4fbd956e57b4
Instruction Fuzzy Hash: A8E01AB5C00204DFCF41AFB5D88866EBBB2FB48311F10842AE816EB251C7384903AF49

Function 004AD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 004AD86C
GetDC.USER32(00000000), ref: 004AD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 004AD882
ReleaseDC.USER32(?), ref: 004AD8A3

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 2134b0a8563bbcb2061a9f8dcc365907cc5cfd288bc8a14c29b2a63eebbc2385
Instruction ID: 70ce21e2603f8b1f4f9a9bbdb90b6bc4c78326b6acba48628e33c80385491ba4
Opcode Fuzzy Hash: 2134b0a8563bbcb2061a9f8dcc365907cc5cfd288bc8a14c29b2a63eebbc2385
Instruction Fuzzy Hash: E1E01A75C00200DFCF409FB4D88866EBBB1BB48311B108419E816EB251C73859039F48

Function 004C4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00457620: _wcslen.LIBCMT ref: 00457625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 004C4ED4

Strings

*, xrefs: 004C4E10
LPT, xrefs: 004C4DFB

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 09a02ed05ec16e7e090fc7af2b26a7c67334f999f44453bab744febc03c7fa59
Instruction ID: cf3ef47fcc9fc65c8681dbbde936754a16444b6a29ed661bf1a88c54ae03bd09
Opcode Fuzzy Hash: 09a02ed05ec16e7e090fc7af2b26a7c67334f999f44453bab744febc03c7fa59
Instruction Fuzzy Hash: 75918F78A002049FCB54DF54C594FAABBF1AF84308F15809EE84A9F362D739ED85CB55

Function 0047E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0047E30D

Strings

pow, xrefs: 0047E2E5, 0047E302

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 170238ad0246a192f8bf3404401e95c98d8e3681746b85b856b4688777423c9d
Instruction ID: b861eac9d544f15d79f75c96617b55086cbfe051e33ca76e62529099d8edf46f
Opcode Fuzzy Hash: 170238ad0246a192f8bf3404401e95c98d8e3681746b85b856b4688777423c9d
Instruction Fuzzy Hash: 80512861A0C20296CB117715C9513BF3BA4AB54740F34CEEBE499433A9EB3DCC959B4E

Function 004D7771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(004A569E,00000000,?,004ECC08,?,00000000,00000000), ref: 004D78DD

Part of subcall function 00456B57: _wcslen.LIBCMT ref: 00456B6A

CharUpperBuffW.USER32(004A569E,00000000,?,004ECC08,00000000,?,00000000,00000000), ref: 004D783B

Strings

<sQ, xrefs: 004D77C8

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <sQ
API String ID: 3544283678-3394145969
Opcode ID: dcef002c93108536dc31f00e5637a1d06a95cc9ffae1b3070b6d8cadf8fc8e0f
Instruction ID: 4c4cebb46a192e4c881125613387f7c82477d31ce4087dfe623d253fe085399e
Opcode Fuzzy Hash: dcef002c93108536dc31f00e5637a1d06a95cc9ffae1b3070b6d8cadf8fc8e0f
Instruction Fuzzy Hash: FB6164729141189ACF04FBA5CCA1DFDB374BF14305B44052BF942A7252FB385A49DBA8

Function 0046E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0046E1B1

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: d5263504d125c748072b75a42ccf55871000cfb9a369bbc816be1d01a3eb59a9
Instruction ID: f74c97f5cae78128e829dfa863d4f72036b9993a6b8597bf4e1d33d48fae149e
Opcode Fuzzy Hash: d5263504d125c748072b75a42ccf55871000cfb9a369bbc816be1d01a3eb59a9
Instruction Fuzzy Hash: 58513279500246DFDB14DF2AC0916BB7BA5EF66310F24405BE8619B280E6389D43CBAA

Function 0046F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0046F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0046F2BB

