Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1524247
MD5:	eab946495e838f5895a34747e727374f
SHA1:	4a84d185f610365603daa293e0883d0f045a33f4
SHA256:	89e33273c7be2242b9f7cf00dbf12aa0023071d74e4aeb8ab475c41a40752361
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64

file.exe (PID: 5800 cmdline: "C:\Users\user\Desktop\file.exe" MD5: EAB946495E838F5895A34747E727374F)

chrome.exe (PID: 5332 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 4220 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2012 --field-trial-handle=1948,i,14814395722568013072,14306919227150370928,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 8104 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5604 --field-trial-handle=1948,i,14814395722568013072,14306919227150370928,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 8112 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5672 --field-trial-handle=1948,i,14814395722568013072,14306919227150370928,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 5800	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

String found in binary or memory: _.fq(p)+"/familylink/privacy/notice/embedded?langCountry="+_.fq(p);break;case "PuZJUb":a+="https://www.youtube.com/t/terms?chromeless=1&hl="+_.fq(m);break;case "fxTQxb":a+="https://youtube.com/t/terms?gl="+_.fq(_.oq(c))+"&hl="+_.fq(d)+"&override_hl=1"+(f?"&linkless=1":"");break;case "prAmvd":a+="https://www.google.com/intl/"+_.fq(m)+"/chromebook/termsofservice.html?languageCode="+_.fq(d)+"&regionCode="+_.fq(c);break;case "NfnTze":a+="https://policies.google.com/privacy/google-partners"+(f?"/embedded": equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: accounts.youtube.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com

Source: unknown

HTTP traffic detected: POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveContent-Length: 519sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"Content-Type: application/x-www-form-urlencoded;charset=UTF-8sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"X-Goog-AuthUser: 0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*Origin: https://accounts.google.comX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: chromecache_103.4.dr	String found in binary or memory: https://accounts.google.com
Source: chromecache_103.4.dr	String found in binary or memory: https://accounts.google.com/TOS?loc=
Source: file.exe, 00000000.00000002.2110768342.00000000016E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwdn
Source: chromecache_100.4.dr	String found in binary or memory: https://apis.google.com/js/api.js
Source: chromecache_103.4.dr	String found in binary or memory: https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage
Source: chromecache_107.4.dr	String found in binary or memory: https://families.google.com/intl/
Source: chromecache_100.4.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/drive_2020q4/v10/192px.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/gmail_2020q4/v10/web-48dp/logo_gmail_2020q4_color_2x_web_
Source: chromecache_100.4.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/maps/v7/192px.svg
Source: chromecache_103.4.dr	String found in binary or memory: https://g.co/recover
Source: chromecache_107.4.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_103.4.dr	String found in binary or memory: https://play.google.com/work/enroll?identifier=
Source: chromecache_107.4.dr	String found in binary or memory: https://play.google/intl/
Source: chromecache_107.4.dr	String found in binary or memory: https://policies.google.com/privacy
Source: chromecache_107.4.dr	String found in binary or memory: https://policies.google.com/privacy/additional
Source: chromecache_107.4.dr	String found in binary or memory: https://policies.google.com/privacy/google-partners
Source: chromecache_107.4.dr	String found in binary or memory: https://policies.google.com/technologies/cookies
Source: chromecache_107.4.dr	String found in binary or memory: https://policies.google.com/technologies/location-data
Source: chromecache_107.4.dr	String found in binary or memory: https://policies.google.com/terms
Source: chromecache_107.4.dr	String found in binary or memory: https://policies.google.com/terms/location
Source: chromecache_107.4.dr	String found in binary or memory: https://policies.google.com/terms/service-specific
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-email-pin.gif
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-password.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-or-voice-pin.gif
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-pin.gif
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-stop-go-landing-page_1x.png
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/animation/
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_device.png
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_pin.png
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync.png
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_1x.png
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_2x.png
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_darkmode_1x.png
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/continue_on_your_phone.png
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_phone_number_verification.png
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_silent_tap_yes_darkmode.gif
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes.gif
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes_darkmode.gif
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success_darkmode.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_dark_v2.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated_darkmode.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_v2.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_not_ready.png
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_1.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_dark_1.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_1.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_darkmode_1.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_1.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_darkmode_1.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_created.png
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device_darkmode.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_full_house.png
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_1.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_darkmode_1.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision_darkmode.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_1.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_darkmode_1.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_1.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_darkmode_1.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device_darkmode.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_stop.png
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/personalization_reminders.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/phone_number_sign_in_2x.png
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop_darkmode.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key.gif
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_ios_center.png
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_laptop.gif
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered.gif
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered_darkmode.gif
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_phone.gif
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_ios.gif
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_pulldown.gif
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_tapyes.gif
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/smart_lock_2x.png
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/usb_key.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/web_and_app_activity.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/who_will_be_using_this_device.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/you_tube_history.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available_dark.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/gmail_ios_authzen.gif
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/paaskey.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge_darkmode.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_darkmode.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device_darkmode.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_darkmode.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error_darkmode.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth_darkmode.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success_darkmode.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror_darkmode.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_dark.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_light.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/screenlock.png
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_ipad.gif
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone.gif
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_nfc.gif
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_usb.gif
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_phone.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_keys.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2_darkmode.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/loading_spinner_gm.gif
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/progress_spinner_color_20dp_4x.gif
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/success-gm-default_2x.png
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/apps/signup/resources/custom-email-address.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/images/hpp/shield_security_checkup_green_2x_web_96dp.png
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_dark_1.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_v1.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_dark_v1.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_v1.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_dark_v1.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_v1.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked_dark.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp_dark.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents_dark.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset_dark.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices_darkmode.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid_dark.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail_dark.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps_darkmode.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_confirmation.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore_dark.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro_darkmode.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18_darkmode.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms_dark.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings_darkmode.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search_darkmode.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18_darkmode.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18_darkmode.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18_darkmode.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_darkmode.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad_dark.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_0.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_dark_0.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization_darkmode.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation_darkmode.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error_darkmode.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork_darkmode.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro_darkmode.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results_darkmode.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search_darkmode.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications_dark.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_2.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_dark_2.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_2.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_dark_2.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_2.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_dark_2.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_2.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_dark_2.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_2.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_dark_3.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_1.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_dark_1.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_1.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_dark_1.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_2.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_dark_2.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_1.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_dark_1.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_2.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_dark_2.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_dark_v2.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_v2.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set_dark.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent_dark.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction_dark.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error_dark.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work_dark.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps_dark.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls_dark.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent_dark.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen_dark.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice_darkmode.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation_dark.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation_dark.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email_dark.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set_darkmode.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set_dark.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_dark.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_v2.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2_dark.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2_dark.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink_dark.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling_dark.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_dark_v2.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_v2.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2_dark.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup_dark.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2_dark.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2_dark.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2_dark.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help_dark.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space.png
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space_dark.png
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol_dark.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation_dark.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits_dark.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2_dark.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess.svg
Source: chromecache_100.4.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess_dark.svg
Source: chromecache_103.4.dr	String found in binary or memory: https://support.google.com/accounts?hl=
Source: chromecache_107.4.dr	String found in binary or memory: https://support.google.com/accounts?p=new-si-ui
Source: chromecache_103.4.dr	String found in binary or memory: https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072
Source: chromecache_100.4.dr	String found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
Source: chromecache_103.4.dr	String found in binary or memory: https://www.google.com
Source: chromecache_107.4.dr	String found in binary or memory: https://www.google.com/intl/
Source: chromecache_100.4.dr	String found in binary or memory: https://www.gstatic.com/accounts/speedbump/authzen_optin_illustration.gif
Source: chromecache_100.4.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/chrome_48dp.png
Source: chromecache_100.4.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/googleg_48dp.png
Source: chromecache_100.4.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/gsa_48dp.png
Source: chromecache_100.4.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/play_prism_48dp.png
Source: chromecache_100.4.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/youtube_48dp.png
Source: chromecache_107.4.dr	String found in binary or memory: https://www.gstatic.com/images/branding/productlogos/googleg/v6/36px.svg
Source: chromecache_107.4.dr	String found in binary or memory: https://www.youtube.com/t/terms?chromeless=1&hl=
Source: file.exe, 00000000.00000003.2079605712.0000000001534000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: chromecache_107.4.dr	String found in binary or memory: https://youtube.com/t/terms?gl=

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.5:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.5:49761 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007CEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_007CEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007CED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_007CED6A

Source: C:\Users\user\Desktop\file.exe

0_2_007CEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007BAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_007BAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007E9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_007E9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.2077162723.0000000000812000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_14decdbd-2
Source: file.exe, 00000000.00000000.2077162723.0000000000812000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_87ab0cd7-b
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ca1339e3-e
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_696f517a-1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007BD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_007BD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007B1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_007B1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007BE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_007BE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00758060	0_2_00758060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007C2046	0_2_007C2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007B8298	0_2_007B8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0078E4FF	0_2_0078E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0078676B	0_2_0078676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E4873	0_2_007E4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0075CAF0	0_2_0075CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0077CAA0	0_2_0077CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076CC39	0_2_0076CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00786DD9	0_2_00786DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076B119	0_2_0076B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007591C0	0_2_007591C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00771394	0_2_00771394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00771706	0_2_00771706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0077781B	0_2_0077781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076997D	0_2_0076997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00757920	0_2_00757920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007719B0	0_2_007719B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00777A4A	0_2_00777A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00771C77	0_2_00771C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00777CA7	0_2_00777CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007DBE44	0_2_007DBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00789EEE	0_2_00789EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00771F32	0_2_00771F32

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00770A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0076F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00759CB3 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@31/38@12/7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007C37B5 GetLastError,FormatMessageW,

0_2_007C37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007B10BF AdjustTokenPrivileges,CloseHandle,		0_2_007B10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007B16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_007B16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007C51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_007C51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007BD4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_007BD4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007C648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_007C648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007542A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_007542A2

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 13%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2012 --field-trial-handle=1948,i,14814395722568013072,14306919227150370928,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5604 --field-trial-handle=1948,i,14814395722568013072,14306919227150370928,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5672 --field-trial-handle=1948,i,14814395722568013072,14306919227150370928,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2012 --field-trial-handle=1948,i,14814395722568013072,14306919227150370928,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5604 --field-trial-handle=1948,i,14814395722568013072,14306919227150370928,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5672 --field-trial-handle=1948,i,14814395722568013072,14306919227150370928,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior

Source: Google Drive.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007542DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00770A76 push ecx; ret

0_2_00770A89

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0076F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_007E1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96594

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.5 %

Source: C:\Users\user\Desktop\file.exe TID: 3524

Thread sleep count: 108 > 30

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007BDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_007BDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0078C2A2 FindFirstFileExW,	0_2_0078C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007C68EE FindFirstFileW,FindClose,	0_2_007C68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007C698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_007C698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007BD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_007BD076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007BD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_007BD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007C9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_007C9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007C979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_007C979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007C9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_007C9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007C5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_007C5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007542DE

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007CEAA2 BlockInput,

0_2_007CEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00782622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00782622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007542DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00774CE8 mov eax, dword ptr fs:[00000030h]

0_2_00774CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007B0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_007B0B62

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00782622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00782622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0077083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0077083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007709D5 SetUnhandledExceptionFilter,	0_2_007709D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00770C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00770C21

Source: C:\Users\user\Desktop\file.exe

0_2_007B1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00792BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00792BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007BB226 SendInput,keybd_event,

0_2_007BB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007D22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_007D22DA

Source: C:\Users\user\Desktop\file.exe

0_2_007B0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007B1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_007B1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00770698 cpuid

0_2_00770698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007C8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_007C8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007AD27A GetUserNameW,

0_2_007AD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0078B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0078B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007542DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 5800, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 5800, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007D1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_007D1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007D1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_007D1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	15 System Information Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Process Injection	1 Masquerading	LSA Secrets	12 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	13%	ReversingLabs
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://play.google/intl/	0%	URL Reputation	safe
https://families.google.com/intl/	0%	URL Reputation	safe
https://policies.google.com/technologies/location-data	0%	URL Reputation	safe
https://apis.google.com/js/api.js	0%	URL Reputation	safe
https://policies.google.com/privacy/google-partners	0%	URL Reputation	safe
https://policies.google.com/terms/service-specific	0%	URL Reputation	safe
https://g.co/recover	0%	URL Reputation	safe
https://policies.google.com/privacy/additional	0%	URL Reputation	safe
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	0%	URL Reputation	safe
https://policies.google.com/technologies/cookies	0%	URL Reputation	safe
https://policies.google.com/terms	0%	URL Reputation	safe
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	0%	URL Reputation	safe
https://support.google.com/accounts?hl=	0%	URL Reputation	safe
https://policies.google.com/terms/location	0%	URL Reputation	safe
https://policies.google.com/privacy	0%	URL Reputation	safe
https://support.google.com/accounts?p=new-si-ui	0%	URL Reputation	safe
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
youtube-ui.l.google.com	142.250.185.78	true	false	unknown
www3.l.google.com	216.58.206.46	true	false	unknown
play.google.com	172.217.18.110	true	false	unknown
www.google.com	216.58.206.68	true	false	unknown
youtube.com	142.250.185.78	true	false	unknown
accounts.youtube.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Reputation
https://play.google.com/log?format=json&hasfast=true&authuser=0	false	unknown
https://www.google.com/favicon.ico	false	unknown
https://play.google.com/log?hasfast=true&authuser=0&format=json	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google/intl/	chromecache_107.4.dr	false	URL Reputation: safe	unknown
https://families.google.com/intl/	chromecache_107.4.dr	false	URL Reputation: safe	unknown
https://youtube.com/t/terms?gl=	chromecache_107.4.dr	false		unknown
https://policies.google.com/technologies/location-data	chromecache_107.4.dr	false	URL Reputation: safe	unknown
https://www.google.com/intl/	chromecache_107.4.dr	false		unknown
https://apis.google.com/js/api.js	chromecache_100.4.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/google-partners	chromecache_107.4.dr	false	URL Reputation: safe	unknown
https://play.google.com/work/enroll?identifier=	chromecache_103.4.dr	false		unknown
https://policies.google.com/terms/service-specific	chromecache_107.4.dr	false	URL Reputation: safe	unknown
https://g.co/recover	chromecache_103.4.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/additional	chromecache_107.4.dr	false	URL Reputation: safe	unknown
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	chromecache_103.4.dr	false	URL Reputation: safe	unknown
https://policies.google.com/technologies/cookies	chromecache_107.4.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms	chromecache_107.4.dr	false	URL Reputation: safe	unknown
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	chromecache_100.4.dr	false	URL Reputation: safe	unknown
https://www.google.com	chromecache_103.4.dr	false		unknown
https://play.google.com/log?format=json&hasfast=true	chromecache_107.4.dr	false		unknown
https://www.youtube.com/t/terms?chromeless=1&hl=	chromecache_107.4.dr	false		unknown
https://support.google.com/accounts?hl=	chromecache_103.4.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms/location	chromecache_107.4.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy	chromecache_107.4.dr	false	URL Reputation: safe	unknown
https://support.google.com/accounts?p=new-si-ui	chromecache_107.4.dr	false	URL Reputation: safe	unknown
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	chromecache_103.4.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.185.78	youtube-ui.l.google.com	United States	15169	GOOGLEUS	false
216.58.206.68	www.google.com	United States	15169	GOOGLEUS	false
216.58.206.46	www3.l.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.184.206	unknown	United States	15169	GOOGLEUS	false
172.217.18.110	play.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.5

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1524247
Start date and time:	2024-10-02 17:23:49 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@31/38@12/7
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 40 Number of non-executed functions: 316
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.185.227, 142.250.181.238, 142.251.168.84, 34.104.35.123, 142.250.186.106, 142.250.184.202, 142.250.186.74, 142.250.181.234, 142.250.186.138, 142.250.185.202, 142.250.184.234, 142.250.185.106, 216.58.206.74, 142.250.185.74, 172.217.16.202, 172.217.18.106, 142.250.185.138, 142.250.185.234, 142.250.185.170, 216.58.212.138, 142.250.185.195, 142.250.184.195, 216.58.212.170, 142.250.74.202, 216.58.206.42, 142.250.186.42, 172.217.18.10, 142.250.186.170, 199.232.210.172, 192.229.221.95, 142.250.186.67, 74.125.206.84, 93.184.221.240, 142.250.186.174
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, slscr.update.microsoft.com, fonts.gstatic.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com, www.gstatic.com, optimizationguide-pa.googleapis.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	file.exe	Get hash	malicious	Credential Flusher	Browse
	https://tqaun.us12.list-manage.com/track/click?u=fb0a5f04fa3c936488ff652c3&id=d22699c399&e=ce0a629e2e	Get hash	malicious	HTMLPhisher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	http://view.flodesk.com/emails/66fd2053af85c99dd55d1461	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	https://546546546.pages.dev/qweqr?msharing=service@jpplus.com	Get hash	malicious	HTMLPhisher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	https://svsjie.us9.list-manage.com/track/click?u=65baddd8dc4a29452f1a28eb2&id=dde4f4d149&e=6d04ecfe32	Get hash	malicious	Unknown	Browse

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	file.exe	Get hash	malicious	Credential Flusher	Browse	23.1.237.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	23.1.237.91
	file.exe	Get hash	malicious	Unknown	Browse	23.1.237.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	23.1.237.91
	test.exe	Get hash	malicious	Babadeda	Browse	23.1.237.91
	exit.exe	Get hash	malicious	Babadeda	Browse	23.1.237.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	23.1.237.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	23.1.237.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	23.1.237.91
	Remittance[26].htm	Get hash	malicious	Unknown	Browse	23.1.237.91
28a2c9bd18a11de089ef85a160da29e4	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	https://tqaun.us12.list-manage.com/track/click?u=fb0a5f04fa3c936488ff652c3&id=d22699c399&e=ce0a629e2e	Get hash	malicious	HTMLPhisher	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Unknown	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	https://svsjie.us9.list-manage.com/track/click?u=65baddd8dc4a29452f1a28eb2&id=dde4f4d149&e=6d04ecfe32	Get hash	malicious	Unknown	Browse	184.28.90.27 20.114.59.183
	test.exe	Get hash	malicious	Babadeda	Browse	184.28.90.27 20.114.59.183
	exit.exe	Get hash	malicious	Babadeda	Browse	184.28.90.27 20.114.59.183

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 2 14:24:48 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9809085689619774
Encrypted:	false
SSDEEP:	48:8SdayT6+VlHFeidAKZdA19ehwiZUklqehAy+3:8YLr0/y
MD5:	BD18DC48C93548A74F866058C925261A
SHA1:	4B9EA3D921BA1818999F81661EA052E625AFD048
SHA-256:	DF285D2BB85594C190BBB00C79FFF2A8DA1C6AA4E7F357A44A4B6400FF8AC6BA
SHA-512:	F8B906A214F23577D6E07322910D50DDF634F4B2880420285B86885B538CFAAF6D67DF2257E02414E9D8EED466415CAF9722F2BD471A8A76093BAE2F57880B31
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....W..7....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IBY.{....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VBY.{....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VBY.{....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VBY.{..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VBY.{...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............B......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 2 14:24:47 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.9972713180758217
Encrypted:	false
SSDEEP:	48:8U2dayT6+VlHFeidAKZdA1weh/iZUkAQkqehvy+2:8U0LrG9Qay
MD5:	F85A0BD7ACB590BD8D9D5511754D10F5
SHA1:	0F7F1F84252B24E163270C4528F62C1275581449
SHA-256:	2CEC059022C59DFEB64B8698B3C21EC412B845E471331C52B5A6A6526059D93A
SHA-512:	8F68E29C842576CBC5CA8D21F4D82635F1A0DBA2954BC45D9B839AFE128636D30ED80D4ED43ACEE6765F79AB1D0E77F6101786C571A1D0ADBF5725F50D2FE4C5
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....i..7....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IBY.{....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VBY.{....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VBY.{....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VBY.{..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VBY.{...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............B......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2693
Entropy (8bit):	4.008279382810784
Encrypted:	false
SSDEEP:	48:8x2dayT6+VsHFeidAKZdA14tseh7sFiZUkmgqeh7sZy+BX:8x0LMunby
MD5:	E8FB373316CCCB4206C022C9502128D2
SHA1:	D4CFD32A5DD80168710FBF92BE4CD3D9D75A9D51
SHA-256:	F9FD992E3C87686E8BD01723D8EFFE45D114C1DADAC6FF91E988A71A3B7D1E04
SHA-512:	D9E0E21BBF3A518236ABE97DC1907B83838CCF9FC9295D6ED0C262E52CBFCE80417F151A06A82C8FE68F98FD9FF7077AD3031329D305C5BBB2DEBCD5E547FF39
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......e>....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IBY.{....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VBY.{....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VBY.{....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VBY.{..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VDW.n...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............B......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 2 14:24:47 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.9977971387203906
Encrypted:	false
SSDEEP:	48:8VdayT6+VlHFeidAKZdA1vehDiZUkwqehTy+R:8RLrNRy
MD5:	43CF6121D9471C4A7B4F7EE38661A1ED
SHA1:	FF558FB2E64C8FCB01D31ED5FD04387B43ED423D
SHA-256:	62A7B285C6DCBA265AD3E1169922E54A34BC1ABD2CF4DDB150669B595E2EF6B5
SHA-512:	1577CEAC3CD0C896D7B284A9160D7113B95EBDE36B6AD671A46BE2F6B6FCF46A32EF8F37BC3FAE29B5D21D25ED51B9B3AD43F425119468DE889C8E5C5DA5F9ED
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......7....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IBY.{....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VBY.{....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VBY.{....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VBY.{..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VBY.{...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............B......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 2 14:24:47 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.985902634456948
Encrypted:	false
SSDEEP:	48:88dayT6+VlHFeidAKZdA1hehBiZUk1W1qehFy+C:8+LrN9ly
MD5:	5F21ACDE699D7361FFEB8408DB616803
SHA1:	74679AB184AB593C87236447A6961FF1C3E76B31
SHA-256:	D50BDBA9757A21884750271B23DE8832FA23A8C9DC634B2A4AE33AAF6E20E19A
SHA-512:	8069EA5F5CC91CD999840A09F928E910532B0D8CB0FD703F7826B85EF7FCC4E5F1EACAA3E47E3FEFCA6A977B1FF0A9B60DF2A255BB7211C69858FAEAC124893C
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.......7....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IBY.{....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VBY.{....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VBY.{....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VBY.{..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VBY.{...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............B......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 2 14:24:47 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2683
Entropy (8bit):	3.9940903402173
Encrypted:	false
SSDEEP:	48:8edayT6+VlHFeidAKZdA1duT+ehOuTbbiZUk5OjqehOuTbby+yT+:8MLrRT/TbxWOvTbby7T
MD5:	9AC6BF5E55327F84D2DAE9AF22ED21C6
SHA1:	AF153F221CDED4325B3A6F37F084DC106C2B7C02
SHA-256:	D7D0C1119CC99F5AD5D84272B8566E8462F7481E659F8822D80D9B5437356D4B
SHA-512:	2EC30F91AF3ECE9B4A3D76BA9E9FF5D0E0C2EDDBB5D885C8B3929D1011A30DB1EC8D44F6C1F5EEE06CCC92190D06EBDFACA20B5EEF3F1106E1E4BE33B5FC3CEF
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....e!q7....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IBY.{....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VBY.{....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VBY.{....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VBY.{..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VBY.{...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............B......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Chrome Cache Entry: 100