Strings

@, xrefs: 0046F2AF

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 3ae79e5a7c0d64c27c5c4d36af54f6baaed46d1335aaafb611ec759e627e5e45
Instruction ID: 6139f23c25b47c9200ec9f2bc8a7a00efb73d64b92fed30b1c0a2c6a63bf8401
Opcode Fuzzy Hash: 3ae79e5a7c0d64c27c5c4d36af54f6baaed46d1335aaafb611ec759e627e5e45
Instruction Fuzzy Hash: 995136724087449BD320AF11EC86BAFBBE8FB94305F81885DF5D941196EB34852DCB6B

Function 004D5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 004D57E0
_wcslen.LIBCMT ref: 004D57EC

Strings

CALLARGARRAY, xrefs: 004D57E6, 004D57EB

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 5db989490f51c8a9ca4b6b3482bb8edf4ae510b8432945f6b7be39014de46e44
Instruction ID: a84d8209a97edb506577d44b1a122c5a74cbc9280d1ac266c95df22a937a2f74
Opcode Fuzzy Hash: 5db989490f51c8a9ca4b6b3482bb8edf4ae510b8432945f6b7be39014de46e44
Instruction Fuzzy Hash: 2F418271A002059FCB14EFAAC8918BEBBB5EF59355F10406FF505A7352EB389D41CB94

Function 004CD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004CD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 004CD13A

Strings

|, xrefs: 004CD10B

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 0dfd42092d39c1abad762498e3729f3beaa7c3e90a4a83f8171e8cf6844b405a
Instruction ID: 7f07fc2c5692ec9fe3b699108b3a6779b8d7a20ebef899cacb32e2886b026ef6
Opcode Fuzzy Hash: 0dfd42092d39c1abad762498e3729f3beaa7c3e90a4a83f8171e8cf6844b405a
Instruction Fuzzy Hash: 94310975D01109ABCF55EFA5CC85EEE7FB9FF04304F00002AF815A6262DB35AA56CB54

Function 004E356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 004E3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 004E365C

Strings

static, xrefs: 004E35BC

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: e80fdc0dbe0d155cf1fed3ce0d470ab0bbe9171b9ab76f2b56450bb9abef132d
Instruction ID: 24ff72fc51d52b03ba12a98dfe8ca6691fa325403ffb5818a94d1b4e86c16991
Opcode Fuzzy Hash: e80fdc0dbe0d155cf1fed3ce0d470ab0bbe9171b9ab76f2b56450bb9abef132d
Instruction Fuzzy Hash: BA31B271100244AEDB21DF35DC84EFB73A9FF48725F00861EF8A597280DA35AD82D768

Function 004E4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 004E461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 004E4634

Strings

', xrefs: 004E458E

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 546a3f379f0ca87221d4c9c6f021a0afbb34ef6f993662c6ea33077b45a8e385
Instruction ID: cd9477c96167999a5bd76a761612bb940236f5074f615dd7f2f99ac8497985e8
Opcode Fuzzy Hash: 546a3f379f0ca87221d4c9c6f021a0afbb34ef6f993662c6ea33077b45a8e385
Instruction Fuzzy Hash: C5314C74A01349AFDF14CFAAC980BDA7BB5FF49301F10406AEA04AB381D774A941CF94

Function 004E31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 004E327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004E3287

Strings

Combobox, xrefs: 004E3249

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 36c27ab85d3569fe561aff6dc575901ed25026bd3286a81c63f8ddeec30a928c
Instruction ID: a46b383d293c67e69513c5ec66ab1688d11ebc431547063f34165b79645f20bf
Opcode Fuzzy Hash: 36c27ab85d3569fe561aff6dc575901ed25026bd3286a81c63f8ddeec30a928c
Instruction Fuzzy Hash: 4411E6713001487FFF229F55DC84EBB376AEB54366F10012AFA5897290D6359D518764

Function 004E3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0045600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0045604C
Part of subcall function 0045600E: GetStockObject.GDI32(00000011), ref: 00456060
Part of subcall function 0045600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0045606A

GetWindowRect.USER32(00000000,?), ref: 004E377A
GetSysColor.USER32(00000012), ref: 004E3794

Strings

static, xrefs: 004E3757

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: f09522650518507d1e6437d1f5083824de871bbf4720be1d3a34fe6383359cb2
Instruction ID: 9fa05ab590097ea4b918bd90235da20adeaf7946fb96a1f759c03804f3f15599
Opcode Fuzzy Hash: f09522650518507d1e6437d1f5083824de871bbf4720be1d3a34fe6383359cb2
Instruction Fuzzy Hash: 2A1159B2610249AFDF11DFA9CC89AEA7BB8EF08316F004529F955E3250D738E8119B54

Function 004CCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004CCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 004CCDA6

Strings

<local>, xrefs: 004CCD66

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 0d0552717a97d374c17d9b10ab64a341f36e1f0047a3ecda7eebbc2ec0d5bc2f
Instruction ID: dfa650092118dd3417c6b59a7c2ffdc41c58509fc64ada534353d31503308ba7
Opcode Fuzzy Hash: 0d0552717a97d374c17d9b10ab64a341f36e1f0047a3ecda7eebbc2ec0d5bc2f
Instruction Fuzzy Hash: 0611E379641632BAD7644A668CC4FE3BE6CEB127A4F00423BF10E82180D2789841D6F4

Function 004E3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 004E34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004E34BA

Strings

edit, xrefs: 004E348F

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: da5994e0c4b54a73d49775e344530356c06b4471847479d378cba5c824fd42ef
Instruction ID: 9921c99c2b5ca71a0d2d6dc4d9d4c516ea5aaefb61abf69623c1f954b0fbbc37
Opcode Fuzzy Hash: da5994e0c4b54a73d49775e344530356c06b4471847479d378cba5c824fd42ef
Instruction Fuzzy Hash: 3D110471100144AFEF124E66DC88AFB3769EF0137AF504725F960932D0C339DC529B58

Function 004B6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00459CB3: _wcslen.LIBCMT ref: 00459CBD

CharUpperBuffW.USER32(?,?,?), ref: 004B6CB6
_wcslen.LIBCMT ref: 004B6CC2

Strings

STOP, xrefs: 004B6CBC, 004B6CC1

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 18c364c64d944e5faf4e5604b46869418c68ff820a6af00dd787db2a1ac7ce22
Instruction ID: 3fec68cd690104392de220f6b97ca9703b5b4803d5cc833d8fcbcfb6412c6cc9
Opcode Fuzzy Hash: 18c364c64d944e5faf4e5604b46869418c68ff820a6af00dd787db2a1ac7ce22
Instruction Fuzzy Hash: 0E012B326005268BCB10AFBDDC918FF37B9FB60714702093AE85297291EB3DDC05C668

Function 004B1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00459CB3: _wcslen.LIBCMT ref: 00459CBD

Part of subcall function 004B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004B3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 004B1D4C

Strings

ComboBox, xrefs: 004B1CEB
ListBox, xrefs: 004B1D16

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: a25e35f5f31ddb97d0d56cec67f3109e2730eb41402b864919faab4bcdaf4608
Instruction ID: 2c2c628a85a6a6c35178362cda12e8d2e2ccf35143f45745d5cba8f2d0cd6a26
Opcode Fuzzy Hash: a25e35f5f31ddb97d0d56cec67f3109e2730eb41402b864919faab4bcdaf4608
Instruction Fuzzy Hash: 6901B575601214AB8B04EBA5CC618FF7769FB46354B54091FA822573D2EA38690D8674

Function 004B1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00459CB3: _wcslen.LIBCMT ref: 00459CBD

Part of subcall function 004B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004B3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 004B1C46

Strings

ComboBox, xrefs: 004B1BE5
ListBox, xrefs: 004B1C10

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ea2755be56226647761ef0ffde7f35b419863696f9b73c4e0f4299769c60d428
Instruction ID: 5e6f144e54f59b4e1b7312e0c196bacf72df7ef72bfcb671b96644f72edf2281
Opcode Fuzzy Hash: ea2755be56226647761ef0ffde7f35b419863696f9b73c4e0f4299769c60d428
Instruction Fuzzy Hash: 6201F775680104A6CB04EBA1C9629FF7BB89B11340F50001FA80767293EA389E0D86B9