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (553)
Category:	downloaded
Size (bytes):	743936
Entropy (8bit):	5.791085889652278
Encrypted:	false
SSDEEP:	6144:aVXWBQkPdzg5pTX1ROv/duPzd8C3s891/N:7fd8j91/N
MD5:	D20AA383CD31013B68BB10390CBE0230
SHA1:	2DF35559BBA0B93FE305C4B828324E9F9EFA234D
SHA-256:	9F91BD315E202B9EC035C25EFFCE646CEC9AB1E8599496198AA8BEC437CDD228
SHA-512:	EA023EEB24C48A2F463E0CFC9107C6FCD76BBA9292ED49839AAF0AC7845DBD48AB4876376A6A7D4EE902B0649BFE5E0AC2960D954079A94BF2F64A5BC2CBCD9C
Malicious:	false
Reputation:	low
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/am=5IFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/excm=_b,_tp,identifierview/ed=1/dg=0/wt=2/ujg=1/rs=AOaEmlHJL2nU2EL_uUPBIEb5OQMKdqHGhg/m=_b,_tp"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._._F_toggles_initialize=function(a){(typeof globalThis!=="undefined"?globalThis:typeof self!=="undefined"?self:this)._F_toggles=a\|\|[]};(0,_._F_toggles_initialize)([0x286081e4, 0x2046d860, 0x39e13c40, 0x14501e80, 0xe420, 0x0, 0x1a000000, 0x1d000003, 0xc, ]);./.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0././.. Copyright Google LLC. SPDX-License-Identifier: Apache-2.0././.. Copyright 2024 Google, Inc. SPDX-License-Identifier: MIT././. SPDX-License-Identifier: Apache-2.0././. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0./.var baa,daa,Ma,Sa,gaa,iaa,jb,qaa,waa,Caa,Haa,Kaa,Jb,Laa,Ob,Qb,Rb,Maa,Naa,Sb,Oaa,Paa,Qaa,Yb,Vaa,Xaa,ec,fc,gc,bba,cba,gba,jba,lba,mba,qba,tba,nba,sba,rba,pba,oba,uba,yba,Cba,Dba,Aba,Hc,Ic,Gba,Iba,Mba,Nba,Oba,Pba,Lba,Qba,Sba,dd,Uba,Vba,Xba,Zba,Yba,aca,bca,cca,dca,fca,eca,hca,ica,jca,kca,nca,

Chrome Cache Entry: 101

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (1694)
Category:	downloaded
Size (bytes):	32500
Entropy (8bit):	5.378903546681047
Encrypted:	false
SSDEEP:	768:zYlbuROstb0e39nKGrkysU0smpu4OLOdzIf1p/5GeSsngurz6aKEEEGo/:zYl61Cysbu4OLOdzIfrIen72ZFo/
MD5:	BF4BF9728A7C302FBA5B14F3D0F1878B
SHA1:	2607CA7A93710D629400077FF3602CB207E6F53D
SHA-256:	8981E7B228DF7D6A8797C0CD1E9B0F1F88337D5F0E1C27A04E7A57D2C4309798
SHA-512:	AC9E170FC3AFDC0CF6BB8E926B93EF129A5FAD1BBA51B60BABCF3555E9B652E98F86A00FB099879DED35DD3FFE72ECFA597E20E6CA8CF402BEDEC40F78412EDA
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=5IFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=_b,_tp/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEr6KOaFsGvhdDsnkaRQWWkVkg2lQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=byfTOb,lsjVmc,LEikZe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{.var Aua=function(a,b){this.da=a;this.ea=b;if(!c){var c=new _.ap("//www.google.com/images/cleardot.gif");_.op(c)}this.ka=c};_.h=Aua.prototype;_.h.Zc=null;_.h.lZ=1E4;_.h.bA=!1;_.h.nQ=0;_.h.zJ=null;_.h.bV=null;_.h.setTimeout=function(a){this.lZ=a};_.h.start=function(){if(this.bA)throw Error("dc");this.bA=!0;this.nQ=0;Bua(this)};_.h.stop=function(){Cua(this);this.bA=!1};.var Bua=function(a){a.nQ++;navigator!==null&&"onLine"in navigator&&!navigator.onLine?_.km((0,_.bg)(a.aH,a,!1),0):(a.aa=new Image,a.aa.onload=(0,_.bg)(a.Fja,a),a.aa.onerror=(0,_.bg)(a.Eja,a),a.aa.onabort=(0,_.bg)(a.Dja,a),a.zJ=_.km(a.Gja,a.lZ,a),a.aa.src=String(a.ka))};_.h=Aua.prototype;_.h.Fja=function(){this.aH(!0)};_.h.Eja=function(){this.aH(!1)};_.h.Dja=function(){this.aH(!1)};_.h.Gja=function(){this.aH(!1)};._.h.aH=function(a){Cua(this);a?(this.bA=!1,this.da.call(this.ea,!0)):this.nQ<=0?Bua(this):(this.bA=!1,

Chrome Cache Entry: 102

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	84
Entropy (8bit):	4.875266466142591
Encrypted:	false
SSDEEP:	3:DZFJu0+WVTBCq2Bjdw2KsJJuYHSKnZ:lFJuuVTBudw29nu4SKZ
MD5:	87B6333E98B7620EA1FF98D1A837A39E
SHA1:	105DE6815B0885357DE1414BFC0D77FCC9E924EF
SHA-256:	DCD3C133C5C40BECD4100BBE6EDAE84C9735E778E4234A5E8395C56FF8A733BA
SHA-512:	867D7943D813685FAA76394E53199750C55817E836FD19C933F74D11E9657CE66719A6D6B2E39EE1DE62358BCE364E38A55F4E138DF92337DE6985DDCD5D0994
Malicious:	false
URL:	https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xMzISHgmA6QC9dWevzxIFDRkBE_oSBQ3oIX6GEgUN05ioBw==?alt=proto
Preview:	Cj0KBw0ZARP6GgAKKQ3oIX6GGgQISxgCKhwIClIYCg5AIS4jJF8qLSY/Ky8lLBABGP////8PCgcN05ioBxoA

Chrome Cache Entry: 103

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (2544)
Category:	downloaded
Size (bytes):	358799
Entropy (8bit):	5.624587482410481
Encrypted:	false
SSDEEP:	6144:T/wM8RGYcBlKmhCxiDlnc0pYMSrBg5X3rU:TD8XxEdA
MD5:	A51DFF6CB98C15CBA0A2B688CC0A862F
SHA1:	5CF15DBD322A0F9CF3A820013E185EC2EDD56BB0
SHA-256:	854215C9FE46B6029883F37C44512F7EB10BA97FC7A623C237DC6824BD92DB1E
SHA-512:	D1036F2C4AE71BE22315D5AEC062E1D59EA2570D7138B97F367149C9622BEE35EAC1DBE9818AC7BE107D88683089EBE220951D025CC11908055B108B27D7BD86
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=5IFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,EFQ78c,EIOG1e,GwYlN,I6YDgd,IZT63,K0PMbc,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PrPYRd,Rkm0ef,SCuOPb,STuCOe,SpsfSb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,ZakeSe,_b,_tp,aC1iue,aW3pY,bSspM,byfTOb,cYShmd,eVCnO,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,lwddkf,m9oV,mzzZzc,n73qwf,njlZCf,oLggrd,qPfo0c,qmdT9,rCcCxc,siKnQd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,y5vRwf,zbML3c,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEr6KOaFsGvhdDsnkaRQWWkVkg2lQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=K1ZKnb,ziZ8Mc,b3kMqb,mvkUhe,CMcBD,Fndnac,t2srLd,EN3i8d,z0u0L,xiZRqc"
Preview:	"use strict";_F_installCss(".r4WGQb{position:relative}.Dl08I>:first-child{margin-top:0}.Dl08I>:last-child{margin-bottom:0}.IzwVE{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-family:\"Google Sans\",roboto,\"Noto Sans Myanmar UI\",arial,sans-serif;font-size:1.25rem;font-weight:400;letter-spacing:0rem;line-height:1.2}.l5PPKe{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-size:1rem}.l5PPKe .dMNVAe{margin:0;padding:0}.l5PPKe>:first-child{margin-top:0;padding-top:0}.l5PPKe>:last-child{margin-bottom:0;padding-bottom:0}.Dl08I{margin:0;padding:0;position:relative}.Dl08I>.SmR8:only-child{padding-top:1px}.Dl08I>.SmR8:only-child::before{top:0}.Dl08I>.SmR8:not(first-child){padding-bottom:1px}.Dl08I>.SmR8::after{bottom:0}.Dl08I>.SmR8:only-child::before,.Dl08I>.SmR8::after{border-bottom:1px solid #c4c7c5;border-bottom:1px solid var(--gm3-sys-color-outline-variant,#c4c7c5);content:\"\";height:0;left:0;position:absolute;width:100%}.aZvCDf{margin-top:8px;margin-left

Chrome Cache Entry: 104

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (2907)
Category:	downloaded
Size (bytes):	22833
Entropy (8bit):	5.425034548615223
Encrypted:	false
SSDEEP:	384:7lFo6ZEdpgtmyiPixV9OX9gMBpHkHnfst9lZulagGcwYHiRFjJzN7:77o6ZviPixV8xpEHn89l4IgGcwYCRtb7
MD5:	749B18538FE32BFE0815D75F899F5B21
SHA1:	AF95A019211AF69F752A43CAA54A83C2AFD41D28
SHA-256:	116B2687C1D5E00DB56A79894AB0C12D4E2E000B9379B7E7AD751B84DF611F3F
SHA-512:	E4B6F4556AA0FD9979BB52681508F5E26FFB256473803F74F7F5C8D93FA3636D7D0A5835618FBC6123022805CE0D9616A7451A0F302C665E28A6090B5D588505
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=5IFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEr6KOaFsGvhdDsnkaRQWWkVkg2lQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=RqjULd"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.uu.prototype.da=_.ca(40,function(){return _.rj(this,3)});_.$y=function(a,b){this.key=a;this.defaultValue=!1;this.flagName=b};_.$y.prototype.ctor=function(a){return typeof a==="boolean"?a:this.defaultValue};_.az=function(){this.ka=!0;var a=_.vj(_.dk(_.Be("TSDtV",window),_.zya),_.uu,1,_.qj())[0];if(a){var b={};for(var c=_.n(_.vj(a,_.Aya,2,_.qj())),d=c.next();!d.done;d=c.next()){d=d.value;var e=_.Jj(d,1).toString();switch(_.tj(d,_.vu)){case 3:b[e]=_.Hj(d,_.lj(d,_.vu,3));break;case 2:b[e]=_.Jj(d,_.lj(d,_.vu,2));break;case 4:b[e]=_.Kj(d,_.lj(d,_.vu,4));break;case 5:b[e]=_.Lj(d,_.lj(d,_.vu,5));break;case 6:b[e]=_.Pj(d,_.ff,6,_.vu);break;default:throw Error("jd`"+_.tj(d,_.vu));}}}else b={};this.ea=b;this.token=.a?a.da():null};_.az.prototype.aa=function(a){if(!this.ka\|\|a.key in this.ea)a=a.ctor(this.ea[a.key]);else if(_.Be("nQyAE",window)){var b=_.Cya(a.flagName);if(b===null)a=a.de

Chrome Cache Entry: 105

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (533)
Category:	downloaded
Size (bytes):	9210
Entropy (8bit):	5.404371326611379
Encrypted:	false
SSDEEP:	192:EEFZpeip4HzZlY0If0Ma23jcUcrhCx6VD1TYPi8:Es/p4jgjUhtD1TY68
MD5:	21E893B65627B397E22619A9F5BB9662
SHA1:	F561B0F66211C1E7B22F94B4935C312AB7087E85
SHA-256:	FFA9B8BC8EF2CDFF5EB4BA1A0BA1710A253A5B42535E2A369D5026967DCF4673
SHA-512:	3DE3CD6A4E9B06AB3EB324E90A40B5F2AEEA8D7D6A2651C310E993CF79EEB5AC6E2E33C587F46B2DD20CC862354FD1A61AEBB9B990E6805F6629404BA285F8FA
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=5IFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PrPYRd,Rkm0ef,SCuOPb,STuCOe,SpsfSb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,byfTOb,cYShmd,eVCnO,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,qPfo0c,qmdT9,rCcCxc,siKnQd,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEr6KOaFsGvhdDsnkaRQWWkVkg2lQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ltDFwf,SD8Jgb,rmumx,E87wgc,qPYxq,Tbb4sb,pxq3x,f8Gu1e,soHxf,YgOFye,yRXbo,bTi8wc,ywOR5c,PHUIyb"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.qNa=_.y("SD8Jgb",[]);._.GX=function(a,b){if(typeof b==="string")a.Lc(b);else if(b instanceof _.Fp&&b.ia&&b.ia===_.A)b=_.Ya(b.Lw()),a.empty().append(b);else if(b instanceof _.Ua)b=_.Ya(b),a.empty().append(b);else if(b instanceof Node)a.empty().append(b);else throw Error("Vf");};_.HX=function(a){var b=_.Io(a,"[jsslot]");if(b.size()>0)return b;b=new _.Go([_.Kk("span")]);_.Jo(b,"jsslot","");a.empty().append(b);return b};_.NLb=function(a){return a===null\|\|typeof a==="string"&&_.Hi(a)};._.k("SD8Jgb");._.MX=function(a){_.X.call(this,a.Fa);this.Ua=a.controller.Ua;this.od=a.controllers.od[0]\|\|null;this.header=a.controller.header;this.nav=a.controller.nav;var b;(b=this.oa().find("button:not([type])").el())==null\|\|b.setAttribute("type","button")};_.J(_.MX,_.X);_.MX.Ba=function(){return{controller:{Ua:{jsname:"n7vHCb",ctor:_.mv},header:{jsname:"tJHJj",ctor:_.mv},nav:{jsname:"DH6Rkf",ct

Chrome Cache Entry: 106

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (681)
Category:	downloaded
Size (bytes):	4066
Entropy (8bit):	5.363016925556486
Encrypted:	false
SSDEEP:	96:G2CiFZX5BReR68ujioIRVrqtyzBeTV6SfyAKLif9c7w:bCMZXVeR6jiosVrqtyzBaImyAKw9x
MD5:	FC5E597D923838E10390DADD12651A81
SHA1:	C9959F8D539DB5DF07B8246EC12539B6A9CC101F
SHA-256:	A7EBD5280C50AE93C061EAE1E9727329E015E97531F8F2D82D0E3EA76ADB37B4
SHA-512:	784CA572808F184A849388723FBB3701E6981D885BBA8A330A933F90BF0B36A2E4A491D4463A27911B1D9F7A7134F23E15F187FC7CB4554EAE9BC252513EED7C
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=5IFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A1yn5d,A7fCU,AvtSve,CMcBD,E87wgc,EEDORb,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,Mlhmy,MpJwZc,NOeYWe,NTMZac,NwH0H,O6y8ed,OTA3Ae,OmgaI,PHUIyb,PrPYRd,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,Ug7Xab,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZakeSe,ZfAoz,_b,_tp,aC1iue,aW3pY,aurFic,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,ebZ3mb,f8Gu1e,fKUV3e,gJzDyc,gychg,hc6Ubd,inNHtf,iyZMqd,kWgXee,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,ovKuLd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xUdipf,xiZRqc,y5vRwf,yDVVkb,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEr6KOaFsGvhdDsnkaRQWWkVkg2lQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=sOXFj,q0xTif,ZZ4WUe"
Preview:	"use strict";_F_installCss(".N7rBcd{overflow-x:auto}sentinel{}");.this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.vg(_.aqa);._.k("sOXFj");.var tu=function(a){_.W.call(this,a.Fa)};_.J(tu,_.W);tu.Ba=_.W.Ba;tu.prototype.aa=function(a){return a()};_.nu(_.$pa,tu);._.l();._.k("oGtAuc");._.yya=new _.pf(_.aqa);._.l();._.k("q0xTif");.var sza=function(a){var b=function(d){_.Sn(d)&&(_.Sn(d).Jc=null,_.Du(d,null));d.XyHi9&&(d.XyHi9=null)};b(a);a=a.querySelectorAll("[c-wiz]");for(var c=0;c<a.length;c++)b(a[c])},Pu=function(a){_.kt.call(this,a.Fa);this.Qa=this.dom=null;if(this.kl()){var b=_.zm(this.Ug(),[_.Em,_.Dm]);b=_.ni([b[_.Em],b[_.Dm]]).then(function(c){this.Qa=c[0];this.dom=c[1]},null,this);_.hu(this,b)}this.Ra=a.lm.zea};_.J(Pu,_.kt);Pu.Ba=function(){return{lm:{zea:function(a){return _.Ue(a)}}}};Pu.prototype.zp=function(a){return this.Ra.zp(a)};.Pu.prototype.getData=function(a){return this.Ra.getData(a)};Pu.prototype.qo=function(){_.Kt(this.d

Chrome Cache Entry: 107

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (3190)
Category:	downloaded
Size (bytes):	339747
Entropy (8bit):	5.53363647964667
Encrypted:	false
SSDEEP:	3072:Vuv7kVKtaVFuzDXG6ZfzeelpRv9xqjne01T2HemAIaDlC6diGVOY50UlRQQIBeDq:svaKtM6ZfTxene0F2HemAaGP6BBe2
MD5:	D2D05D80ACF53F04C1BEB6A387216F5E
SHA1:	6E8B87D352419E28C5F8E3881787DC6C56CEB26E
SHA-256:	4BA0D4EA27446C609D515539A334E3B16A4AC7BF936A996CF7E3927FFDDD569F
SHA-512:	966582697B455B2DDC52210A0F46EFD77EDC67D668E7FC2F14E18DF38E8595472AB76ED17B9D2928E16FA987E3231C2A45D9BD52D9DC2CE7E4C394E2453518E6
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=5IFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=LEikZe,_b,_tp,byfTOb,lsjVmc/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEr6KOaFsGvhdDsnkaRQWWkVkg2lQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=n73qwf,SCuOPb,IZT63,vfuNJf,UUJqVe,ws9Tlc,siKnQd,XVq9Qb,STuCOe,njlZCf,m9oV,vjKJJ,y5vRwf,iyZMqd,NTMZac,mzzZzc,rCcCxc,vvMGie,NOeYWe,O6y8ed,L9OGUe,PrPYRd,MpJwZc,qPfo0c,cYShmd,hc6Ubd,Rkm0ef,KUM7Z,oLggrd,inNHtf,L1AAkb,WpP9Yc,lwddkf,gJzDyc,SpsfSb,aC1iue,tUnxGc,aW3pY,ZakeSe,EFQ78c,xQtZb,I6YDgd,zbML3c,zr1jrb,vHEMJe,YHI3We,YTxL4,bSspM,Uas9Hd,zy0vNb,K0PMbc,AvtSve,qmdT9,MY7mZe,xBaz7b,GwYlN,eVCnO,EIOG1e,LDQI"
Preview:	"use strict";_F_installCss(".EE6QGf{border-bottom-style:solid;border-bottom-width:1px;padding:16px;width:100%;z-index:6;background:#fff;background:var(--gm3-sys-color-surface-container-lowest,#fff);border-color:#c4c7c5;border-color:var(--gm3-sys-color-outline-variant,#c4c7c5);display:block;position:relative}.EE6QGf~.S7xv8,.EE6QGf~.gfM9Zd{padding-top:inherit}@media (min-width:600px){.EE6QGf{align-items:center;display:flex;left:0;position:fixed;top:0}.EE6QGf~.S7xv8,.EE6QGf~.gfM9Zd{padding-top:150px}}@media (min-width:600px) and (orientation:landscape){.EE6QGf{display:block;position:relative}.EE6QGf~.S7xv8,.EE6QGf~.gfM9Zd{padding-top:inherit}}@media (min-width:960px) and (orientation:landscape){.EE6QGf{align-items:center;display:flex;left:0;position:fixed;top:0}.EE6QGf~.S7xv8,.EE6QGf~.gfM9Zd{padding-top:150px}}.PZB4Lc{display:flex;width:100%}.YLIzab{font-family:\"Google Sans\",roboto,\"Noto Sans Myanmar UI\",arial,sans-serif;font-size:1rem;font-weight:500;letter-spacing:0rem;line-height:1