Function 004B1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00459CB3: _wcslen.LIBCMT ref: 00459CBD

Part of subcall function 004B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004B3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 004B1CC8

Strings

ComboBox, xrefs: 004B1C69
ListBox, xrefs: 004B1C94

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 2225fb56fbfb976f0906bb17c9dc6b2f0b3d47a1f994000ea40ebfb7411e9cf8
Instruction ID: ecdd77702d7f3632c29d21fb4352d4c29c07581fd56c3f9f7b6d820df1e796ca
Opcode Fuzzy Hash: 2225fb56fbfb976f0906bb17c9dc6b2f0b3d47a1f994000ea40ebfb7411e9cf8
Instruction Fuzzy Hash: 6C01DB75640114A7DB05EBA5CA51AFF7BB89B11385F94001BBC0273292EA389F0DD679

Function 0046A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0046A529

Part of subcall function 00459CB3: _wcslen.LIBCMT ref: 00459CBD

Strings

,%R, xrefs: 0046A509
3yJ, xrefs: 0046A545, 0046A54D, 0046A552

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%R$3yJ
API String ID: 2551934079-3779759401
Opcode ID: 7697c8e97a22bba2d3f5897695540d93a4ebb2eab32059b14e335230bbefe289
Instruction ID: 0c8725c89aac2614a5c2edc634a262ee46b1493f2f26b583306bdde19cc7f3d4
Opcode Fuzzy Hash: 7697c8e97a22bba2d3f5897695540d93a4ebb2eab32059b14e335230bbefe289
Instruction Fuzzy Hash: 0401D431701A10E7CA10F769EC57A9D37549B45715F50406FF5062B2C3FE586D068E9F

Function 004B1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00459CB3: _wcslen.LIBCMT ref: 00459CBD

Part of subcall function 004B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004B3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 004B1DD3

Strings

ComboBox, xrefs: 004B1D75
ListBox, xrefs: 004B1DA0

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 36015f78e7a46604ddfb2db028607aa11af7cecea1114d1d766d191f021d2b0f
Instruction ID: 3d7705387acb0f84399e6c9e7ed5eed192557b4ac50df6499db27c582b5cee05
Opcode Fuzzy Hash: 36015f78e7a46604ddfb2db028607aa11af7cecea1114d1d766d191f021d2b0f
Instruction Fuzzy Hash: E9F0F971A50214A6D704F7A5CC51AFF777CAB01344F84091FB822632D2EA78690D8278

Function 004E8172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00523018,0052305C), ref: 004E81BF
CloseHandle.KERNEL32 ref: 004E81D1

Strings

\0R, xrefs: 004E818A

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0R
API String ID: 3712363035-3234072813
Opcode ID: 2ed681e4d552527897de401306a591bc68d812aae95366a9a0250fe35a9b1746
Instruction ID: 963de987f1649440beea37d357fd25f301a3c2333af23cc7a800a760e1458c51
Opcode Fuzzy Hash: 2ed681e4d552527897de401306a591bc68d812aae95366a9a0250fe35a9b1746
Instruction Fuzzy Hash: 7CF05EB1640310BAE3206761AC89FB73A9CEF16755F004425BF0CD91A2D67D8A0592FC

Function 004D747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004D7493
_wcslen.LIBCMT ref: 004D74B9

Strings

3, 3, 16, 1, xrefs: 004D7483

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 03ba7ad9e66086bbc005f2f82577c64b78bcbfb7d85f6558a9372355d75aa8c7
Instruction ID: 89c10d02f46e4c153a796e9257c1faf0fc4600a56c16b4aede3265ccae8e5e39
Opcode Fuzzy Hash: 03ba7ad9e66086bbc005f2f82577c64b78bcbfb7d85f6558a9372355d75aa8c7
Instruction Fuzzy Hash: 6BE02B82204220119232127B9CD19BF5A89DFC9760710182FFA89C2366FB9C8D9193A9

Function 004B0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004B0B23

Strings

Error allocating memory., xrefs: 004B0B1C
AutoIt, xrefs: 004B0B17

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: f148249133dabf29dabeb5fe23f695c3a4ac4af691bab7b47aa1aaf7f056a557
Instruction ID: f183ea86e40eb03bf31fc6ba8b4eaca0f4ab9096b8011610861ab9983a23e622
Opcode Fuzzy Hash: f148249133dabf29dabeb5fe23f695c3a4ac4af691bab7b47aa1aaf7f056a557
Instruction Fuzzy Hash: 20E0D83128434826D2143696BC43FD97E849F05B2AF20442FFB98955C39BEA689046EE

Function 00470D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0046F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00470D71,?,?,?,0045100A), ref: 0046F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0045100A), ref: 00470D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0045100A), ref: 00470D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00470D7F

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 04fbb964ca9dc6cf24e49c894f75db9ed03618ce0fabea4d57f9faddb7b86bf5
Instruction ID: b165fa88654d4f79fdb1c207da81ad20c8a8e6b9fd4a6c41a636dca71f4ebf7e
Opcode Fuzzy Hash: 04fbb964ca9dc6cf24e49c894f75db9ed03618ce0fabea4d57f9faddb7b86bf5
Instruction Fuzzy Hash: 78E06D746017818FD3309FBDE4443967BE0AF10749F00897EE48ACA652EBB8F4498B99

Function 0046E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0046E3D5

Strings

8%R, xrefs: 0046E3CA
0%R, xrefs: 0046E3B5

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%R$8%R
API String ID: 1385522511-1208163964
Opcode ID: 3216ebf02290777d4ffcc38e480f80c18e89916e2420893660c66de946dad7cf
Instruction ID: 192d163576a5a28b1a8fef910b7ccd1ec82681ea315ee8f6f363b1437edbf6cd
Opcode Fuzzy Hash: 3216ebf02290777d4ffcc38e480f80c18e89916e2420893660c66de946dad7cf
Instruction Fuzzy Hash: BDE0203DA01920DBC61C971EF45498833D1FF16324F50816BE8018F3D1AB3C6C83954E

Function 004C3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 004C302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 004C3044

Strings

aut, xrefs: 004C3038

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 6c771bb8ec57b4a72a8db3c88af5280794dcc69338662c123c3341c52f21be19
Instruction ID: 10109a587ab56b56fc784c10b48f37be6144d1fe59c6ec2da445c025ffae92dc
Opcode Fuzzy Hash: 6c771bb8ec57b4a72a8db3c88af5280794dcc69338662c123c3341c52f21be19
Instruction Fuzzy Hash: 5BD05B7190031467DA2097949C8DFC73A6CEB04751F0001A17755D6091DAB09585CAD4

Function 004AD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 004AD220

Strings

X64, xrefs: 004AD2A8
%.3d, xrefs: 004AD22B

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 2a5b34ad3dadda6521407fcd3dd3eac2adda8816bbe192280fc0b39f910458e4
Instruction ID: b66fed9890a774e56c707c5a358819375f7beb90e593df7ebdb7d0c221a19af6
Opcode Fuzzy Hash: 2a5b34ad3dadda6521407fcd3dd3eac2adda8816bbe192280fc0b39f910458e4
Instruction Fuzzy Hash: 09D012B2C08109EACB5096D0DC85AF9B37CBB29301F5084A3F90791440E62CD54AE76B

Function 004E2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004E236C
PostMessageW.USER32(00000000), ref: 004E2373

Part of subcall function 004BE97B: Sleep.KERNEL32 ref: 004BE9F3

Strings

Shell_TrayWnd, xrefs: 004E2365

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 095c321e786470c3420157055fa3c0148efa198e3fc7abeb4f1973c0953d6a85
Instruction ID: 067cab65a2d3077fb69569742d7fe273ae2079c65e229c77fab35ec559622ae5
Opcode Fuzzy Hash: 095c321e786470c3420157055fa3c0148efa198e3fc7abeb4f1973c0953d6a85
Instruction Fuzzy Hash: E3D0C976381350BAE664A7719C8FFC66A14AB44B14F0049267645AA1D1C9A4B8468A58