Chrome Cache Entry: 108

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (522)
Category:	downloaded
Size (bytes):	5050
Entropy (8bit):	5.289052544075544
Encrypted:	false
SSDEEP:	96:o4We0hP7OBFXYvB1sig3Fd8HkaXzLmUrv8Vh1WJlLQXT2v2gqw:655758Fd8HkaPZ0GmAD
MD5:	26E26FD11772DFF5C7004BEA334289CC
SHA1:	638DAAF541BDE31E95AEE4F8ADA677434D7051DB
SHA-256:	ADFE3E4960982F5EF4C043052A9990D8683C5FC2B590E817B6B1A5774DDE2CE3
SHA-512:	C31929EB6D1C60D6A84A2574FF60490394A6D6F9B354972F3328952F570D80B3F2AEC916B0E1B66DDB1AC056EB75BFAC477E7AF631D0AD1810EDBAF025465D66
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=5IFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A1yn5d,A7fCU,AvtSve,CMcBD,E87wgc,EEDORb,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,Mlhmy,MpJwZc,NOeYWe,NTMZac,NwH0H,O6y8ed,OTA3Ae,OmgaI,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,Ug7Xab,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZfAoz,ZwDk9d,_b,_tp,aC1iue,aW3pY,aurFic,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,ebZ3mb,f8Gu1e,fKUV3e,gJzDyc,gychg,hc6Ubd,iAskyc,inNHtf,iyZMqd,kWgXee,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,ovKuLd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xUdipf,xiZRqc,y5vRwf,yDVVkb,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEr6KOaFsGvhdDsnkaRQWWkVkg2lQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=wg1P6b"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.jNa=_.y("wg1P6b",[_.TA,_.Cn,_.Kn]);._.k("wg1P6b");.var Z5a;Z5a=_.mh(["aria-"]);._.uJ=function(a){_.X.call(this,a.Fa);this.Ka=this.wa=this.aa=this.viewportElement=this.Na=null;this.Hc=a.Ea.ff;this.ab=a.Ea.focus;this.Fc=a.Ea.Fc;this.ea=this.Pi();a=-1*parseInt(_.Co(this.Pi().el(),"marginTop")\|\|"0",10);var b=parseInt(_.Co(this.Pi().el(),"marginBottom")\|\|"0",10);this.Ta={top:a,right:0,bottom:b,left:0};a=_.cf(this.getData("isMenuDynamic"),!1);b=_.cf(this.getData("isMenuHoisted"),!1);this.Ga=a?1:b?2:0;this.ka=!1;this.Ca=1;this.Ga!==1&&(this.aa=this.Sa("U0exHf").children().Wc(0),_.ku(this,.$5a(this,this.aa.el())));_.kF(this.oa())&&(a=this.oa().el(),b=this.we.bind(this),a.__soy_skip_handler=b)};_.J(_.uJ,_.X);_.uJ.Ba=function(){return{Ea:{ff:_.ZE,focus:_.KE,Fc:_.ru}}};_.uJ.prototype.xF=function(a){var b=a.source;this.Na=b;var c;((c=a.data)==null?0:c.fz)?(a=a.data.fz,this.Ca=a==="MOUS

Chrome Cache Entry: 93

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (755)
Category:	downloaded
Size (bytes):	1416
Entropy (8bit):	5.275155058463166
Encrypted:	false
SSDEEP:	24:kMYD7hqCsNRxoYTY9/qoVk7hz1l2p6vDMW94uEQOeGbCx4VGbgCSFBV87O/BprGJ:o7hv6oy12kvwKEeGbC6GbHSh/Hrw
MD5:	4DB6842CDFAC9E03D7C1CF87E398B357
SHA1:	08158AB8F5947E048C88A1289E9E8CE9641B7CE9
SHA-256:	8991D23B586608AE114E150355FF192B30A379EAB1DC3F1444109DDC52B13AC1
SHA-512:	FB7C461DFB96B10E099C3BA41C45AA904BB7D473EF0D44BD6A2E841BC44336DD5F1C9B73919B79A6BF4AA13B806E742F2003A16528E995374E210BB4C3E96EFA
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=5IFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A1yn5d,A7fCU,AvtSve,CMcBD,E87wgc,EEDORb,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,Mlhmy,MpJwZc,NOeYWe,NTMZac,NwH0H,O6y8ed,OTA3Ae,OmgaI,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,Ug7Xab,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZfAoz,ZwDk9d,_b,_tp,aC1iue,aW3pY,aurFic,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,ebZ3mb,f8Gu1e,fKUV3e,gJzDyc,gychg,hc6Ubd,inNHtf,iyZMqd,kWgXee,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,ovKuLd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xUdipf,xiZRqc,y5vRwf,yDVVkb,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEr6KOaFsGvhdDsnkaRQWWkVkg2lQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=P6sQOc"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("P6sQOc");.var $Za=!!(_.Kh[1]&16);var b_a=function(a,b,c,d,e){this.ea=a;this.wa=b;this.ka=c;this.Ca=d;this.Ga=e;this.aa=0;this.da=a_a(this)},c_a=function(a){var b={};_.La(a.yS(),function(e){b[e]=!0});var c=a.pS(),d=a.tS();return new b_a(a.qP(),c.aa()1E3,a.WR(),d.aa()1E3,b)},a_a=function(a){return Math.random()Math.min(a.waMath.pow(a.ka,a.aa),a.Ca)},OG=function(a,b){return a.aa>=a.ea?!1:b!=null?!!a.Ga[b]:!0};var PG=function(a){_.W.call(this,a.Fa);this.da=a.Ea.EV;this.ea=a.Ea.metadata;a=a.Ea.Xga;this.fetch=a.fetch.bind(a)};_.J(PG,_.W);PG.Ba=function(){return{Ea:{EV:_.YZa,metadata:_.VZa,Xga:_.OZa}}};PG.prototype.aa=function(a,b){if(this.ea.getType(a.Od())!==1)return _.Sm(a);var c=this.da.eV;return(c=c?c_a(c):null)&&OG(c)?_.wya(a,d_a(this,a,b,c)):_.Sm(a)};.var d_a=function(a,b,c,d){return c.then(function(e){return e},function(e){if($Za)if(e instanceof _.lf){if(!e.status\|\|

Chrome Cache Entry: 94

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (395)
Category:	downloaded
Size (bytes):	1652
Entropy (8bit):	5.269909938363071
Encrypted:	false
SSDEEP:	48:o72ZrNZDuZW4yNAbU+15fMxIdf5WENoBCbw7DbG2bEJrw:oyRuZMNAY+1i4HoBNG2Ilw
MD5:	63E5B24335CCDC457DD0B69AD1891CF9
SHA1:	8DD3AED0737BEDBEE133BA564D3CA43579A138F7
SHA-256:	FB72BE79F85659D5AF831FD644C4702EA5BFC6E6A90CDB156DE0816B179278C0
SHA-512:	EC3A143FED571A7FC490433F11DDBD66752E42F0BAC476F79F9B8310DB0419CAE2B8CD65F1283D590F5979F4CC1FB8B2610F106BF38E0B93F384201B8BF5E5DA
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=5IFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEr6KOaFsGvhdDsnkaRQWWkVkg2lQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=xUdipf,OTA3Ae,A1yn5d,fKUV3e,aurFic,Ug7Xab,NwH0H,OmgaI,gychg,w9hDv,EEDORb,Mlhmy,ZfAoz,kWgXee,ovKuLd,yDVVkb,ebZ3mb,ZDZcre,A7fCU"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("w9hDv");._.vg(_.Hla);_.eA=function(a){_.W.call(this,a.Fa);this.aa=a.Xa.cache};_.J(_.eA,_.W);_.eA.Ba=function(){return{Xa:{cache:_.dt}}};_.eA.prototype.execute=function(a){_.Bb(a,function(b){var c;_.$e(b)&&(c=b.eb.kc(b.kb));c&&this.aa.xG(c)},this);return{}};_.nu(_.Nla,_.eA);._.l();._.k("lOO0Vd");._.VZa=new _.pf(_.Am);._.l();._.k("ZDZcre");.var fH=function(a){_.W.call(this,a.Fa);this.Wl=a.Ea.Wl;this.d4=a.Ea.metadata;this.aa=a.Ea.ot};_.J(fH,_.W);fH.Ba=function(){return{Ea:{Wl:_.KG,metadata:_.VZa,ot:_.HG}}};fH.prototype.execute=function(a){var b=this;a=this.aa.create(a);return _.Bb(a,function(c){var d=b.d4.getType(c.Od())===2?b.Wl.Rb(c):b.Wl.fetch(c);return _.yl(c,_.LG)?d.then(function(e){return _.Dd(e)}):d},this)};_.nu(_.Sla,fH);._.l();._.k("K5nYTd");._.UZa=new _.pf(_.Ola);._.l();._.k("sP4Vbe");.._.l();._.k("kMFpHd");.._.l();._.k("A7fCU");.var NG=function(a){_.W.call(this,a

Chrome Cache Entry: 95

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	downloaded
Size (bytes):	5430
Entropy (8bit):	3.6534652184263736
Encrypted:	false
SSDEEP:	48:wIJct3xIAxG/7nvWDtZcdYLtX7B6QXL3aqG8Q:wIJct+A47v+rcqlBPG9B
MD5:	F3418A443E7D841097C714D69EC4BCB8
SHA1:	49263695F6B0CDD72F45CF1B775E660FDC36C606
SHA-256:	6DA5620880159634213E197FAFCA1DDE0272153BE3E4590818533FAB8D040770
SHA-512:	82D017C4B7EC8E0C46E8B75DA0CA6A52FD8BCE7FCF4E556CBDF16B49FC81BE9953FE7E25A05F63ECD41C7272E8BB0A9FD9AEDF0AC06CB6032330B096B3702563
Malicious:	false
URL:	https://www.google.com/favicon.ico
Preview:	............ .h...&... .... .........(....... ..... ............................................0...................................................................................................................................v.].X.:.X.:.r.Y........................................q.X.S.4.S.4.S.4.S.4.S.4.S.4...X....................0........q.W.S.4.X.:.................J...A...g.........................K.H.V.8..........................F..B.....................,.......................................B..............................................B..B..B..B..B...u..........................................B..B..B..B..B...{.................5.......k...........................................................7R..8F.................................................2........Vb..5C..;I..................R^.....................0................Xc..5C..5C..5C..5C..5C..5C..lv..........................................]i..<J..:G..Zf....................................................

Chrome Cache Entry: 96

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (570)
Category:	downloaded
Size (bytes):	3467
Entropy (8bit):	5.514745431912774
Encrypted:	false
SSDEEP:	96:ozbld2fNUmeqJNizhNtt1W8t//loyIpXmdVE2w:onSKE8PWe/Cy4X3j
MD5:	8DEF399E8355ABC23E64505281005099
SHA1:	24FF74C3AEFD7696D84FF148465DF4B1B60B1696
SHA-256:	F128D7218E1286B05DF11310AD3C8F4CF781402698E45448850D2A3A22F5F185
SHA-512:	33721DD47658D8E12ADF6BD9E9316EB89F5B6297927F7FD60F954E04B829DCBF0E1AE6DDD9A3401F45E0011AE4B1397B960C218238A3D0F633A2173D8E604082
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=5IFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A1yn5d,A7fCU,AvtSve,CMcBD,E87wgc,EEDORb,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,Mlhmy,MpJwZc,NOeYWe,NTMZac,NwH0H,O6y8ed,OTA3Ae,OmgaI,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,Ug7Xab,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZfAoz,ZwDk9d,_b,_tp,aC1iue,aW3pY,aurFic,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,ebZ3mb,f8Gu1e,fKUV3e,gJzDyc,gychg,hc6Ubd,iAskyc,inNHtf,iyZMqd,kWgXee,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,ovKuLd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,wg1P6b,ws9Tlc,xBaz7b,xQtZb,xUdipf,xiZRqc,y5vRwf,yDVVkb,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEr6KOaFsGvhdDsnkaRQWWkVkg2lQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=Wt6vjf,hhhU8,FCpbqb,WhJNk"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("Wt6vjf");.var cya=function(){var a=_.He();return _.Lj(a,1)},Yt=function(a){this.Da=_.t(a,0,Yt.messageId)};_.J(Yt,_.w);Yt.prototype.Ha=function(){return _.Dj(this,1)};Yt.prototype.Va=function(a){return _.Vj(this,1,a)};Yt.messageId="f.bo";var Zt=function(){_.hm.call(this)};_.J(Zt,_.hm);Zt.prototype.xd=function(){this.CT=!1;dya(this);_.hm.prototype.xd.call(this)};Zt.prototype.aa=function(){eya(this);if(this.wC)return fya(this),!1;if(!this.KV)return $t(this),!0;this.dispatchEvent("p");if(!this.zP)return $t(this),!0;this.wM?(this.dispatchEvent("r"),$t(this)):fya(this);return!1};.var gya=function(a){var b=new _.ap(a.W4);a.qQ!=null&&_.Jn(b,"authuser",a.qQ);return b},fya=function(a){a.wC=!0;var b=gya(a),c="rt=r&f_uid="+_.pk(a.zP);_.cn(b,(0,_.bg)(a.ea,a),"POST",c)};.Zt.prototype.ea=function(a){a=a.target;eya(this);if(_.fn(a)){this.cK=0;if(this.wM)this.wC=!1,this.dispatchEvent("r"

Chrome Cache Entry: 97

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 52280, version 1.0
Category:	downloaded
Size (bytes):	52280
Entropy (8bit):	7.995413196679271
Encrypted:	true
SSDEEP:	1536:1rvqtK8DZilXxwJ8mMwAZy7phqsFLdG3B4d:xytBZits8bw4wzbFxG3B4d
MD5:	F61F0D4D0F968D5BBA39A84C76277E1A
SHA1:	AA3693EA140ECA418B4B2A30F6A68F6F43B4BEB2
SHA-256:	57147F08949ABABE7DEEF611435AE418475A693E3823769A25C2A39B6EAD9CCC
SHA-512:	6C3BD90F709BCF9151C9ED9FFEA55C4F6883E7FDA2A4E26BF018C83FE1CFBE4F4AA0DB080D6D024070D53B2257472C399C8AC44EEFD38B9445640EFA85D5C487
Malicious:	false
URL:	https://fonts.gstatic.com/s/googlesans/v58/4UaRrENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iq2vgCI.woff2
Preview:	wOF2.......8.....................................^...$..4?HVAR..?MVAR9.`?STAT.',..J/.......`..(..Z.0..R.6.$.... .....K..[..q..c..T.....>.P.j.`.w..#...%......N.".....$..3.0.6......... .L.rX/r[j.y.\|(.4.%#.....2.v.m..-..%.....;-.Y.{..&..O=#l@...k..7g..ZI...#.Z./+T..r7...M..3).Z%.x....s..sL..[A!.51w'/.8V..2Z..%.X.h.o.).]..9..Q`.$.....7..kZ.~O........d..g.n.d.Rw+&....Cz..uy#..fz,(.J....v.%..`..9.....h...?O..:...c%.....6s....xl..#...5..._......1.>.)"U.4 W....?%......6//!$...!.n9C@n...........!""^.....W..Z<.7.x.."UT.T....E.."R>.R..t.....H d..e_.K../.+8.Q.P.ZQ....;...U....]......._.e......71.?.7.ORv.?...l...G\|.P...\|:...I.X..2.,.L........d.g.]}W#uW]QnuP-s.;.-Y.....].......C..j_.M0...y.......J..........NY..@A...,....-.F......'..w./j5g.vUS...U..0.&...y7.LP.....%.....Y......Y..D. e.A..G.?.$.......6...eaK.n5.m...N...,...+BCl..L> .E9~.b[.w.x....6<...}.e...%V....O.......*.?...a..#[eE.4..p..$...].....%......o._......N.._~..El....b..A.0.r8.....\|..D.d..

Chrome Cache Entry: 98

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (683)
Category:	downloaded
Size (bytes):	3131
Entropy (8bit):	5.355381206612617
Encrypted:	false
SSDEEP:	48:o7FEEM3MtH15jNQ8jsK3rnw0dkckTrKEp/OqLE9xz0W5Bzv3M6hIHYA+JITbwrF8:oq675jOArwoAmI/DLaxNPL5m+m6w
MD5:	E2A7251AD83A0D0634FEA2703D10ED07
SHA1:	90D72011F31FC40D3DA3748F2817F90A29EB5C01
SHA-256:	1079B49C4AAF5C10E4F2E6A086623F40D200A71FF2A1F64E88AA6C91E4BE7A6F
SHA-512:	CD6D75580EA8BD97CF7C7C0E0BD9D9A54FB6EA7DF1DDB5A95E94D38B260F9EE1425C640839ECD229B8D01E145CF2786CA374D31EC537EB8FE17FF415D5B985F5
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=5IFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A1yn5d,A7fCU,AvtSve,CMcBD,E87wgc,EEDORb,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,Mlhmy,MpJwZc,NOeYWe,NTMZac,NwH0H,O6y8ed,OTA3Ae,OmgaI,PHUIyb,PrPYRd,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,Ug7Xab,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZfAoz,_b,_tp,aC1iue,aW3pY,aurFic,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,ebZ3mb,f8Gu1e,fKUV3e,gJzDyc,gychg,hc6Ubd,inNHtf,iyZMqd,kWgXee,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,ovKuLd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xUdipf,xiZRqc,y5vRwf,yDVVkb,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEr6KOaFsGvhdDsnkaRQWWkVkg2lQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ZwDk9d,RMhBfe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("ZwDk9d");.var gA=function(a){_.W.call(this,a.Fa)};_.J(gA,_.W);gA.Ba=_.W.Ba;gA.prototype.eS=function(a){return _.Xe(this,{Xa:{gT:_.ll}}).then(function(b){var c=window._wjdd,d=window._wjdc;return!c&&d?new _.li(function(e){window._wjdc=function(f){d(f);e(ZJa(f,b,a))}}):ZJa(c,b,a)})};var ZJa=function(a,b,c){return(a=a&&a[c])?a:b.Xa.gT.eS(c)};.gA.prototype.aa=function(a,b){var c=_.Zra(b).Rj;if(c.startsWith("$")){var d=_.gm.get(a);_.uq[b]&&(d\|\|(d={},_.gm.set(a,d)),d[c]=_.uq[b],delete _.uq[b],_.vq--);if(d)if(a=d[c])b=_.af(a);else throw Error("Jb`"+b);else b=null}else b=null;return b};_.nu(_.Lfa,gA);._.l();._.k("SNUn3");._.YJa=new _.pf(_.wg);._.l();._.k("RMhBfe");.var $Ja=function(a){var b=_.tq(a);return b?new _.li(function(c,d){var e=function(){b=_.tq(a);var f=_.Sfa(a,b);f?c(f.getAttribute("jsdata")):window.document.readyState=="complete"?(f=["Unable to find deferred jsdata wit

Chrome Cache Entry: 99

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (468)
Category:	downloaded
Size (bytes):	1858
Entropy (8bit):	5.298162049824456
Encrypted:	false
SSDEEP:	48:o7vGoolL3ALFKphnpiu7xOKAcfO/3d/rYh4vZorw:o/QLUFUL4KA+2y0Mw
MD5:	CE055F881BDAB4EF6C1C8AA4B3890348
SHA1:	2671741A70E9F5B608F690AAEEA4972003747654
SHA-256:	9B91C23691D6032CDFE28863E369624B2EDB033E1487A1D1BB0977E3590E5462
SHA-512:	8A22250628985C2E570E6FBADFC0D5CB6753F0735130F9E74962A409476C2859C5C81F8A0F5C427A9F13ED399C8E251FA43FF67AD5F16860640D45E7A538E857
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=5IFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A1yn5d,A7fCU,AvtSve,CMcBD,E87wgc,EEDORb,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,Mlhmy,MpJwZc,NOeYWe,NTMZac,NwH0H,O6y8ed,OTA3Ae,OmgaI,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,Ug7Xab,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZfAoz,ZwDk9d,_b,_tp,aC1iue,aW3pY,aurFic,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,ebZ3mb,f8Gu1e,fKUV3e,gJzDyc,gychg,hc6Ubd,inNHtf,iyZMqd,kWgXee,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,ovKuLd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xUdipf,xiZRqc,y5vRwf,yDVVkb,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlEr6KOaFsGvhdDsnkaRQWWkVkg2lQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=iAskyc,ziXSP"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("iAskyc");._.QZ=function(a){_.W.call(this,a.Fa);this.window=a.Ea.window.get();this.Nc=a.Ea.Nc};_.J(_.QZ,_.W);_.QZ.Ba=function(){return{Ea:{window:_.qu,Nc:_.DE}}};_.QZ.prototype.Po=function(){};_.QZ.prototype.addEncryptionRecoveryMethod=function(){};_.RZ=function(a){return(a==null?void 0:a.Jo)\|\|function(){}};_.SZ=function(a){return(a==null?void 0:a.m3)\|\|function(){}};_.GPb=function(a){return(a==null?void 0:a.Op)\|\|function(){}};._.HPb=function(a){return new Map(Array.from(a,function(b){var c=_.n(b);b=c.next().value;c=c.next().value;return[b,c.map(function(d){return{epoch:d.epoch,key:new Uint8Array(d.key)}})]}))};_.IPb=function(a){setTimeout(function(){throw a;},0)};_.QZ.prototype.kO=function(){return!0};_.nu(_.An,_.QZ);._.l();._.k("ziXSP");.var j_=function(a){_.QZ.call(this,a.Fa)};_.J(j_,_.QZ);j_.Ba=_.QZ.Ba;j_.prototype.Po=function(a,b,c){var d;if((d=this.window.chrome)==nu

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.581959778698425
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	918'528 bytes
MD5:	eab946495e838f5895a34747e727374f
SHA1:	4a84d185f610365603daa293e0883d0f045a33f4
SHA256:	89e33273c7be2242b9f7cf00dbf12aa0023071d74e4aeb8ab475c41a40752361
SHA512:	369e27e0e4e905ced78f45b701cc8f26ff562a4559214c61d10f446609f4d16d2f02fa101cd65a4976f0a8f8b23f3d96ab403051a7a842ee5b27192091498629
SSDEEP:	12288:kqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgavTm:kqDEvCTbMWu7rQYlBQcBiT6rprG8aLm
TLSH:	26159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FD59D9 [Wed Oct 2 14:34:01 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F6BDC836F93h
jmp 00007F6BDC83689Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F6BDC836A7Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F6BDC836A4Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F6BDC83963Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F6BDC839688h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F6BDC839671h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x982c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x982c	0x9a00	3076a4d76d665fc7671714856a794af2	False	0.2962662337662338	data	5.2716959872850335	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xaf4	data			1.003922967189729
RT_GROUP_ICON	0xdd2ac	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd324	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd338	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd34c	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd360	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd43c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 17:24:39.858166933 CEST	49674	443	192.168.2.5	23.1.237.91
Oct 2, 2024 17:24:39.858170986 CEST	49675	443	192.168.2.5	23.1.237.91
Oct 2, 2024 17:24:39.967572927 CEST	49673	443	192.168.2.5	23.1.237.91
Oct 2, 2024 17:24:46.542527914 CEST	49705	443	192.168.2.5	142.250.185.78
Oct 2, 2024 17:24:46.542589903 CEST	443	49705	142.250.185.78	192.168.2.5
Oct 2, 2024 17:24:46.542643070 CEST	49705	443	192.168.2.5	142.250.185.78
Oct 2, 2024 17:24:46.542848110 CEST	49705	443	192.168.2.5	142.250.185.78
Oct 2, 2024 17:24:46.542865992 CEST	443	49705	142.250.185.78	192.168.2.5
Oct 2, 2024 17:24:47.204283953 CEST	443	49705	142.250.185.78	192.168.2.5
Oct 2, 2024 17:24:47.204632998 CEST	49705	443	192.168.2.5	142.250.185.78
Oct 2, 2024 17:24:47.204664946 CEST	443	49705	142.250.185.78	192.168.2.5
Oct 2, 2024 17:24:47.205213070 CEST	443	49705	142.250.185.78	192.168.2.5
Oct 2, 2024 17:24:47.205274105 CEST	49705	443	192.168.2.5	142.250.185.78
Oct 2, 2024 17:24:47.206218004 CEST	443	49705	142.250.185.78	192.168.2.5
Oct 2, 2024 17:24:47.206260920 CEST	49705	443	192.168.2.5	142.250.185.78
Oct 2, 2024 17:24:47.207634926 CEST	49705	443	192.168.2.5	142.250.185.78
Oct 2, 2024 17:24:47.207717896 CEST	443	49705	142.250.185.78	192.168.2.5
Oct 2, 2024 17:24:47.208328009 CEST	49705	443	192.168.2.5	142.250.185.78
Oct 2, 2024 17:24:47.208352089 CEST	443	49705	142.250.185.78	192.168.2.5
Oct 2, 2024 17:24:47.260524988 CEST	49705	443	192.168.2.5	142.250.185.78
Oct 2, 2024 17:24:47.515100956 CEST	443	49705	142.250.185.78	192.168.2.5
Oct 2, 2024 17:24:47.515953064 CEST	443	49705	142.250.185.78	192.168.2.5
Oct 2, 2024 17:24:47.516022921 CEST	49705	443	192.168.2.5	142.250.185.78
Oct 2, 2024 17:24:47.517554045 CEST	49705	443	192.168.2.5	142.250.185.78
Oct 2, 2024 17:24:47.517570019 CEST	443	49705	142.250.185.78	192.168.2.5
Oct 2, 2024 17:24:47.529392004 CEST	49710	443	192.168.2.5	142.250.185.78
Oct 2, 2024 17:24:47.529437065 CEST	443	49710	142.250.185.78	192.168.2.5
Oct 2, 2024 17:24:47.529700994 CEST	49710	443	192.168.2.5	142.250.185.78
Oct 2, 2024 17:24:47.530035019 CEST	49710	443	192.168.2.5	142.250.185.78
Oct 2, 2024 17:24:47.530051947 CEST	443	49710	142.250.185.78	192.168.2.5
Oct 2, 2024 17:24:48.187670946 CEST	443	49710	142.250.185.78	192.168.2.5
Oct 2, 2024 17:24:48.188029051 CEST	49710	443	192.168.2.5	142.250.185.78
Oct 2, 2024 17:24:48.188070059 CEST	443	49710	142.250.185.78	192.168.2.5
Oct 2, 2024 17:24:48.188720942 CEST	443	49710	142.250.185.78	192.168.2.5
Oct 2, 2024 17:24:48.188805103 CEST	49710	443	192.168.2.5	142.250.185.78
Oct 2, 2024 17:24:48.189719915 CEST	443	49710	142.250.185.78	192.168.2.5
Oct 2, 2024 17:24:48.189769030 CEST	49710	443	192.168.2.5	142.250.185.78
Oct 2, 2024 17:24:48.190887928 CEST	49710	443	192.168.2.5	142.250.185.78
Oct 2, 2024 17:24:48.190982103 CEST	443	49710	142.250.185.78	192.168.2.5
Oct 2, 2024 17:24:48.191212893 CEST	49710	443	192.168.2.5	142.250.185.78
Oct 2, 2024 17:24:48.191230059 CEST	443	49710	142.250.185.78	192.168.2.5
Oct 2, 2024 17:24:48.244901896 CEST	49710	443	192.168.2.5	142.250.185.78
Oct 2, 2024 17:24:48.493499994 CEST	443	49710	142.250.185.78	192.168.2.5
Oct 2, 2024 17:24:48.493570089 CEST	443	49710	142.250.185.78	192.168.2.5
Oct 2, 2024 17:24:48.493649960 CEST	49710	443	192.168.2.5	142.250.185.78
Oct 2, 2024 17:24:48.493680954 CEST	443	49710	142.250.185.78	192.168.2.5
Oct 2, 2024 17:24:48.494095087 CEST	443	49710	142.250.185.78	192.168.2.5
Oct 2, 2024 17:24:48.494158030 CEST	49710	443	192.168.2.5	142.250.185.78
Oct 2, 2024 17:24:48.565392971 CEST	49710	443	192.168.2.5	142.250.185.78
Oct 2, 2024 17:24:48.565423012 CEST	443	49710	142.250.185.78	192.168.2.5
Oct 2, 2024 17:24:49.463644981 CEST	49674	443	192.168.2.5	23.1.237.91
Oct 2, 2024 17:24:49.464025021 CEST	49675	443	192.168.2.5	23.1.237.91
Oct 2, 2024 17:24:49.573184967 CEST	49673	443	192.168.2.5	23.1.237.91
Oct 2, 2024 17:24:49.957791090 CEST	49714	443	192.168.2.5	216.58.206.68
Oct 2, 2024 17:24:49.957839012 CEST	443	49714	216.58.206.68	192.168.2.5
Oct 2, 2024 17:24:49.957901955 CEST	49714	443	192.168.2.5	216.58.206.68
Oct 2, 2024 17:24:49.958178997 CEST	49714	443	192.168.2.5	216.58.206.68
Oct 2, 2024 17:24:49.958194017 CEST	443	49714	216.58.206.68	192.168.2.5
Oct 2, 2024 17:24:50.594976902 CEST	443	49714	216.58.206.68	192.168.2.5
Oct 2, 2024 17:24:50.595721960 CEST	49714	443	192.168.2.5	216.58.206.68
Oct 2, 2024 17:24:50.595742941 CEST	443	49714	216.58.206.68	192.168.2.5
Oct 2, 2024 17:24:50.597161055 CEST	443	49714	216.58.206.68	192.168.2.5
Oct 2, 2024 17:24:50.597223043 CEST	49714	443	192.168.2.5	216.58.206.68
Oct 2, 2024 17:24:50.598788023 CEST	49714	443	192.168.2.5	216.58.206.68
Oct 2, 2024 17:24:50.598876953 CEST	443	49714	216.58.206.68	192.168.2.5
Oct 2, 2024 17:24:50.651228905 CEST	49714	443	192.168.2.5	216.58.206.68
Oct 2, 2024 17:24:50.651242971 CEST	443	49714	216.58.206.68	192.168.2.5
Oct 2, 2024 17:24:50.698244095 CEST	49714	443	192.168.2.5	216.58.206.68
Oct 2, 2024 17:24:51.239165068 CEST	443	49703	23.1.237.91	192.168.2.5
Oct 2, 2024 17:24:51.239270926 CEST	49703	443	192.168.2.5	23.1.237.91
Oct 2, 2024 17:24:51.437158108 CEST	49719	443	192.168.2.5	184.28.90.27
Oct 2, 2024 17:24:51.437196970 CEST	443	49719	184.28.90.27	192.168.2.5
Oct 2, 2024 17:24:51.437268019 CEST	49719	443	192.168.2.5	184.28.90.27
Oct 2, 2024 17:24:51.439939976 CEST	49719	443	192.168.2.5	184.28.90.27
Oct 2, 2024 17:24:51.439951897 CEST	443	49719	184.28.90.27	192.168.2.5
Oct 2, 2024 17:24:52.082598925 CEST	443	49719	184.28.90.27	192.168.2.5
Oct 2, 2024 17:24:52.082771063 CEST	49719	443	192.168.2.5	184.28.90.27
Oct 2, 2024 17:24:52.088574886 CEST	49719	443	192.168.2.5	184.28.90.27
Oct 2, 2024 17:24:52.088614941 CEST	443	49719	184.28.90.27	192.168.2.5
Oct 2, 2024 17:24:52.088989973 CEST	443	49719	184.28.90.27	192.168.2.5
Oct 2, 2024 17:24:52.142868996 CEST	49719	443	192.168.2.5	184.28.90.27
Oct 2, 2024 17:24:52.150043964 CEST	49719	443	192.168.2.5	184.28.90.27
Oct 2, 2024 17:24:52.195408106 CEST	443	49719	184.28.90.27	192.168.2.5
Oct 2, 2024 17:24:52.356848001 CEST	443	49719	184.28.90.27	192.168.2.5
Oct 2, 2024 17:24:52.356909990 CEST	443	49719	184.28.90.27	192.168.2.5
Oct 2, 2024 17:24:52.356977940 CEST	49719	443	192.168.2.5	184.28.90.27
Oct 2, 2024 17:24:52.357117891 CEST	49719	443	192.168.2.5	184.28.90.27
Oct 2, 2024 17:24:52.357168913 CEST	443	49719	184.28.90.27	192.168.2.5
Oct 2, 2024 17:24:52.357199907 CEST	49719	443	192.168.2.5	184.28.90.27
Oct 2, 2024 17:24:52.357215881 CEST	443	49719	184.28.90.27	192.168.2.5
Oct 2, 2024 17:24:52.389527082 CEST	49721	443	192.168.2.5	184.28.90.27
Oct 2, 2024 17:24:52.389569998 CEST	443	49721	184.28.90.27	192.168.2.5
Oct 2, 2024 17:24:52.389662027 CEST	49721	443	192.168.2.5	184.28.90.27
Oct 2, 2024 17:24:52.389966011 CEST	49721	443	192.168.2.5	184.28.90.27
Oct 2, 2024 17:24:52.389981031 CEST	443	49721	184.28.90.27	192.168.2.5
Oct 2, 2024 17:24:53.030814886 CEST	443	49721	184.28.90.27	192.168.2.5
Oct 2, 2024 17:24:53.030884981 CEST	49721	443	192.168.2.5	184.28.90.27
Oct 2, 2024 17:24:53.032428980 CEST	49721	443	192.168.2.5	184.28.90.27
Oct 2, 2024 17:24:53.032435894 CEST	443	49721	184.28.90.27	192.168.2.5
Oct 2, 2024 17:24:53.032670021 CEST	443	49721	184.28.90.27	192.168.2.5
Oct 2, 2024 17:24:53.033772945 CEST	49721	443	192.168.2.5	184.28.90.27
Oct 2, 2024 17:24:53.075402021 CEST	443	49721	184.28.90.27	192.168.2.5
Oct 2, 2024 17:24:53.306265116 CEST	443	49721	184.28.90.27	192.168.2.5
Oct 2, 2024 17:24:53.306344986 CEST	443	49721	184.28.90.27	192.168.2.5
Oct 2, 2024 17:24:53.306685925 CEST	49721	443	192.168.2.5	184.28.90.27
Oct 2, 2024 17:24:53.364355087 CEST	49721	443	192.168.2.5	184.28.90.27
Oct 2, 2024 17:24:53.364397049 CEST	443	49721	184.28.90.27	192.168.2.5
Oct 2, 2024 17:24:53.364448071 CEST	49721	443	192.168.2.5	184.28.90.27
Oct 2, 2024 17:24:53.364455938 CEST	443	49721	184.28.90.27	192.168.2.5
Oct 2, 2024 17:24:56.172306061 CEST	49733	443	192.168.2.5	216.58.206.46
Oct 2, 2024 17:24:56.172354937 CEST	443	49733	216.58.206.46	192.168.2.5
Oct 2, 2024 17:24:56.172430038 CEST	49733	443	192.168.2.5	216.58.206.46
Oct 2, 2024 17:24:56.172842979 CEST	49733	443	192.168.2.5	216.58.206.46
Oct 2, 2024 17:24:56.172861099 CEST	443	49733	216.58.206.46	192.168.2.5
Oct 2, 2024 17:24:56.832581997 CEST	443	49733	216.58.206.46	192.168.2.5
Oct 2, 2024 17:24:56.832921982 CEST	49733	443	192.168.2.5	216.58.206.46
Oct 2, 2024 17:24:56.832947969 CEST	443	49733	216.58.206.46	192.168.2.5
Oct 2, 2024 17:24:56.833534002 CEST	443	49733	216.58.206.46	192.168.2.5
Oct 2, 2024 17:24:56.833590984 CEST	49733	443	192.168.2.5	216.58.206.46
Oct 2, 2024 17:24:56.834261894 CEST	443	49733	216.58.206.46	192.168.2.5
Oct 2, 2024 17:24:56.834314108 CEST	49733	443	192.168.2.5	216.58.206.46
Oct 2, 2024 17:24:56.835530043 CEST	49733	443	192.168.2.5	216.58.206.46
Oct 2, 2024 17:24:56.835589886 CEST	443	49733	216.58.206.46	192.168.2.5
Oct 2, 2024 17:24:56.835783005 CEST	49733	443	192.168.2.5	216.58.206.46
Oct 2, 2024 17:24:56.835789919 CEST	443	49733	216.58.206.46	192.168.2.5
Oct 2, 2024 17:24:56.885413885 CEST	49733	443	192.168.2.5	216.58.206.46
Oct 2, 2024 17:24:57.149669886 CEST	443	49733	216.58.206.46	192.168.2.5
Oct 2, 2024 17:24:57.149810076 CEST	443	49733	216.58.206.46	192.168.2.5
Oct 2, 2024 17:24:57.149893045 CEST	49733	443	192.168.2.5	216.58.206.46
Oct 2, 2024 17:24:57.149909019 CEST	443	49733	216.58.206.46	192.168.2.5
Oct 2, 2024 17:24:57.149939060 CEST	443	49733	216.58.206.46	192.168.2.5
Oct 2, 2024 17:24:57.150006056 CEST	49733	443	192.168.2.5	216.58.206.46
Oct 2, 2024 17:24:57.155261040 CEST	443	49733	216.58.206.46	192.168.2.5
Oct 2, 2024 17:24:57.155333996 CEST	49733	443	192.168.2.5	216.58.206.46
Oct 2, 2024 17:24:57.161381006 CEST	443	49733	216.58.206.46	192.168.2.5
Oct 2, 2024 17:24:57.161412001 CEST	443	49733	216.58.206.46	192.168.2.5
Oct 2, 2024 17:24:57.161439896 CEST	49733	443	192.168.2.5	216.58.206.46
Oct 2, 2024 17:24:57.161453009 CEST	443	49733	216.58.206.46	192.168.2.5
Oct 2, 2024 17:24:57.161464930 CEST	49733	443	192.168.2.5	216.58.206.46
Oct 2, 2024 17:24:57.167680025 CEST	443	49733	216.58.206.46	192.168.2.5
Oct 2, 2024 17:24:57.168926954 CEST	49733	443	192.168.2.5	216.58.206.46
Oct 2, 2024 17:24:57.168936014 CEST	443	49733	216.58.206.46	192.168.2.5
Oct 2, 2024 17:24:57.173964977 CEST	443	49733	216.58.206.46	192.168.2.5
Oct 2, 2024 17:24:57.173998117 CEST	443	49733	216.58.206.46	192.168.2.5
Oct 2, 2024 17:24:57.174083948 CEST	49733	443	192.168.2.5	216.58.206.46
Oct 2, 2024 17:24:57.174118996 CEST	443	49733	216.58.206.46	192.168.2.5
Oct 2, 2024 17:24:57.174665928 CEST	49733	443	192.168.2.5	216.58.206.46
Oct 2, 2024 17:24:57.237580061 CEST	443	49733	216.58.206.46	192.168.2.5
Oct 2, 2024 17:24:57.237654924 CEST	49733	443	192.168.2.5	216.58.206.46
Oct 2, 2024 17:24:57.237911940 CEST	443	49733	216.58.206.46	192.168.2.5
Oct 2, 2024 17:24:57.237956047 CEST	49733	443	192.168.2.5	216.58.206.46
Oct 2, 2024 17:24:57.238037109 CEST	443	49733	216.58.206.46	192.168.2.5
Oct 2, 2024 17:24:57.238106966 CEST	49733	443	192.168.2.5	216.58.206.46
Oct 2, 2024 17:24:57.244172096 CEST	443	49733	216.58.206.46	192.168.2.5
Oct 2, 2024 17:24:57.244210958 CEST	443	49733	216.58.206.46	192.168.2.5
Oct 2, 2024 17:24:57.244280100 CEST	49733	443	192.168.2.5	216.58.206.46
Oct 2, 2024 17:24:57.244299889 CEST	443	49733	216.58.206.46	192.168.2.5
Oct 2, 2024 17:24:57.244709015 CEST	49737	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:57.244725943 CEST	49733	443	192.168.2.5	216.58.206.46
Oct 2, 2024 17:24:57.244755030 CEST	443	49737	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:57.244921923 CEST	49737	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:57.245342970 CEST	49737	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:57.245361090 CEST	443	49737	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:57.252396107 CEST	443	49733	216.58.206.46	192.168.2.5
Oct 2, 2024 17:24:57.252458096 CEST	49733	443	192.168.2.5	216.58.206.46
Oct 2, 2024 17:24:57.256845951 CEST	443	49733	216.58.206.46	192.168.2.5
Oct 2, 2024 17:24:57.257209063 CEST	49733	443	192.168.2.5	216.58.206.46
Oct 2, 2024 17:24:57.257220984 CEST	443	49733	216.58.206.46	192.168.2.5
Oct 2, 2024 17:24:57.263030052 CEST	443	49733	216.58.206.46	192.168.2.5
Oct 2, 2024 17:24:57.263082027 CEST	49733	443	192.168.2.5	216.58.206.46
Oct 2, 2024 17:24:57.263092995 CEST	443	49733	216.58.206.46	192.168.2.5
Oct 2, 2024 17:24:57.269594908 CEST	443	49733	216.58.206.46	192.168.2.5
Oct 2, 2024 17:24:57.269896984 CEST	443	49733	216.58.206.46	192.168.2.5
Oct 2, 2024 17:24:57.269965887 CEST	49733	443	192.168.2.5	216.58.206.46
Oct 2, 2024 17:24:57.274231911 CEST	49733	443	192.168.2.5	216.58.206.46
Oct 2, 2024 17:24:57.274249077 CEST	443	49733	216.58.206.46	192.168.2.5
Oct 2, 2024 17:24:57.382829905 CEST	49738	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:57.382874966 CEST	443	49738	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:57.382966995 CEST	49738	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:57.383424997 CEST	49738	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:57.383444071 CEST	443	49738	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:58.013935089 CEST	443	49737	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:58.014209986 CEST	49737	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:58.014245033 CEST	443	49737	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:58.015507936 CEST	443	49737	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:58.015582085 CEST	49737	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:58.018006086 CEST	443	49737	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:58.018074036 CEST	49737	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:58.019072056 CEST	49737	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:58.019156933 CEST	443	49737	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:58.019274950 CEST	49737	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:58.026278973 CEST	443	49738	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:58.027668953 CEST	49738	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:58.027682066 CEST	443	49738	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:58.028192043 CEST	443	49738	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:58.028259993 CEST	49738	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:58.028918028 CEST	443	49738	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:58.028984070 CEST	49738	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:58.029135942 CEST	49738	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:58.029218912 CEST	443	49738	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:58.029318094 CEST	49738	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:58.059009075 CEST	49737	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:58.059027910 CEST	443	49737	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:58.071434021 CEST	443	49738	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:58.074197054 CEST	49738	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:58.074210882 CEST	443	49738	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:58.105961084 CEST	49737	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:58.121963978 CEST	49738	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:58.321574926 CEST	443	49737	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:58.321758032 CEST	443	49737	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:58.321852922 CEST	49737	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:58.327789068 CEST	443	49738	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:58.328577042 CEST	443	49738	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:58.328668118 CEST	49738	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:58.347608089 CEST	49738	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:58.347632885 CEST	443	49738	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:58.348576069 CEST	49737	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:58.348592043 CEST	443	49737	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:58.350783110 CEST	49741	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:58.350821972 CEST	443	49741	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:58.351140022 CEST	49741	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:58.352595091 CEST	49742	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:58.352608919 CEST	443	49742	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:58.352807045 CEST	49742	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:58.353369951 CEST	49741	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:58.353391886 CEST	443	49741	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:58.353835106 CEST	49742	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:58.353844881 CEST	443	49742	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:58.990936041 CEST	443	49742	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:58.991415024 CEST	49742	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:58.991436958 CEST	443	49742	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:58.991817951 CEST	443	49742	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:58.992538929 CEST	443	49742	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:58.992594004 CEST	49742	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:58.992594004 CEST	49742	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:58.992610931 CEST	443	49742	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:58.992856979 CEST	49742	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:58.992922068 CEST	443	49742	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:58.993046999 CEST	49742	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:58.993047953 CEST	49742	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:58.993056059 CEST	443	49742	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:59.017694950 CEST	443	49741	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:59.020889044 CEST	49741	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:59.020915031 CEST	443	49741	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:59.021287918 CEST	443	49741	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:59.022011042 CEST	443	49741	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:59.023915052 CEST	49741	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:59.023915052 CEST	49741	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:59.023927927 CEST	443	49741	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:59.026935101 CEST	49741	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:59.026935101 CEST	49741	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:59.026935101 CEST	49741	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:59.026961088 CEST	443	49741	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:59.027024031 CEST	443	49741	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:59.035398960 CEST	443	49742	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:59.043029070 CEST	49742	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:59.074973106 CEST	49741	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:59.074997902 CEST	443	49741	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:59.127552986 CEST	49741	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:59.229259014 CEST	443	49742	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:59.229429007 CEST	443	49742	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:59.229579926 CEST	49742	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:59.231815100 CEST	49742	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:59.231836081 CEST	443	49742	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:59.282529116 CEST	443	49741	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:59.282680035 CEST	443	49741	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:59.283427954 CEST	49741	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:59.284893990 CEST	49741	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:24:59.284910917 CEST	443	49741	172.217.18.110	192.168.2.5
Oct 2, 2024 17:24:59.598541021 CEST	49714	443	192.168.2.5	216.58.206.68
Oct 2, 2024 17:24:59.639413118 CEST	443	49714	216.58.206.68	192.168.2.5
Oct 2, 2024 17:24:59.865850925 CEST	443	49714	216.58.206.68	192.168.2.5
Oct 2, 2024 17:24:59.865900040 CEST	443	49714	216.58.206.68	192.168.2.5
Oct 2, 2024 17:24:59.865943909 CEST	443	49714	216.58.206.68	192.168.2.5
Oct 2, 2024 17:24:59.865981102 CEST	443	49714	216.58.206.68	192.168.2.5
Oct 2, 2024 17:24:59.866061926 CEST	49714	443	192.168.2.5	216.58.206.68
Oct 2, 2024 17:24:59.866095066 CEST	443	49714	216.58.206.68	192.168.2.5
Oct 2, 2024 17:24:59.866111040 CEST	443	49714	216.58.206.68	192.168.2.5
Oct 2, 2024 17:24:59.866122961 CEST	49714	443	192.168.2.5	216.58.206.68
Oct 2, 2024 17:24:59.866250992 CEST	49714	443	192.168.2.5	216.58.206.68
Oct 2, 2024 17:24:59.868119001 CEST	49714	443	192.168.2.5	216.58.206.68
Oct 2, 2024 17:24:59.868135929 CEST	443	49714	216.58.206.68	192.168.2.5
Oct 2, 2024 17:25:00.313071012 CEST	49747	443	192.168.2.5	20.114.59.183
Oct 2, 2024 17:25:00.313122988 CEST	443	49747	20.114.59.183	192.168.2.5
Oct 2, 2024 17:25:00.313211918 CEST	49747	443	192.168.2.5	20.114.59.183
Oct 2, 2024 17:25:00.314951897 CEST	49747	443	192.168.2.5	20.114.59.183
Oct 2, 2024 17:25:00.314963102 CEST	443	49747	20.114.59.183	192.168.2.5
Oct 2, 2024 17:25:01.114479065 CEST	443	49747	20.114.59.183	192.168.2.5
Oct 2, 2024 17:25:01.114666939 CEST	49747	443	192.168.2.5	20.114.59.183
Oct 2, 2024 17:25:01.141657114 CEST	49747	443	192.168.2.5	20.114.59.183
Oct 2, 2024 17:25:01.141689062 CEST	443	49747	20.114.59.183	192.168.2.5
Oct 2, 2024 17:25:01.142039061 CEST	443	49747	20.114.59.183	192.168.2.5
Oct 2, 2024 17:25:01.197854042 CEST	49747	443	192.168.2.5	20.114.59.183
Oct 2, 2024 17:25:02.176923037 CEST	49747	443	192.168.2.5	20.114.59.183
Oct 2, 2024 17:25:02.187899113 CEST	49703	443	192.168.2.5	23.1.237.91
Oct 2, 2024 17:25:02.188148975 CEST	49703	443	192.168.2.5	23.1.237.91
Oct 2, 2024 17:25:02.188587904 CEST	49753	443	192.168.2.5	23.1.237.91
Oct 2, 2024 17:25:02.188635111 CEST	443	49753	23.1.237.91	192.168.2.5
Oct 2, 2024 17:25:02.188704014 CEST	49753	443	192.168.2.5	23.1.237.91
Oct 2, 2024 17:25:02.188981056 CEST	49753	443	192.168.2.5	23.1.237.91
Oct 2, 2024 17:25:02.188992977 CEST	443	49753	23.1.237.91	192.168.2.5
Oct 2, 2024 17:25:02.192738056 CEST	443	49703	23.1.237.91	192.168.2.5
Oct 2, 2024 17:25:02.192925930 CEST	443	49703	23.1.237.91	192.168.2.5
Oct 2, 2024 17:25:02.223412037 CEST	443	49747	20.114.59.183	192.168.2.5
Oct 2, 2024 17:25:02.444547892 CEST	443	49747	20.114.59.183	192.168.2.5
Oct 2, 2024 17:25:02.444576979 CEST	443	49747	20.114.59.183	192.168.2.5
Oct 2, 2024 17:25:02.444585085 CEST	443	49747	20.114.59.183	192.168.2.5
Oct 2, 2024 17:25:02.444645882 CEST	49747	443	192.168.2.5	20.114.59.183
Oct 2, 2024 17:25:02.444653034 CEST	443	49747	20.114.59.183	192.168.2.5
Oct 2, 2024 17:25:02.444701910 CEST	443	49747	20.114.59.183	192.168.2.5
Oct 2, 2024 17:25:02.444727898 CEST	443	49747	20.114.59.183	192.168.2.5
Oct 2, 2024 17:25:02.444756985 CEST	443	49747	20.114.59.183	192.168.2.5
Oct 2, 2024 17:25:02.444770098 CEST	49747	443	192.168.2.5	20.114.59.183
Oct 2, 2024 17:25:02.444849968 CEST	49747	443	192.168.2.5	20.114.59.183
Oct 2, 2024 17:25:02.444849968 CEST	49747	443	192.168.2.5	20.114.59.183
Oct 2, 2024 17:25:02.444945097 CEST	443	49747	20.114.59.183	192.168.2.5
Oct 2, 2024 17:25:02.445017099 CEST	49747	443	192.168.2.5	20.114.59.183
Oct 2, 2024 17:25:02.445023060 CEST	443	49747	20.114.59.183	192.168.2.5
Oct 2, 2024 17:25:02.445055962 CEST	443	49747	20.114.59.183	192.168.2.5
Oct 2, 2024 17:25:02.445099115 CEST	49747	443	192.168.2.5	20.114.59.183
Oct 2, 2024 17:25:02.804049969 CEST	443	49753	23.1.237.91	192.168.2.5
Oct 2, 2024 17:25:02.804136038 CEST	49753	443	192.168.2.5	23.1.237.91
Oct 2, 2024 17:25:02.962805986 CEST	49747	443	192.168.2.5	20.114.59.183
Oct 2, 2024 17:25:02.962845087 CEST	443	49747	20.114.59.183	192.168.2.5
Oct 2, 2024 17:25:02.962877035 CEST	49747	443	192.168.2.5	20.114.59.183
Oct 2, 2024 17:25:02.962883949 CEST	443	49747	20.114.59.183	192.168.2.5
Oct 2, 2024 17:25:03.700726986 CEST	49753	443	192.168.2.5	23.1.237.91
Oct 2, 2024 17:25:03.700762033 CEST	443	49753	23.1.237.91	192.168.2.5
Oct 2, 2024 17:25:03.701159000 CEST	443	49753	23.1.237.91	192.168.2.5
Oct 2, 2024 17:25:03.704960108 CEST	49753	443	192.168.2.5	23.1.237.91
Oct 2, 2024 17:25:03.735672951 CEST	49753	443	192.168.2.5	23.1.237.91
Oct 2, 2024 17:25:03.735752106 CEST	443	49753	23.1.237.91	192.168.2.5
Oct 2, 2024 17:25:03.751605034 CEST	49753	443	192.168.2.5	23.1.237.91
Oct 2, 2024 17:25:03.751645088 CEST	443	49753	23.1.237.91	192.168.2.5
Oct 2, 2024 17:25:04.415590048 CEST	443	49753	23.1.237.91	192.168.2.5
Oct 2, 2024 17:25:04.415775061 CEST	49753	443	192.168.2.5	23.1.237.91
Oct 2, 2024 17:25:04.416419983 CEST	443	49753	23.1.237.91	192.168.2.5
Oct 2, 2024 17:25:04.416486979 CEST	49753	443	192.168.2.5	23.1.237.91
Oct 2, 2024 17:25:04.416558027 CEST	443	49753	23.1.237.91	192.168.2.5
Oct 2, 2024 17:25:04.416611910 CEST	49753	443	192.168.2.5	23.1.237.91
Oct 2, 2024 17:25:04.769897938 CEST	49756	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:25:04.769958973 CEST	443	49756	172.217.18.110	192.168.2.5
Oct 2, 2024 17:25:04.770153046 CEST	49756	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:25:04.770503044 CEST	49756	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:25:04.770525932 CEST	443	49756	172.217.18.110	192.168.2.5
Oct 2, 2024 17:25:05.409749985 CEST	443	49756	172.217.18.110	192.168.2.5
Oct 2, 2024 17:25:05.410024881 CEST	49756	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:25:05.410039902 CEST	443	49756	172.217.18.110	192.168.2.5
Oct 2, 2024 17:25:05.410434961 CEST	443	49756	172.217.18.110	192.168.2.5
Oct 2, 2024 17:25:05.410767078 CEST	49756	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:25:05.410837889 CEST	443	49756	172.217.18.110	192.168.2.5
Oct 2, 2024 17:25:05.410947084 CEST	49756	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:25:05.410969973 CEST	49756	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:25:05.410980940 CEST	443	49756	172.217.18.110	192.168.2.5
Oct 2, 2024 17:25:05.773027897 CEST	443	49756	172.217.18.110	192.168.2.5
Oct 2, 2024 17:25:05.774167061 CEST	443	49756	172.217.18.110	192.168.2.5
Oct 2, 2024 17:25:05.774250031 CEST	49756	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:25:05.776350975 CEST	49756	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:25:05.776380062 CEST	443	49756	172.217.18.110	192.168.2.5
Oct 2, 2024 17:25:27.838601112 CEST	49758	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:25:27.838660002 CEST	443	49758	172.217.18.110	192.168.2.5
Oct 2, 2024 17:25:27.838767052 CEST	49758	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:25:27.845268965 CEST	49758	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:25:27.845288038 CEST	443	49758	172.217.18.110	192.168.2.5
Oct 2, 2024 17:25:28.654045105 CEST	49759	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:25:28.654095888 CEST	443	49759	172.217.18.110	192.168.2.5
Oct 2, 2024 17:25:28.654175997 CEST	49759	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:25:28.654573917 CEST	49759	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:25:28.654591084 CEST	443	49759	172.217.18.110	192.168.2.5
Oct 2, 2024 17:25:28.690711975 CEST	443	49758	172.217.18.110	192.168.2.5
Oct 2, 2024 17:25:28.691183090 CEST	49758	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:25:28.691235065 CEST	443	49758	172.217.18.110	192.168.2.5
Oct 2, 2024 17:25:28.691695929 CEST	443	49758	172.217.18.110	192.168.2.5
Oct 2, 2024 17:25:28.692097902 CEST	49758	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:25:28.692178011 CEST	443	49758	172.217.18.110	192.168.2.5
Oct 2, 2024 17:25:28.692267895 CEST	49758	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:25:28.692285061 CEST	49758	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:25:28.692292929 CEST	443	49758	172.217.18.110	192.168.2.5
Oct 2, 2024 17:25:28.716228962 CEST	49760	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:25:28.716279984 CEST	443	49760	172.217.18.110	192.168.2.5
Oct 2, 2024 17:25:28.716365099 CEST	49760	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:25:28.716806889 CEST	49760	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:25:28.716825008 CEST	443	49760	172.217.18.110	192.168.2.5
Oct 2, 2024 17:25:28.993510962 CEST	443	49758	172.217.18.110	192.168.2.5
Oct 2, 2024 17:25:28.994266033 CEST	443	49758	172.217.18.110	192.168.2.5
Oct 2, 2024 17:25:28.994330883 CEST	49758	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:25:28.994842052 CEST	49758	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:25:28.994863987 CEST	443	49758	172.217.18.110	192.168.2.5
Oct 2, 2024 17:25:29.330507994 CEST	443	49759	172.217.18.110	192.168.2.5
Oct 2, 2024 17:25:29.330882072 CEST	49759	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:25:29.330904007 CEST	443	49759	172.217.18.110	192.168.2.5
Oct 2, 2024 17:25:29.332144976 CEST	443	49759	172.217.18.110	192.168.2.5
Oct 2, 2024 17:25:29.332525969 CEST	49759	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:25:29.332703114 CEST	443	49759	172.217.18.110	192.168.2.5
Oct 2, 2024 17:25:29.332722902 CEST	49759	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:25:29.332782984 CEST	49759	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:25:29.332804918 CEST	443	49759	172.217.18.110	192.168.2.5
Oct 2, 2024 17:25:29.363333941 CEST	443	49760	172.217.18.110	192.168.2.5
Oct 2, 2024 17:25:29.363708973 CEST	49760	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:25:29.363729954 CEST	443	49760	172.217.18.110	192.168.2.5
Oct 2, 2024 17:25:29.364967108 CEST	443	49760	172.217.18.110	192.168.2.5
Oct 2, 2024 17:25:29.365417957 CEST	49760	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:25:29.365596056 CEST	443	49760	172.217.18.110	192.168.2.5
Oct 2, 2024 17:25:29.365690947 CEST	49760	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:25:29.365701914 CEST	49760	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:25:29.365731001 CEST	443	49760	172.217.18.110	192.168.2.5
Oct 2, 2024 17:25:29.633311033 CEST	443	49759	172.217.18.110	192.168.2.5
Oct 2, 2024 17:25:29.634066105 CEST	443	49759	172.217.18.110	192.168.2.5
Oct 2, 2024 17:25:29.634172916 CEST	49759	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:25:29.634290934 CEST	49759	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:25:29.634310007 CEST	443	49759	172.217.18.110	192.168.2.5
Oct 2, 2024 17:25:29.667808056 CEST	443	49760	172.217.18.110	192.168.2.5
Oct 2, 2024 17:25:29.668287039 CEST	443	49760	172.217.18.110	192.168.2.5
Oct 2, 2024 17:25:29.668391943 CEST	49760	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:25:29.668663025 CEST	49760	443	192.168.2.5	172.217.18.110
Oct 2, 2024 17:25:29.668690920 CEST	443	49760	172.217.18.110	192.168.2.5
Oct 2, 2024 17:25:39.410198927 CEST	49761	443	192.168.2.5	20.114.59.183
Oct 2, 2024 17:25:39.410244942 CEST	443	49761	20.114.59.183	192.168.2.5
Oct 2, 2024 17:25:39.410348892 CEST	49761	443	192.168.2.5	20.114.59.183
Oct 2, 2024 17:25:39.410763025 CEST	49761	443	192.168.2.5	20.114.59.183
Oct 2, 2024 17:25:39.410777092 CEST	443	49761	20.114.59.183	192.168.2.5
Oct 2, 2024 17:25:40.735981941 CEST	443	49761	20.114.59.183	192.168.2.5
Oct 2, 2024 17:25:40.736162901 CEST	49761	443	192.168.2.5	20.114.59.183
Oct 2, 2024 17:25:40.740228891 CEST	49761	443	192.168.2.5	20.114.59.183
Oct 2, 2024 17:25:40.740246058 CEST	443	49761	20.114.59.183	192.168.2.5
Oct 2, 2024 17:25:40.740499973 CEST	443	49761	20.114.59.183	192.168.2.5
Oct 2, 2024 17:25:40.750329971 CEST	49761	443	192.168.2.5	20.114.59.183
Oct 2, 2024 17:25:40.795406103 CEST	443	49761	20.114.59.183	192.168.2.5
Oct 2, 2024 17:25:41.081954956 CEST	443	49761	20.114.59.183	192.168.2.5
Oct 2, 2024 17:25:41.081985950 CEST	443	49761	20.114.59.183	192.168.2.5
Oct 2, 2024 17:25:41.082067966 CEST	49761	443	192.168.2.5	20.114.59.183
Oct 2, 2024 17:25:41.082071066 CEST	443	49761	20.114.59.183	192.168.2.5
Oct 2, 2024 17:25:41.082092047 CEST	443	49761	20.114.59.183	192.168.2.5
Oct 2, 2024 17:25:41.082135916 CEST	49761	443	192.168.2.5	20.114.59.183
Oct 2, 2024 17:25:41.082160950 CEST	49761	443	192.168.2.5	20.114.59.183
Oct 2, 2024 17:25:41.083251953 CEST	443	49761	20.114.59.183	192.168.2.5
Oct 2, 2024 17:25:41.083323002 CEST	49761	443	192.168.2.5	20.114.59.183
Oct 2, 2024 17:25:41.083328009 CEST	443	49761	20.114.59.183	192.168.2.5
Oct 2, 2024 17:25:41.083372116 CEST	443	49761	20.114.59.183	192.168.2.5
Oct 2, 2024 17:25:41.083399057 CEST	49761	443	192.168.2.5	20.114.59.183
Oct 2, 2024 17:25:41.083432913 CEST	49761	443	192.168.2.5	20.114.59.183
Oct 2, 2024 17:25:41.087605000 CEST	49761	443	192.168.2.5	20.114.59.183
Oct 2, 2024 17:25:41.087641954 CEST	443	49761	20.114.59.183	192.168.2.5
Oct 2, 2024 17:25:41.087660074 CEST	49761	443	192.168.2.5	20.114.59.183
Oct 2, 2024 17:25:41.087666988 CEST	443	49761	20.114.59.183	192.168.2.5
Oct 2, 2024 17:25:50.008434057 CEST	49763	443	192.168.2.5	216.58.206.68
Oct 2, 2024 17:25:50.008475065 CEST	443	49763	216.58.206.68	192.168.2.5
Oct 2, 2024 17:25:50.008570910 CEST	49763	443	192.168.2.5	216.58.206.68
Oct 2, 2024 17:25:50.008785963 CEST	49763	443	192.168.2.5	216.58.206.68
Oct 2, 2024 17:25:50.008800030 CEST	443	49763	216.58.206.68	192.168.2.5
Oct 2, 2024 17:25:50.661750078 CEST	443	49763	216.58.206.68	192.168.2.5
Oct 2, 2024 17:25:50.662267923 CEST	49763	443	192.168.2.5	216.58.206.68
Oct 2, 2024 17:25:50.662287951 CEST	443	49763	216.58.206.68	192.168.2.5
Oct 2, 2024 17:25:50.662641048 CEST	443	49763	216.58.206.68	192.168.2.5
Oct 2, 2024 17:25:50.663033962 CEST	49763	443	192.168.2.5	216.58.206.68
Oct 2, 2024 17:25:50.663100004 CEST	443	49763	216.58.206.68	192.168.2.5
Oct 2, 2024 17:25:50.714060068 CEST	49763	443	192.168.2.5	216.58.206.68
Oct 2, 2024 17:25:58.209667921 CEST	49765	443	192.168.2.5	142.250.184.206
Oct 2, 2024 17:25:58.209712029 CEST	443	49765	142.250.184.206	192.168.2.5
Oct 2, 2024 17:25:58.209793091 CEST	49765	443	192.168.2.5	142.250.184.206
Oct 2, 2024 17:25:58.210089922 CEST	49765	443	192.168.2.5	142.250.184.206
Oct 2, 2024 17:25:58.210100889 CEST	443	49765	142.250.184.206	192.168.2.5
Oct 2, 2024 17:25:58.867208004 CEST	443	49765	142.250.184.206	192.168.2.5
Oct 2, 2024 17:25:58.867635965 CEST	49765	443	192.168.2.5	142.250.184.206
Oct 2, 2024 17:25:58.867652893 CEST	443	49765	142.250.184.206	192.168.2.5
Oct 2, 2024 17:25:58.868035078 CEST	443	49765	142.250.184.206	192.168.2.5
Oct 2, 2024 17:25:58.868407011 CEST	49765	443	192.168.2.5	142.250.184.206
Oct 2, 2024 17:25:58.868470907 CEST	443	49765	142.250.184.206	192.168.2.5
Oct 2, 2024 17:25:58.868591070 CEST	49765	443	192.168.2.5	142.250.184.206
Oct 2, 2024 17:25:58.868657112 CEST	49765	443	192.168.2.5	142.250.184.206
Oct 2, 2024 17:25:58.868663073 CEST	443	49765	142.250.184.206	192.168.2.5
Oct 2, 2024 17:25:59.154757977 CEST	49766	443	192.168.2.5	142.250.184.206
Oct 2, 2024 17:25:59.154835939 CEST	443	49766	142.250.184.206	192.168.2.5
Oct 2, 2024 17:25:59.154944897 CEST	49766	443	192.168.2.5	142.250.184.206
Oct 2, 2024 17:25:59.155318975 CEST	49766	443	192.168.2.5	142.250.184.206
Oct 2, 2024 17:25:59.155334949 CEST	443	49766	142.250.184.206	192.168.2.5
Oct 2, 2024 17:25:59.172288895 CEST	443	49765	142.250.184.206	192.168.2.5
Oct 2, 2024 17:25:59.172957897 CEST	443	49765	142.250.184.206	192.168.2.5
Oct 2, 2024 17:25:59.173058987 CEST	49765	443	192.168.2.5	142.250.184.206
Oct 2, 2024 17:25:59.173291922 CEST	49765	443	192.168.2.5	142.250.184.206
Oct 2, 2024 17:25:59.173307896 CEST	443	49765	142.250.184.206	192.168.2.5
Oct 2, 2024 17:25:59.826911926 CEST	443	49766	142.250.184.206	192.168.2.5
Oct 2, 2024 17:25:59.827280998 CEST	49766	443	192.168.2.5	142.250.184.206
Oct 2, 2024 17:25:59.827315092 CEST	443	49766	142.250.184.206	192.168.2.5
Oct 2, 2024 17:25:59.827711105 CEST	443	49766	142.250.184.206	192.168.2.5
Oct 2, 2024 17:25:59.828058004 CEST	49766	443	192.168.2.5	142.250.184.206
Oct 2, 2024 17:25:59.828121901 CEST	443	49766	142.250.184.206	192.168.2.5
Oct 2, 2024 17:25:59.828263998 CEST	49766	443	192.168.2.5	142.250.184.206
Oct 2, 2024 17:25:59.828280926 CEST	49766	443	192.168.2.5	142.250.184.206
Oct 2, 2024 17:25:59.828290939 CEST	443	49766	142.250.184.206	192.168.2.5
Oct 2, 2024 17:26:00.127355099 CEST	443	49766	142.250.184.206	192.168.2.5
Oct 2, 2024 17:26:00.127590895 CEST	443	49766	142.250.184.206	192.168.2.5
Oct 2, 2024 17:26:00.127691031 CEST	49766	443	192.168.2.5	142.250.184.206
Oct 2, 2024 17:26:00.127986908 CEST	49766	443	192.168.2.5	142.250.184.206
Oct 2, 2024 17:26:00.128005028 CEST	443	49766	142.250.184.206	192.168.2.5
Oct 2, 2024 17:26:00.594422102 CEST	443	49763	216.58.206.68	192.168.2.5
Oct 2, 2024 17:26:00.594497919 CEST	443	49763	216.58.206.68	192.168.2.5
Oct 2, 2024 17:26:00.594618082 CEST	49763	443	192.168.2.5	216.58.206.68
Oct 2, 2024 17:26:13.731021881 CEST	49763	443	192.168.2.5	216.58.206.68
Oct 2, 2024 17:26:13.731051922 CEST	443	49763	216.58.206.68	192.168.2.5
Oct 2, 2024 17:26:28.404422045 CEST	49769	443	192.168.2.5	142.250.184.206
Oct 2, 2024 17:26:28.404469013 CEST	443	49769	142.250.184.206	192.168.2.5
Oct 2, 2024 17:26:28.404597044 CEST	49769	443	192.168.2.5	142.250.184.206
Oct 2, 2024 17:26:28.404995918 CEST	49769	443	192.168.2.5	142.250.184.206
Oct 2, 2024 17:26:28.405011892 CEST	443	49769	142.250.184.206	192.168.2.5
Oct 2, 2024 17:26:29.055598974 CEST	443	49769	142.250.184.206	192.168.2.5
Oct 2, 2024 17:26:29.055921078 CEST	49769	443	192.168.2.5	142.250.184.206
Oct 2, 2024 17:26:29.055936098 CEST	443	49769	142.250.184.206	192.168.2.5
Oct 2, 2024 17:26:29.056315899 CEST	443	49769	142.250.184.206	192.168.2.5
Oct 2, 2024 17:26:29.056678057 CEST	49769	443	192.168.2.5	142.250.184.206
Oct 2, 2024 17:26:29.056744099 CEST	443	49769	142.250.184.206	192.168.2.5
Oct 2, 2024 17:26:29.056896925 CEST	49769	443	192.168.2.5	142.250.184.206
Oct 2, 2024 17:26:29.056915045 CEST	49769	443	192.168.2.5	142.250.184.206
Oct 2, 2024 17:26:29.056926966 CEST	443	49769	142.250.184.206	192.168.2.5
Oct 2, 2024 17:26:29.375024080 CEST	443	49769	142.250.184.206	192.168.2.5
Oct 2, 2024 17:26:29.376180887 CEST	443	49769	142.250.184.206	192.168.2.5
Oct 2, 2024 17:26:29.376302958 CEST	49769	443	192.168.2.5	142.250.184.206
Oct 2, 2024 17:26:29.376605034 CEST	49769	443	192.168.2.5	142.250.184.206
Oct 2, 2024 17:26:29.376627922 CEST	443	49769	142.250.184.206	192.168.2.5
Oct 2, 2024 17:26:32.169727087 CEST	49770	443	192.168.2.5	142.250.184.206
Oct 2, 2024 17:26:32.169775009 CEST	443	49770	142.250.184.206	192.168.2.5
Oct 2, 2024 17:26:32.169874907 CEST	49770	443	192.168.2.5	142.250.184.206
Oct 2, 2024 17:26:32.170181036 CEST	49770	443	192.168.2.5	142.250.184.206
Oct 2, 2024 17:26:32.170200109 CEST	443	49770	142.250.184.206	192.168.2.5
Oct 2, 2024 17:26:32.799725056 CEST	443	49770	142.250.184.206	192.168.2.5
Oct 2, 2024 17:26:32.800040007 CEST	49770	443	192.168.2.5	142.250.184.206
Oct 2, 2024 17:26:32.800055981 CEST	443	49770	142.250.184.206	192.168.2.5
Oct 2, 2024 17:26:32.800415993 CEST	443	49770	142.250.184.206	192.168.2.5
Oct 2, 2024 17:26:32.800827026 CEST	49770	443	192.168.2.5	142.250.184.206
Oct 2, 2024 17:26:32.800892115 CEST	443	49770	142.250.184.206	192.168.2.5
Oct 2, 2024 17:26:32.800905943 CEST	49770	443	192.168.2.5	142.250.184.206
Oct 2, 2024 17:26:32.800925016 CEST	49770	443	192.168.2.5	142.250.184.206
Oct 2, 2024 17:26:32.800936937 CEST	443	49770	142.250.184.206	192.168.2.5
Oct 2, 2024 17:26:32.855294943 CEST	49770	443	192.168.2.5	142.250.184.206
Oct 2, 2024 17:26:33.098141909 CEST	443	49770	142.250.184.206	192.168.2.5
Oct 2, 2024 17:26:33.098462105 CEST	443	49770	142.250.184.206	192.168.2.5
Oct 2, 2024 17:26:33.098623991 CEST	49770	443	192.168.2.5	142.250.184.206
Oct 2, 2024 17:26:33.098685980 CEST	49770	443	192.168.2.5	142.250.184.206
Oct 2, 2024 17:26:33.098705053 CEST	443	49770	142.250.184.206	192.168.2.5
Oct 2, 2024 17:26:50.059845924 CEST	49771	443	192.168.2.5	216.58.206.68
Oct 2, 2024 17:26:50.059883118 CEST	443	49771	216.58.206.68	192.168.2.5
Oct 2, 2024 17:26:50.059971094 CEST	49771	443	192.168.2.5	216.58.206.68
Oct 2, 2024 17:26:50.060225964 CEST	49771	443	192.168.2.5	216.58.206.68
Oct 2, 2024 17:26:50.060239077 CEST	443	49771	216.58.206.68	192.168.2.5
Oct 2, 2024 17:26:50.716645002 CEST	443	49771	216.58.206.68	192.168.2.5
Oct 2, 2024 17:26:50.718679905 CEST	49771	443	192.168.2.5	216.58.206.68
Oct 2, 2024 17:26:50.718723059 CEST	443	49771	216.58.206.68	192.168.2.5
Oct 2, 2024 17:26:50.719034910 CEST	443	49771	216.58.206.68	192.168.2.5
Oct 2, 2024 17:26:50.719402075 CEST	49771	443	192.168.2.5	216.58.206.68
Oct 2, 2024 17:26:50.719466925 CEST	443	49771	216.58.206.68	192.168.2.5
Oct 2, 2024 17:26:50.763088942 CEST	49771	443	192.168.2.5	216.58.206.68

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 17:24:46.531960011 CEST	57766	53	192.168.2.5	1.1.1.1
Oct 2, 2024 17:24:46.532098055 CEST	62174	53	192.168.2.5	1.1.1.1
Oct 2, 2024 17:24:46.538507938 CEST	53	58209	1.1.1.1	192.168.2.5
Oct 2, 2024 17:24:46.538878918 CEST	53	62174	1.1.1.1	192.168.2.5
Oct 2, 2024 17:24:46.541856050 CEST	53	57766	1.1.1.1	192.168.2.5
Oct 2, 2024 17:24:46.551937103 CEST	53	51055	1.1.1.1	192.168.2.5
Oct 2, 2024 17:24:47.521322966 CEST	52508	53	192.168.2.5	1.1.1.1
Oct 2, 2024 17:24:47.521492958 CEST	53689	53	192.168.2.5	1.1.1.1
Oct 2, 2024 17:24:47.528337955 CEST	53	52508	1.1.1.1	192.168.2.5
Oct 2, 2024 17:24:47.528415918 CEST	53	53689	1.1.1.1	192.168.2.5
Oct 2, 2024 17:24:47.560615063 CEST	53	58523	1.1.1.1	192.168.2.5
Oct 2, 2024 17:24:49.949538946 CEST	60141	53	192.168.2.5	1.1.1.1
Oct 2, 2024 17:24:49.949709892 CEST	65103	53	192.168.2.5	1.1.1.1
Oct 2, 2024 17:24:49.956609011 CEST	53	60141	1.1.1.1	192.168.2.5
Oct 2, 2024 17:24:49.956938982 CEST	53	65103	1.1.1.1	192.168.2.5
Oct 2, 2024 17:24:51.129092932 CEST	53	58724	1.1.1.1	192.168.2.5
Oct 2, 2024 17:24:53.209969044 CEST	53	50471	1.1.1.1	192.168.2.5
Oct 2, 2024 17:24:56.150731087 CEST	62715	53	192.168.2.5	1.1.1.1
Oct 2, 2024 17:24:56.150971889 CEST	65396	53	192.168.2.5	1.1.1.1
Oct 2, 2024 17:24:56.157711029 CEST	53	65396	1.1.1.1	192.168.2.5
Oct 2, 2024 17:24:56.157805920 CEST	53	62715	1.1.1.1	192.168.2.5
Oct 2, 2024 17:24:57.233201981 CEST	60957	53	192.168.2.5	1.1.1.1
Oct 2, 2024 17:24:57.233383894 CEST	53846	53	192.168.2.5	1.1.1.1
Oct 2, 2024 17:24:57.240258932 CEST	53	60957	1.1.1.1	192.168.2.5
Oct 2, 2024 17:24:57.241123915 CEST	53	53846	1.1.1.1	192.168.2.5
Oct 2, 2024 17:25:04.503612041 CEST	53	57054	1.1.1.1	192.168.2.5
Oct 2, 2024 17:25:23.410057068 CEST	53	64805	1.1.1.1	192.168.2.5
Oct 2, 2024 17:25:45.431294918 CEST	53	55079	1.1.1.1	192.168.2.5
Oct 2, 2024 17:25:45.833339930 CEST	53	49669	1.1.1.1	192.168.2.5
Oct 2, 2024 17:25:57.809279919 CEST	53	52451	1.1.1.1	192.168.2.5
Oct 2, 2024 17:25:58.201838970 CEST	49810	53	192.168.2.5	1.1.1.1
Oct 2, 2024 17:25:58.201984882 CEST	50836	53	192.168.2.5	1.1.1.1
Oct 2, 2024 17:25:58.208971024 CEST	53	49810	1.1.1.1	192.168.2.5
Oct 2, 2024 17:25:58.209264994 CEST	53	50836	1.1.1.1	192.168.2.5
Oct 2, 2024 17:26:13.921173096 CEST	53	50315	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 2, 2024 17:24:46.531960011 CEST	192.168.2.5	1.1.1.1	0x8417	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 17:24:46.532098055 CEST	192.168.2.5	1.1.1.1	0x3bbc	Standard query (0)	youtube.com	65	IN (0x0001)	false
Oct 2, 2024 17:24:47.521322966 CEST	192.168.2.5	1.1.1.1	0x6437	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 17:24:47.521492958 CEST	192.168.2.5	1.1.1.1	0xb843	Standard query (0)	www.youtube.com	65	IN (0x0001)	false
Oct 2, 2024 17:24:49.949538946 CEST	192.168.2.5	1.1.1.1	0xa4c9	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 17:24:49.949709892 CEST	192.168.2.5	1.1.1.1	0x2f0e	Standard query (0)	www.google.com	65	IN (0x0001)	false
Oct 2, 2024 17:24:56.150731087 CEST	192.168.2.5	1.1.1.1	0x2075	Standard query (0)	accounts.youtube.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 17:24:56.150971889 CEST	192.168.2.5	1.1.1.1	0x8aad	Standard query (0)	accounts.youtube.com	65	IN (0x0001)	false
Oct 2, 2024 17:24:57.233201981 CEST	192.168.2.5	1.1.1.1	0xedff	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 17:24:57.233383894 CEST	192.168.2.5	1.1.1.1	0x485d	Standard query (0)	play.google.com	65	IN (0x0001)	false
Oct 2, 2024 17:25:58.201838970 CEST	192.168.2.5	1.1.1.1	0x1859	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 17:25:58.201984882 CEST	192.168.2.5	1.1.1.1	0x5b73	Standard query (0)	play.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 2, 2024 17:24:46.538878918 CEST	1.1.1.1	192.168.2.5	0x3bbc	No error (0)	youtube.com			65	IN (0x0001)	false
Oct 2, 2024 17:24:46.541856050 CEST	1.1.1.1	192.168.2.5	0x8417	No error (0)	youtube.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 2, 2024 17:24:47.528337955 CEST	1.1.1.1	192.168.2.5	0x6437	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 17:24:47.528337955 CEST	1.1.1.1	192.168.2.5	0x6437	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 2, 2024 17:24:47.528337955 CEST	1.1.1.1	192.168.2.5	0x6437	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 2, 2024 17:24:47.528337955 CEST	1.1.1.1	192.168.2.5	0x6437	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 2, 2024 17:24:47.528337955 CEST	1.1.1.1	192.168.2.5	0x6437	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 2, 2024 17:24:47.528337955 CEST	1.1.1.1	192.168.2.5	0x6437	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 17:24:47.528337955 CEST	1.1.1.1	192.168.2.5	0x6437	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 2, 2024 17:24:47.528337955 CEST	1.1.1.1	192.168.2.5	0x6437	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 17:24:47.528337955 CEST	1.1.1.1	192.168.2.5	0x6437	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 2, 2024 17:24:47.528337955 CEST	1.1.1.1	192.168.2.5	0x6437	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 2, 2024 17:24:47.528337955 CEST	1.1.1.1	192.168.2.5	0x6437	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 2, 2024 17:24:47.528337955 CEST	1.1.1.1	192.168.2.5	0x6437	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 2, 2024 17:24:47.528337955 CEST	1.1.1.1	192.168.2.5	0x6437	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 2, 2024 17:24:47.528337955 CEST	1.1.1.1	192.168.2.5	0x6437	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 2, 2024 17:24:47.528337955 CEST	1.1.1.1	192.168.2.5	0x6437	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 17:24:47.528337955 CEST	1.1.1.1	192.168.2.5	0x6437	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 17:24:47.528337955 CEST	1.1.1.1	192.168.2.5	0x6437	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 17:24:47.528415918 CEST	1.1.1.1	192.168.2.5	0xb843	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 17:24:47.528415918 CEST	1.1.1.1	192.168.2.5	0xb843	No error (0)	youtube-ui.l.google.com			65	IN (0x0001)	false
Oct 2, 2024 17:24:49.956609011 CEST	1.1.1.1	192.168.2.5	0xa4c9	No error (0)	www.google.com		216.58.206.68	A (IP address)	IN (0x0001)	false
Oct 2, 2024 17:24:49.956938982 CEST	1.1.1.1	192.168.2.5	0x2f0e	No error (0)	www.google.com			65	IN (0x0001)	false
Oct 2, 2024 17:24:56.157711029 CEST	1.1.1.1	192.168.2.5	0x8aad	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 17:24:56.157805920 CEST	1.1.1.1	192.168.2.5	0x2075	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 17:24:56.157805920 CEST	1.1.1.1	192.168.2.5	0x2075	No error (0)	www3.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 2, 2024 17:24:57.240258932 CEST	1.1.1.1	192.168.2.5	0xedff	No error (0)	play.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 17:25:58.208971024 CEST	1.1.1.1	192.168.2.5	0x1859	No error (0)	play.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

youtube.com

www.youtube.com

fs.microsoft.com

https:

accounts.youtube.com

play.google.com

www.google.com

www.bing.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	142.250.185.78	443	4220	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 15:24:47 UTC	859	OUT	GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1 Host: youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 15:24:47 UTC	1919	IN	HTTP/1.1 301 Moved Permanently Content-Type: application/binary X-Content-Type-Options: nosniff Expires: Wed, 02 Oct 2024 15:24:47 GMT Date: Wed, 02 Oct 2024 15:24:47 GMT Cache-Control: private, max-age=31536000 Location: https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Frame-Options: SAMEORIGIN Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script' P3P: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info." Server: ESF Content-Length: 0 X-XSS-Protection: 0 Set-Cookie: YSC=W4sg3HhEEqg; Domain=.youtube.com; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49710	142.250.185.78	443	4220	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 15:24:48 UTC	902	OUT	GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1 Host: www.youtube.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: YSC=W4sg3HhEEqg
2024-10-02 15:24:48 UTC	2530	IN	HTTP/1.1 303 See Other Content-Type: application/binary X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 02 Oct 2024 15:24:48 GMT Location: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Content-Security-Policy: require-trusted-types-for 'script' Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version P3P: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info." Server: ESF Content-Length: 0 X-XSS-Protection: 0 Set-Cookie: GPS=1; Domain=.youtube.com; Expires=Wed, 02-Oct-2024 15:54:48 GMT; Path=/; Secure; HttpOnly Set-Cookie: VISITOR_INFO1_LIVE=8S2ZWbp0DoU; Domain=.youtube.com; Expires=Mon, 31-Mar-2025 15:24:48 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_PRIVACY_METADATA=CgJVUxIEGgAgTg%3D%3D; Domain=.youtube.com; Expires=Mon, 31-Mar-2025 15:24:48 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49719	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 15:24:52 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-02 15:24:52 UTC	466	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-neu-z1 Cache-Control: public, max-age=91258 Date: Wed, 02 Oct 2024 15:24:52 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49721	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 15:24:53 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-02 15:24:53 UTC	514	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=91201 Date: Wed, 02 Oct 2024 15:24:53 GMT Content-Length: 55 Connection: close X-CID: 2
2024-10-02 15:24:53 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49733	216.58.206.46	443	4220	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 15:24:56 UTC	1244	OUT	GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=-145264982&timestamp=1727882695313 HTTP/1.1 Host: accounts.youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-arch: "x86" sec-ch-ua-platform: "Windows" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-model: "" sec-ch-ua-bitness: "64" sec-ch-ua-wow64: ?0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: iframe Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 15:24:57 UTC	1967	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 X-Frame-Options: ALLOW-FROM https://accounts.google.com Content-Security-Policy: frame-ancestors https://accounts.google.com Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-9MolqFrMIorzXR2ek84lnw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport/allowlist Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 02 Oct 2024 15:24:57 GMT Cross-Origin-Resource-Policy: cross-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* reporting-endpoints: default="/_/AccountsDomainCookiesCheckConnectionHttp/web-reports?context=eJzjstDikmJw1pBikPj6kkkDiJ3SZ7AGAXHSv_OsRUB8ufsS63UgVu25xGoKxEUSV1ibgFiIm-Pk6a_b2QQu7NktqKSXlF8Yn5mSmleSWVKZkp-bmJmXnJ-fnZlaXJxaVJZaFG9kYGRiYGlkpGdgEV9gAAC3eS1B" Server: ESF X-XSS-Protection: 0 X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 15:24:57 UTC	1967	IN	Data Raw: 37 36 32 30 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 39 4d 6f 6c 71 46 72 4d 49 6f 72 7a 58 52 32 65 6b 38 34 6c 6e 77 22 3e 22 75 73 65 20 73 74 72 69 63 74 22 3b 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 3d 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 7c 7c 7b 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 5f 29 7b 76 61 72 20 77 69 6e 64 6f 77 3d 74 68 69 73 3b 0a 74 72 79 7b 0a 5f 2e 5f 46 5f 74 6f 67 67 6c 65 73 5f 69 6e 69 74 69 61 6c 69 7a 65 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 28 74 79 70 65 6f Data Ascii: 7620<html><head><script nonce="9MolqFrMIorzXR2ek84lnw">"use strict";this.default_AccountsDomaincookiesCheckconnectionJs=this.default_AccountsDomaincookiesCheckconnectionJs\|\|{};(function(_){var window=this;try{_._F_toggles_initialize=function(a){(typeo
2024-10-02 15:24:57 UTC	1967	IN	Data Raw: 3d 2f 54 72 69 64 65 6e 74 5c 2f 28 5c 64 2e 5c 64 29 2f 2e 65 78 65 63 28 62 29 2c 0a 63 5b 31 5d 3d 3d 22 37 2e 30 22 29 69 66 28 62 26 26 62 5b 31 5d 29 73 77 69 74 63 68 28 62 5b 31 5d 29 7b 63 61 73 65 20 22 34 2e 30 22 3a 61 3d 22 38 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 35 2e 30 22 3a 61 3d 22 39 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 36 2e 30 22 3a 61 3d 22 31 30 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 37 2e 30 22 3a 61 3d 22 31 31 2e 30 22 7d 65 6c 73 65 20 61 3d 22 37 2e 30 22 3b 65 6c 73 65 20 61 3d 63 5b 31 5d 3b 62 3d 61 7d 65 6c 73 65 20 62 3d 22 22 3b 72 65 74 75 72 6e 20 62 7d 76 61 72 20 64 3d 52 65 67 45 78 70 28 22 28 5b 41 2d 5a 5d 5b 5c 5c 77 20 5d 2b 29 2f 28 5b 5e 5c 5c 73 5d 2b 29 5c 5c 73 2a 28 3f 3a 5c Data Ascii: =/Trident\/(\d.\d)/.exec(b),c[1]=="7.0")if(b&&b[1])switch(b[1]){case "4.0":a="8.0";break;case "5.0":a="9.0";break;case "6.0":a="10.0";break;case "7.0":a="11.0"}else a="7.0";else a=c[1];b=a}else b="";return b}var d=RegExp("([A-Z][\\w ]+)/([^\\s]+)\\s*(?:\
2024-10-02 15:24:57 UTC	1967	IN	Data Raw: 7b 73 77 69 74 63 68 28 74 79 70 65 6f 66 20 61 29 7b 63 61 73 65 20 22 6e 75 6d 62 65 72 22 3a 72 65 74 75 72 6e 20 69 73 46 69 6e 69 74 65 28 61 29 3f 61 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 69 67 69 6e 74 22 3a 72 65 74 75 72 6e 28 41 61 3f 0a 61 3e 3d 42 61 26 26 61 3c 3d 43 61 3a 61 5b 30 5d 3d 3d 3d 22 2d 22 3f 75 61 28 61 2c 44 61 29 3a 75 61 28 61 2c 45 61 29 29 3f 4e 75 6d 62 65 72 28 61 29 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 72 65 74 75 72 6e 20 61 3f 31 3a 30 3b 63 61 73 65 20 22 6f 62 6a 65 63 74 22 3a 69 66 28 61 29 69 66 28 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 61 29 29 7b 69 66 28 43 28 61 29 29 72 65 74 75 72 6e 7d 65 6c 73 65 20 69 66 28 46 61 26 26 61 21 3d 6e 75 6c 6c 26 26 Data Ascii: {switch(typeof a){case "number":return isFinite(a)?a:String(a);case "bigint":return(Aa?a>=Ba&&a<=Ca:a[0]==="-"?ua(a,Da):ua(a,Ea))?Number(a):String(a);case "boolean":return a?1:0;case "object":if(a)if(Array.isArray(a)){if(C(a))return}else if(Fa&&a!=null&&
2024-10-02 15:24:57 UTC	1967	IN	Data Raw: 69 6f 6e 28 61 29 7b 76 61 72 20 62 3b 69 66 28 61 26 26 28 62 3d 51 61 29 21 3d 6e 75 6c 6c 26 26 62 2e 68 61 73 28 61 29 26 26 28 62 3d 61 2e 43 29 29 66 6f 72 28 76 61 72 20 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 62 5b 63 5d 3b 69 66 28 63 3d 3d 3d 62 2e 6c 65 6e 67 74 68 2d 31 26 26 41 28 64 29 29 66 6f 72 28 76 61 72 20 65 20 69 6e 20 64 29 7b 76 61 72 20 66 3d 64 5b 65 5d 3b 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 66 29 26 26 0a 52 61 28 66 2c 61 29 7d 65 6c 73 65 20 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 64 29 26 26 52 61 28 64 2c 61 29 7d 61 3d 45 3f 61 2e 43 3a 4d 61 28 61 2e 43 2c 50 61 2c 76 6f 69 64 20 30 2c 76 6f 69 64 20 30 2c 21 31 29 3b 65 3d 21 45 3b 69 66 28 62 3d 61 2e 6c 65 6e 67 74 68 29 7b Data Ascii: ion(a){var b;if(a&&(b=Qa)!=null&&b.has(a)&&(b=a.C))for(var c=0;c<b.length;c++){var d=b[c];if(c===b.length-1&&A(d))for(var e in d){var f=d[e];Array.isArray(f)&&Ra(f,a)}else Array.isArray(d)&&Ra(d,a)}a=E?a.C:Ma(a.C,Pa,void 0,void 0,!1);e=!E;if(b=a.length){
2024-10-02 15:24:57 UTC	1967	IN	Data Raw: 0a 47 28 22 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 61 29 72 65 74 75 72 6e 20 61 3b 61 3d 53 79 6d 62 6f 6c 28 22 63 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 22 41 72 72 61 79 20 49 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 43 6c 61 6d 70 65 64 41 72 72 61 79 20 49 6e 74 31 36 41 72 72 61 79 20 55 69 6e 74 31 36 41 72 72 61 79 20 49 6e 74 33 32 41 72 72 61 79 20 55 69 6e 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 36 34 41 72 72 61 79 22 2e 73 70 6c 69 74 28 22 20 22 29 2c 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 57 61 5b 62 5b 63 5d 5d 3b 74 79 70 65 6f 66 20 64 3d 3d 3d 22 66 75 6e 63 74 69 6f Data Ascii: G("Symbol.iterator",function(a){if(a)return a;a=Symbol("c");for(var b="Array Int8Array Uint8Array Uint8ClampedArray Int16Array Uint16Array Int32Array Uint32Array Float32Array Float64Array".split(" "),c=0;c<b.length;c++){var d=Wa[b[c]];typeof d==="functio
2024-10-02 15:24:57 UTC	1967	IN	Data Raw: 74 68 2e 72 61 6e 64 6f 6d 28 29 3b 65 28 22 66 72 65 65 7a 65 22 29 3b 65 28 22 70 72 65 76 65 6e 74 45 78 74 65 6e 73 69 6f 6e 73 22 29 3b 65 28 22 73 65 61 6c 22 29 3b 76 61 72 20 68 3d 30 2c 67 3d 66 75 6e 63 74 69 6f 6e 28 6b 29 7b 74 68 69 73 2e 67 3d 28 68 2b 3d 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2b 31 29 2e 74 6f 53 74 72 69 6e 67 28 29 3b 69 66 28 6b 29 7b 6b 3d 48 28 6b 29 3b 66 6f 72 28 76 61 72 20 6c 3b 21 28 6c 3d 6b 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6c 3d 6c 2e 76 61 6c 75 65 2c 74 68 69 73 2e 73 65 74 28 6c 5b 30 5d 2c 6c 5b 31 5d 29 7d 7d 3b 67 2e 70 72 6f 74 6f 74 79 70 65 2e 73 65 74 3d 66 75 6e 63 74 69 6f 6e 28 6b 2c 6c 29 7b 69 66 28 21 63 28 6b 29 29 74 68 72 6f 77 20 45 72 72 6f 72 28 22 69 22 29 3b 64 28 6b 29 3b 69 Data Ascii: th.random();e("freeze");e("preventExtensions");e("seal");var h=0,g=function(k){this.g=(h+=Math.random()+1).toString();if(k){k=H(k);for(var l;!(l=k.next()).done;)l=l.value,this.set(l[0],l[1])}};g.prototype.set=function(k,l){if(!c(k))throw Error("i");d(k);i
2024-10-02 15:24:57 UTC	1967	IN	Data Raw: 63 74 69 6f 6e 28 67 29 7b 72 65 74 75 72 6e 20 67 2e 76 61 6c 75 65 7d 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 2e 66 6f 72 45 61 63 68 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 66 6f 72 28 76 61 72 20 6c 3d 74 68 69 73 2e 65 6e 74 72 69 65 73 28 29 2c 6d 3b 21 28 6d 3d 6c 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6d 3d 0a 6d 2e 76 61 6c 75 65 2c 67 2e 63 61 6c 6c 28 6b 2c 6d 5b 31 5d 2c 6d 5b 30 5d 2c 74 68 69 73 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 5b 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 5d 3d 63 2e 70 72 6f 74 6f 74 79 70 65 2e 65 6e 74 72 69 65 73 3b 76 61 72 20 64 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 76 61 72 20 6c 3d 6b 26 26 74 79 70 65 6f 66 20 6b 3b 6c 3d 3d 22 6f 62 6a 65 63 74 22 7c 7c 6c 3d 3d 22 66 75 6e 63 74 69 Data Ascii: ction(g){return g.value})};c.prototype.forEach=function(g,k){for(var l=this.entries(),m;!(m=l.next()).done;)m=m.value,g.call(k,m[1],m[0],this)};c.prototype[Symbol.iterator]=c.prototype.entries;var d=function(g,k){var l=k&&typeof k;l=="object"\|\|l=="functi
2024-10-02 15:24:57 UTC	1967	IN	Data Raw: 2e 69 73 4e 61 4e 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 3f 61 3a 66 75 6e 63 74 69 6f 6e 28 62 29 7b 72 65 74 75 72 6e 20 74 79 70 65 6f 66 20 62 3d 3d 3d 22 6e 75 6d 62 65 72 22 26 26 69 73 4e 61 4e 28 62 29 7d 7d 29 3b 76 61 72 20 66 62 3d 66 62 7c 7c 7b 7d 2c 71 3d 74 68 69 73 7c 7c 73 65 6c 66 2c 67 62 3d 71 2e 5f 46 5f 74 6f 67 67 6c 65 73 7c 7c 5b 5d 2c 68 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 3d 61 2e 73 70 6c 69 74 28 22 2e 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 71 2c 63 3d 30 3b 63 3c 61 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 69 66 28 62 3d 62 5b 61 5b 63 5d 5d 2c 62 3d 3d 6e 75 6c 6c 29 72 65 74 75 72 6e 20 6e 75 6c 6c 3b 72 65 74 75 72 6e 20 62 7d 2c 69 62 3d 22 63 6c 6f 73 75 72 65 5f 75 69 64 5f 22 2b 28 4d 61 Data Ascii: .isNaN",function(a){return a?a:function(b){return typeof b==="number"&&isNaN(b)}});var fb=fb\|\|{},q=this\|\|self,gb=q._F_toggles\|\|[],hb=function(a){a=a.split(".");for(var b=q,c=0;c<a.length;c++)if(b=b[a[c]],b==null)return null;return b},ib="closure_uid_"+(Ma
2024-10-02 15:24:57 UTC	1967	IN	Data Raw: 73 75 72 65 5f 5f 65 72 72 6f 72 5f 5f 63 6f 6e 74 65 78 74 5f 5f 39 38 34 33 38 32 3d 7b 7d 29 3b 61 2e 5f 5f 63 6c 6f 73 75 72 65 5f 5f 65 72 72 6f 72 5f 5f 63 6f 6e 74 65 78 74 5f 5f 39 38 34 33 38 32 2e 73 65 76 65 72 69 74 79 3d 62 7d 3b 76 61 72 20 71 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 63 3d 63 7c 7c 71 3b 76 61 72 20 64 3d 63 2e 6f 6e 65 72 72 6f 72 2c 65 3d 21 21 62 3b 63 2e 6f 6e 65 72 72 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 66 2c 68 2c 67 2c 6b 2c 6c 29 7b 64 26 26 64 28 66 2c 68 2c 67 2c 6b 2c 6c 29 3b 61 28 7b 6d 65 73 73 61 67 65 3a 66 2c 66 69 6c 65 4e 61 6d 65 3a 68 2c 6c 69 6e 65 3a 67 2c 6c 69 6e 65 4e 75 6d 62 65 72 3a 67 2c 63 61 3a 6b 2c 65 72 72 6f 72 3a 6c 7d 29 3b 72 65 74 75 72 6e 20 65 7d 7d 2c 74 62 3d 66 75 6e Data Ascii: sure__error__context__984382={});a.__closure__error__context__984382.severity=b};var qb=function(a,b,c){c=c\|\|q;var d=c.onerror,e=!!b;c.onerror=function(f,h,g,k,l){d&&d(f,h,g,k,l);a({message:f,fileName:h,line:g,lineNumber:g,ca:k,error:l});return e}},tb=fun
2024-10-02 15:24:57 UTC	1967	IN	Data Raw: 74 72 69 6e 67 22 3a 62 72 65 61 6b 3b 63 61 73 65 20 22 6e 75 6d 62 65 72 22 3a 66 3d 53 74 72 69 6e 67 28 66 29 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 66 3d 66 3f 22 74 72 75 65 22 3a 22 66 61 6c 73 65 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 66 75 6e 63 74 69 6f 6e 22 3a 66 3d 28 66 3d 73 62 28 66 29 29 3f 66 3a 22 5b 66 6e 5d 22 3b 62 72 65 61 6b 3b 64 65 66 61 75 6c 74 3a 66 3d 0a 74 79 70 65 6f 66 20 66 7d 66 2e 6c 65 6e 67 74 68 3e 34 30 26 26 28 66 3d 66 2e 73 6c 69 63 65 28 30 2c 34 30 29 2b 22 2e 2e 2e 22 29 3b 63 2e 70 75 73 68 28 66 29 7d 62 2e 70 75 73 68 28 61 29 3b 63 2e 70 75 73 68 28 22 29 5c 6e 22 29 3b 74 72 79 7b 63 2e 70 75 73 68 28 77 62 28 61 2e 63 61 6c 6c 65 72 2c 62 29 29 7d 63 61 74 63 68 28 68 29 7b Data Ascii: tring":break;case "number":f=String(f);break;case "boolean":f=f?"true":"false";break;case "function":f=(f=sb(f))?f:"[fn]";break;default:f=typeof f}f.length>40&&(f=f.slice(0,40)+"...");c.push(f)}b.push(a);c.push(")\n");try{c.push(wb(a.caller,b))}catch(h){

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49737	172.217.18.110	443	4220	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 15:24:58 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 15:24:58 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 15:24:58 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49738	172.217.18.110	443	4220	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 15:24:58 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 15:24:58 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 15:24:58 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49742	172.217.18.110	443	4220	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 15:24:58 UTC	1132	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 519 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 15:24:58 UTC	519	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 32 36 39 36 35 35 34 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727882696554",null,null,null
2024-10-02 15:24:59 UTC	932	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=HVjI13OaFqAmxawe8YMf6XK6yKaiwm3eEsQ8y7VRE43GXYUUcEz7HoKtKFtOIvklmAth6CyI11_zrnpJXbjP_fFS639TM8EXpE82WzhZ5z-HDz6CHsAm1XaKk-EbPCpD4aG0--hTlhIf7OcdfTNIG49T25o0uql3pg-9HjlCoXGr_Bjt7g; expires=Thu, 03-Apr-2025 15:24:59 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 15:24:59 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Wed, 02 Oct 2024 15:24:59 GMT Connection: close Transfer-Encoding: chunked
2024-10-02 15:24:59 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 15:24:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49741	172.217.18.110	443	4220	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 15:24:59 UTC	1132	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 519 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 15:24:59 UTC	519	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 32 36 39 36 34 30 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727882696400",null,null,null
2024-10-02 15:24:59 UTC	933	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=iQ_rgBsCR40IP7ZIsV0eBK9QSSCVb4wm0QaAEm2Mt4eF2Py53p03vuonXnigkAFZxcd7_8Cu2sa3ctGd_CYxqEhvb9eULrNTgzwxa1M1_h6016H5OCJ8xZcw3re3h1KJmogJGnwfHWVazYm-ypPJLl2a5JjhR6HnOR6ETgHzEgIvQ5-5FeY; expires=Thu, 03-Apr-2025 15:24:59 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 15:24:59 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Wed, 02 Oct 2024 15:24:59 GMT Connection: close Transfer-Encoding: chunked
2024-10-02 15:24:59 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 15:24:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49714	216.58.206.68	443	4220	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 15:24:59 UTC	1222	OUT	GET /favicon.ico HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=iQ_rgBsCR40IP7ZIsV0eBK9QSSCVb4wm0QaAEm2Mt4eF2Py53p03vuonXnigkAFZxcd7_8Cu2sa3ctGd_CYxqEhvb9eULrNTgzwxa1M1_h6016H5OCJ8xZcw3re3h1KJmogJGnwfHWVazYm-ypPJLl2a5JjhR6HnOR6ETgHzEgIvQ5-5FeY
2024-10-02 15:24:59 UTC	704	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable" Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]} Content-Length: 5430 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Wed, 02 Oct 2024 15:13:12 GMT Expires: Thu, 10 Oct 2024 15:13:12 GMT Cache-Control: public, max-age=691200 Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT Content-Type: image/x-icon Vary: Accept-Encoding Age: 707 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-02 15:24:59 UTC	686	IN	Data Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 30 fd fd fd 96 fd fd fd d8 fd fd fd f9 fd fd fd f9 fd fd fd d7 fd fd fd 94 fe fe fe 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 95 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd c1 ff ff ff ff fa fd f9 ff b4 d9 a7 ff 76 ba 5d ff 58 ab 3a ff 58 aa 3a ff 72 b8 59 ff ac d5 9d ff f8 fb f6 ff ff Data Ascii: h& ( 0.v]X:X:rY
2024-10-02 15:24:59 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d8 fd fd fd 99 ff ff ff ff 92 cf fb ff 37 52 ec ff 38 46 ea ff d0 d4 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 96 fe fe fe 32 ff ff ff ff f9 f9 fe ff 56 62 ed ff 35 43 ea ff 3b 49 eb ff 95 9c f4 ff cf d2 fa ff d1 d4 fa ff 96 9d f4 ff 52 5e ed ff e1 e3 fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 30 00 00 00 00 fd fd fd 9d ff ff ff ff e8 ea fd ff 58 63 ee ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 6c 76 f0 ff ff ff ff ff ff ff ff ff fd fd fd 98 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd c3 ff ff ff ff f9 f9 fe ff a5 ac f6 ff 5d 69 ee ff 3c 4a eb Data Ascii: 7R8F2Vb5C;IR^0Xc5C5C5C5C5C5Clv]i<J
2024-10-02 15:24:59 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff fd fd fd d0 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd fd fd 8b ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b1 d8 a3 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 60 a5 35 ff ca 8e 3e ff f9 c1 9f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 87 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 25 fd fd fd fb ff ff ff ff ff ff ff ff ff ff ff ff c2 e0 b7 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 6e b6 54 ff 9f ce 8d ff b7 da aa ff b8 db ab ff a5 d2 95 ff 7b bc 64 ff 54 a8 35 ff 53 a8 34 ff 77 a0 37 ff e3 89 41 ff f4 85 42 ff f4 85 42 ff fc Data Ascii: S4S4S4S4S4S4S4S4S4S4S4S4S4S4`5>%S4S4S4S4S4S4nT{dT5S4w7ABB
2024-10-02 15:24:59 UTC	1390	IN	Data Raw: f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff fb d5 bf ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd ea fd fd fd cb ff ff ff ff ff ff ff ff ff ff ff ff 46 cd fc ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 21 ae f9 ff fb fb ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd c8 fd fd fd 9c ff ff ff ff ff ff ff ff ff ff ff ff 86 df fd ff 05 bc fb ff 05 bc fb ff 15 93 f5 ff 34 49 eb ff b3 b8 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: BBBBBBF!4I
2024-10-02 15:24:59 UTC	574	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d2 fe fe fe 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd 8d fd fd fd fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd fb fd fd fd 8b fe fe fe 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 27 fd fd fd 9f fd fd fd f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: $'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49747	20.114.59.183	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 15:25:02 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=CvZ2vnRdKUFwUDn&MD=F7rlYPu7 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-02 15:25:02 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: c444bba6-2211-48a3-b6e4-691578b34131 MS-RequestId: 6b871963-772b-45ce-a166-b057da77ab5e MS-CV: kwMh1plp0kysKFfX.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 02 Oct 2024 15:25:01 GMT Connection: close Content-Length: 24490
2024-10-02 15:25:02 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-10-02 15:25:02 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port
11	192.168.2.5	49753	23.1.237.91	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 15:25:03 UTC	2148	OUT	POST /threshold/xls.aspx HTTP/1.1 Origin: https://www.bing.com Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init Accept: / Accept-Language: en-CH Content-type: text/xml X-Agent-DeviceId: 01000A410900D492 X-BM-CBT: 1696428841 X-BM-DateFormat: dd/MM/yyyy X-BM-DeviceDimensions: 784x984 X-BM-DeviceDimensionsLogical: 784x984 X-BM-DeviceScale: 100 X-BM-DTZ: 120 X-BM-Market: CH X-BM-Theme: 000000;0078d7 X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E X-Device-ClientSession: DB0AFB19004F47BC80E5208C7478FF22 X-Device-isOptin: false X-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A} X-Device-OSSKU: 48 X-Device-Touch: false X-DeviceID: 01000A410900D492 X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,staticsh X-MSEdge-ExternalExpType: JointCoord X-PositionerType: Desktop X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI X-Search-CortanaAvailableCapabilities: None X-Search-SafeSearch: Moderate X-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard Time X-UserAgeClass: Unknown Accept-Encoding: gzip, deflate, br User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045 Host: www.bing.com Content-Length: 2484 Connection: Keep-Alive Cache-Control: no-cache Cookie: MUID=2F4E96DB8B7049E59AD4484C3C00F7CF; _SS=SID=1A6DEABB468B65843EB5F91B47916435&CPID=1727882669692&AC=1&CPH=d1a4eb75; _EDGE_S=SID=1A6DEABB468B65843EB5F91B47916435; SRCHUID=V=2&GUID=3D32B8AC657C4AD781A584E283227995&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231004; SRCHHPGUSR=SRCHLANG=en&IPMH=986d886c&IPMID=1696428841029&HV=1696428756; CortanaAppUID=5A290E2CC4B523E2D8B5E2E3E4CB7CB7; MUIDB=2F4E96DB8B7049E59AD4484C3C00F7CF
2024-10-02 15:25:03 UTC	1	OUT	Data Raw: 3c Data Ascii: <
2024-10-02 15:25:03 UTC	2483	OUT	Data Raw: 43 6c 69 65 6e 74 49 6e 73 74 52 65 71 75 65 73 74 3e 3c 43 49 44 3e 33 36 34 34 46 44 37 34 44 46 31 36 36 31 38 46 30 38 46 37 45 43 30 33 44 45 35 35 36 30 30 31 3c 2f 43 49 44 3e 3c 45 76 65 6e 74 73 3e 3c 45 3e 3c 54 3e 45 76 65 6e 74 2e 43 6c 69 65 6e 74 49 6e 73 74 3c 2f 54 3e 3c 49 47 3e 37 35 32 32 38 31 35 36 37 30 33 41 34 30 44 35 42 39 37 45 35 41 36 38 33 36 46 32 41 31 43 45 3c 2f 49 47 3e 3c 44 3e 3c 21 5b 43 44 41 54 41 5b 7b 22 43 75 72 55 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 69 6e 67 2e 63 6f 6d 2f 41 53 2f 41 50 49 2f 57 69 6e 64 6f 77 73 43 6f 72 74 61 6e 61 50 61 6e 65 2f 56 32 2f 49 6e 69 74 22 2c 22 50 69 76 6f 74 22 3a 22 51 46 22 2c 22 54 22 3a 22 43 49 2e 42 6f 78 4d 6f 64 65 6c 22 2c 22 46 49 44 22 3a 22 43 49 Data Ascii: ClientInstRequest><CID>3644FD74DF16618F08F7EC03DE556001</CID><Events><E><T>Event.ClientInst</T><IG>75228156703A40D5B97E5A6836F2A1CE</IG><D><![CDATA[{"CurUrl":"https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init","Pivot":"QF","T":"CI.BoxModel","FID":"CI
2024-10-02 15:25:04 UTC	476	IN	HTTP/1.1 204 No Content Access-Control-Allow-Origin: * Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version X-MSEdge-Ref: Ref A: C85B64E0B4224ECF9D545A45BE9858C8 Ref B: LAXEDGE1516 Ref C: 2024-10-02T15:25:04Z Date: Wed, 02 Oct 2024 15:25:04 GMT Connection: close Alt-Svc: h3=":443"; ma=93600 X-CDN-TraceID: 0.5fed0117.1727882703.3fb8acb3

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49756	172.217.18.110	443	4220	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 15:25:05 UTC	1307	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1218 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=iQ_rgBsCR40IP7ZIsV0eBK9QSSCVb4wm0QaAEm2Mt4eF2Py53p03vuonXnigkAFZxcd7_8Cu2sa3ctGd_CYxqEhvb9eULrNTgzwxa1M1_h6016H5OCJ8xZcw3re3h1KJmogJGnwfHWVazYm-ypPJLl2a5JjhR6HnOR6ETgHzEgIvQ5-5FeY
2024-10-02 15:25:05 UTC	1218	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 34 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 35 35 38 2c 5b 5b 22 31 37 32 37 38 38 32 36 39 33 30 30 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,null,null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[4,0,0,0,0]]],558,[["1727882693000",null,null,null,
2024-10-02 15:25:05 UTC	941	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=mLe9fco1sRDxoo9lNK9wSvF5FkESYolY3CAo9LaFt45JopZtkBKVkzBw7z0zS71fEs4SLJCXzfZL26HuoVFs_IokdwIiiXyl2wqSMnxYnSetKNRyqG4js6gMujKhpC7eb-3qP9__C8EBRHaQnCWEearpYcJ6LUlmHepNL__-bCiNb8Rv2HDKrF4Un44; expires=Thu, 03-Apr-2025 15:25:05 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 15:25:05 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Wed, 02 Oct 2024 15:25:05 GMT Connection: close Transfer-Encoding: chunked
2024-10-02 15:25:05 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 15:25:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49758	172.217.18.110	443	4220	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 15:25:28 UTC	1338	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1363 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=mLe9fco1sRDxoo9lNK9wSvF5FkESYolY3CAo9LaFt45JopZtkBKVkzBw7z0zS71fEs4SLJCXzfZL26HuoVFs_IokdwIiiXyl2wqSMnxYnSetKNRyqG4js6gMujKhpC7eb-3qP9__C8EBRHaQnCWEearpYcJ6LUlmHepNL__-bCiNb8Rv2HDKrF4Un44
2024-10-02 15:25:28 UTC	1363	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 32 37 32 36 39 38 32 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727882726982",null,null,null
2024-10-02 15:25:28 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 15:25:28 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 15:25:28 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 15:25:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49759	172.217.18.110	443	4220	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 15:25:29 UTC	1338	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1176 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=mLe9fco1sRDxoo9lNK9wSvF5FkESYolY3CAo9LaFt45JopZtkBKVkzBw7z0zS71fEs4SLJCXzfZL26HuoVFs_IokdwIiiXyl2wqSMnxYnSetKNRyqG4js6gMujKhpC7eb-3qP9__C8EBRHaQnCWEearpYcJ6LUlmHepNL__-bCiNb8Rv2HDKrF4Un44
2024-10-02 15:25:29 UTC	1176	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 32 37 32 37 38 38 37 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727882727887",null,null,null
2024-10-02 15:25:29 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 15:25:29 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 15:25:29 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 15:25:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49760	172.217.18.110	443	4220	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 15:25:29 UTC	1298	OUT	POST /log?hasfast=true&authuser=0&format=json HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1039 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.132" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=mLe9fco1sRDxoo9lNK9wSvF5FkESYolY3CAo9LaFt45JopZtkBKVkzBw7z0zS71fEs4SLJCXzfZL26HuoVFs_IokdwIiiXyl2wqSMnxYnSetKNRyqG4js6gMujKhpC7eb-3qP9__C8EBRHaQnCWEearpYcJ6LUlmHepNL__-bCiNb8Rv2HDKrF4Un44
2024-10-02 15:25:29 UTC	1039	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 62 6f 71 5f 69 64 65 6e 74 69 74 79 66 72 6f 6e 74 65 6e 64 61 75 74 68 75 69 73 65 72 76 65 72 5f 32 30 32 34 30 39 32 39 2e 30 37 5f 70 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 33 2c 30 2c 30 Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"boq_identityfrontendauthuiserver_20240929.07_p0",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[3,0,0
2024-10-02 15:25:29 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 15:25:29 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 15:25:29 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 15:25:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49761	20.114.59.183	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 15:25:40 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=CvZ2vnRdKUFwUDn&MD=F7rlYPu7 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-02 15:25:41 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: 3a540835-3397-4b3b-a339-dfddbd3f83e6 MS-RequestId: 5e5ae19d-425a-4a0c-8ffd-3a39d35eb4b9 MS-CV: 8UfepUcfWUWey+My.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 02 Oct 2024 15:25:39 GMT Connection: close Content-Length: 30005
2024-10-02 15:25:41 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-10-02 15:25:41 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49765	142.250.184.206	443	4220	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 15:25:58 UTC	1338	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1405 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=mLe9fco1sRDxoo9lNK9wSvF5FkESYolY3CAo9LaFt45JopZtkBKVkzBw7z0zS71fEs4SLJCXzfZL26HuoVFs_IokdwIiiXyl2wqSMnxYnSetKNRyqG4js6gMujKhpC7eb-3qP9__C8EBRHaQnCWEearpYcJ6LUlmHepNL__-bCiNb8Rv2HDKrF4Un44
2024-10-02 15:25:58 UTC	1405	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 32 37 35 37 33 37 37 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727882757377",null,null,null
2024-10-02 15:25:59 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 15:25:59 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 15:25:59 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 15:25:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49766	142.250.184.206	443	4220	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 15:25:59 UTC	1338	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1222 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=mLe9fco1sRDxoo9lNK9wSvF5FkESYolY3CAo9LaFt45JopZtkBKVkzBw7z0zS71fEs4SLJCXzfZL26HuoVFs_IokdwIiiXyl2wqSMnxYnSetKNRyqG4js6gMujKhpC7eb-3qP9__C8EBRHaQnCWEearpYcJ6LUlmHepNL__-bCiNb8Rv2HDKrF4Un44
2024-10-02 15:25:59 UTC	1222	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 32 37 35 38 33 33 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727882758330",null,null,null
2024-10-02 15:26:00 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 15:26:00 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 15:26:00 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 15:26:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49769	142.250.184.206	443	4220	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 15:26:29 UTC	1338	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1390 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=mLe9fco1sRDxoo9lNK9wSvF5FkESYolY3CAo9LaFt45JopZtkBKVkzBw7z0zS71fEs4SLJCXzfZL26HuoVFs_IokdwIiiXyl2wqSMnxYnSetKNRyqG4js6gMujKhpC7eb-3qP9__C8EBRHaQnCWEearpYcJ6LUlmHepNL__-bCiNb8Rv2HDKrF4Un44
2024-10-02 15:26:29 UTC	1390	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 32 37 38 37 35 37 39 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727882787579",null,null,null
2024-10-02 15:26:29 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 15:26:29 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 15:26:29 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 15:26:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49770	142.250.184.206	443	4220	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 15:26:32 UTC	1338	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1334 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=mLe9fco1sRDxoo9lNK9wSvF5FkESYolY3CAo9LaFt45JopZtkBKVkzBw7z0zS71fEs4SLJCXzfZL26HuoVFs_IokdwIiiXyl2wqSMnxYnSetKNRyqG4js6gMujKhpC7eb-3qP9__C8EBRHaQnCWEearpYcJ6LUlmHepNL__-bCiNb8Rv2HDKrF4Un44
2024-10-02 15:26:32 UTC	1334	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 32 37 39 31 33 34 35 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727882791345",null,null,null
2024-10-02 15:26:33 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 15:26:32 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 15:26:33 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 15:26:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	11:24:43
Start date:	02/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x750000
File size:	918'528 bytes
MD5 hash:	EAB946495E838F5895A34747E727374F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:24:43
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	11:24:44
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2012 --field-trial-handle=1948,i,14814395722568013072,14306919227150370928,262144 /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	11:24:56
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5604 --field-trial-handle=1948,i,14814395722568013072,14306919227150370928,262144 /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	11:24:56
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5672 --field-trial-handle=1948,i,14814395722568013072,14306919227150370928,262144 /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.7%
Total number of Nodes:	1547
Total number of Limit Nodes:	42

Executed Functions

Function 007542DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0075430D

Part of subcall function 00756B57: _wcslen.LIBCMT ref: 00756B6A

GetCurrentProcess.KERNEL32(?,007ECB64,00000000,?,?), ref: 00754422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00754429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00754454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00754466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00754474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0075447B
GetSystemInfo.KERNEL32(?,?,?), ref: 007544A0

Strings

kernel32.dll, xrefs: 0075444F
GetNativeSystemInfo, xrefs: 00754460
|O, xrefs: 007936F8

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 5bc39fbc5376f566e8f28d468520797afb9c54eff764f2d05e05914239142634
Instruction ID: 3501568022326f5b349c281288f642b50b5b2799746adce59e498fd0bff04c9c
Opcode Fuzzy Hash: 5bc39fbc5376f566e8f28d468520797afb9c54eff764f2d05e05914239142634
Instruction Fuzzy Hash: C6A1B46690A2C0CFCF32C7697C8D1D67FA67B36304B34D499D84197B21D27C464ACB61

Function 007542A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,007550AA,?,?,00000000,00000000), ref: 007542B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,007550AA,?,?,00000000,00000000), ref: 007542C9
LoadResource.KERNEL32(?,00000000,?,?,007550AA,?,?,00000000,00000000,?,?,?,?,?,?,00754F20), ref: 007935BE
SizeofResource.KERNEL32(?,00000000,?,?,007550AA,?,?,00000000,00000000,?,?,?,?,?,?,00754F20), ref: 007935D3
LockResource.KERNEL32(007550AA,?,?,007550AA,?,?,00000000,00000000,?,?,?,?,?,?,00754F20,?), ref: 007935E6

Strings

SCRIPT, xrefs: 007542BF

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 2a5b5518bfdb64e72cd7350262c18d569c6255e7697610cc62c2d7d158c25ea6
Instruction ID: 06919cd16b0b858cff93ce15a0dc501db77a28bb43a8b42ef84bbf4ae7fa87e2
Opcode Fuzzy Hash: 2a5b5518bfdb64e72cd7350262c18d569c6255e7697610cc62c2d7d158c25ea6
Instruction Fuzzy Hash: B511AC75201301BFDB228B65DC88F677BBDFBC9B56F108169B9028A250DBB5D8068620

Function 00792BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00752B6B

Part of subcall function 00753A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00821418,?,00752E7F,?,?,?,00000000), ref: 00753A78

Part of subcall function 00759CB3: _wcslen.LIBCMT ref: 00759CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00812224), ref: 00792C10
ShellExecuteW.SHELL32(00000000,?,?,00812224), ref: 00792C17

Strings

runas, xrefs: 00792C0B

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 799b9489933ef81a2b73f7e196cd6c83ca86989dc1c9e72d6df76573acedf6e5
Instruction ID: d15e3e9ad0dea59afdd4f127a84963c16e6c23f8e6304db8ed63fdfec1c2a79b
Opcode Fuzzy Hash: 799b9489933ef81a2b73f7e196cd6c83ca86989dc1c9e72d6df76573acedf6e5
Instruction Fuzzy Hash: 83112731204344EACB14FF60E8599EDBBA5EFA5342F44442CF946420A3DFAC894FC312

Function 007BD4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 007BD501
Process32FirstW.KERNEL32(00000000,?), ref: 007BD50F
Process32NextW.KERNEL32(00000000,?), ref: 007BD52F
CloseHandle.KERNELBASE(00000000), ref: 007BD5DC

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: dbcb3dcfac2aa2352e43bd0e85555f6e711eb1a95b746b7d18682cde1d598b1e
Instruction ID: 271dcecc343ef5a033905f461a7e3f2995724b7d604158ae88c5650afaca4089
Opcode Fuzzy Hash: dbcb3dcfac2aa2352e43bd0e85555f6e711eb1a95b746b7d18682cde1d598b1e
Instruction Fuzzy Hash: 5F31A171008340DFD311EF54C885AEFBBE8EF99344F14092DF981871A1EB75A949CBA2

Function 007BDBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00795222), ref: 007BDBCE
GetFileAttributesW.KERNELBASE(?), ref: 007BDBDD
FindFirstFileW.KERNEL32(?,?), ref: 007BDBEE
FindClose.KERNEL32(00000000), ref: 007BDBFA

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 309696a109b40d36418bd9ac77f850a10e511960962b56e9cb4850f4ff24b4ff
Instruction ID: 01540498b4cdde755c5e9d2f26dbddbefc601fdf6d0119bb58eec1cccbf85149
Opcode Fuzzy Hash: 309696a109b40d36418bd9ac77f850a10e511960962b56e9cb4850f4ff24b4ff
Instruction Fuzzy Hash: 25F0E5308119145B92316B7CAC4E9EA3B6CAE05338F108702F936C20F0FBB85D56C6E9

Function 00774CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(007828E9,?,00774CBE,007828E9,008188B8,0000000C,00774E15,007828E9,00000002,00000000,?,007828E9), ref: 00774D09
TerminateProcess.KERNEL32(00000000,?,00774CBE,007828E9,008188B8,0000000C,00774E15,007828E9,00000002,00000000,?,007828E9), ref: 00774D10
ExitProcess.KERNEL32 ref: 00774D22

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 7d9f37f127b087ca9723fcccad9734f8a068a616caf80ba2b927e3996b220811
Instruction ID: dffaa4c2d696493254c0eae6022f3f42e13454151a9a713728117c9d22a6fa1d
Opcode Fuzzy Hash: 7d9f37f127b087ca9723fcccad9734f8a068a616caf80ba2b927e3996b220811
Instruction Fuzzy Hash: 26E04631101188EFCF22AF68DD49A483B29EB45781B01C414FD588E122CB3DED42CB84

Function 007DAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 007DB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 007DB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 007DB1D4
_wcslen.LIBCMT ref: 007DB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007DB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007DB236
_wcslen.LIBCMT ref: 007DB332

Part of subcall function 007C05A7: GetStdHandle.KERNEL32(000000F6), ref: 007C05C6

_wcslen.LIBCMT ref: 007DB34B
_wcslen.LIBCMT ref: 007DB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 007DB3B6
GetLastError.KERNEL32(00000000), ref: 007DB407
CloseHandle.KERNEL32(?), ref: 007DB439
CloseHandle.KERNEL32(00000000), ref: 007DB44A
CloseHandle.KERNEL32(00000000), ref: 007DB45C
CloseHandle.KERNEL32(00000000), ref: 007DB46E
CloseHandle.KERNEL32(?), ref: 007DB4E3

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 4f281cedd473a709d6087f9b8b7e13de7288c5b0125fdc2e09fb16a85900ea39
Instruction ID: 192b2cc12a44508248c7e967d86257a22361e608f9178be21e7ffce1c1ead379
Opcode Fuzzy Hash: 4f281cedd473a709d6087f9b8b7e13de7288c5b0125fdc2e09fb16a85900ea39
Instruction Fuzzy Hash: A0F19A31508340DFC714EF24C895B6ABBE0AF85314F19845EF8999B3A2DB79EC05CB92

Function 0075D730 Relevance: 21.6, APIs: 14, Instructions: 631sleepsynchronizationtimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0075D807
timeGetTime.WINMM ref: 0075DA07
Sleep.KERNELBASE(0000000A), ref: 0075DBB1
Sleep.KERNEL32(0000000A), ref: 007A2B76
GetExitCodeProcess.KERNEL32(?,?), ref: 007A2C11
WaitForSingleObject.KERNEL32(?,00000000), ref: 007A2C29
CloseHandle.KERNEL32(?), ref: 007A2C3D
Sleep.KERNEL32(?,CCCCCCCC,00000000), ref: 007A2CA9

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Sleep$CloseCodeExitHandleInputObjectProcessSingleStateTimeWaittime
String ID:
API String ID: 388478766-0
Opcode ID: d0235b8ac55ebf6d387cfebd0e5ee3fd6d71f04c99cc88a2320884b98542b466
Instruction ID: e6332b54bf918e7550a8f1cc32ce400af0410ea903cf751e465a5c86ba767a14
Opcode Fuzzy Hash: d0235b8ac55ebf6d387cfebd0e5ee3fd6d71f04c99cc88a2320884b98542b466
Instruction Fuzzy Hash: E042D370608341DFD735CF24C888BEAB7A1FF86315F148619E85687292D