Function 004E2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004E232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 004E233F

Part of subcall function 004BE97B: Sleep.KERNEL32 ref: 004BE9F3

Strings

Shell_TrayWnd, xrefs: 004E2325

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 086539ce94fedd3a70f98cb2a53cce9695973c840eea0c282314125459374f33
Instruction ID: 3d22147c3a388d6300c8463b1aae1e63fba9dd54ded6adf92df6c2c52a9c7130
Opcode Fuzzy Hash: 086539ce94fedd3a70f98cb2a53cce9695973c840eea0c282314125459374f33
Instruction Fuzzy Hash: 72D0A936380350BAE264A3319C8FFC66A04AB00B00F0009267205AA0D1C9A0A8028A18

Function 0048BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0048BE93
GetLastError.KERNEL32 ref: 0048BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0048BEFC

Memory Dump Source

Source File: 00000000.00000002.2042228999.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.2042213639.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042281748.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042325061.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042341919.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_450000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 03f72e62e8daa0af8ad40ed78671e00004084d7b2dfa36b5161312dce0e7ea4a
Instruction ID: 6bc79184ce2b0466bb176ad104b07fd7acbaf86b88d74cc85cdba2ab19560832
Opcode Fuzzy Hash: 03f72e62e8daa0af8ad40ed78671e00004084d7b2dfa36b5161312dce0e7ea4a
Instruction Fuzzy Hash: 8B41D835604206AFCF21AF65CC84ABF7BA5DF41310F14856AFB599B2A1DB348D01CB99

Source: global traffic	TCP traffic: 192.168.2.5:55424 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.5:65369 -> 162.159.36.2:53

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 40.69.42.241
Source: unknown	TCP traffic detected without corresponding DNS query: 40.69.42.241
Source: unknown	TCP traffic detected without corresponding DNS query: 40.69.42.241
Source: unknown	TCP traffic detected without corresponding DNS query: 40.69.42.241
Source: unknown	TCP traffic detected without corresponding DNS query: 40.69.42.241
Source: unknown	TCP traffic detected without corresponding DNS query: 40.69.42.241

Source: global traffic	HTTP traffic detected: GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1Host: youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCJDKzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=-1743275230&timestamp=1727844846705 HTTP/1.1Host: accounts.youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCJDKzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCJDKzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw==Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=518=X6Gm0XeH7alFikPjSLQ-9Wht35UyUmcSDRjAWPo450ZHv2-6siHHTslxbJxkmxr47sS9yzilzIYeJwJD_hmtTztdkVnze5JqKkmyNKhGxDR7qKT9oYKCNKm9nTtleyk20eGbXQ2VPVkEOXppxiG4fbBKIoWJrJ821QScqqtLdOoRdQWc7aE
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=HMxa9fK6xWHNTxF&MD=rMK4+myP HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /clientwebservice/ping HTTP/1.1Connection: Keep-AliveUser-Agent: DNS resiliency checker/1.0Host: fe3cr.delivery.mp.microsoft.com
Source: global traffic	HTTP traffic detected: GET /sls/ping HTTP/1.1Connection: Keep-AliveUser-Agent: DNS resiliency checker/1.0Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=HMxa9fK6xWHNTxF&MD=rMK4+myP HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=HMxa9fK6xWHNTxF&MD=rMK4+myP HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6048_2110720458\LICENSE

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6048_2110720458\_metadata\verified_contents.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6048_2110720458\manifest.fingerprint

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6048_2110720458\manifest.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6048_2110720458\sets.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6048_393236696\Google.Widevine.CDM.dll

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6048_393236696\_metadata\verified_contents.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6048_393236696\manifest.fingerprint

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6048_393236696\manifest.json

Chrome Cache Entry: 172

Windows Analysis Report
file.exe

Function 004542DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 004542A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre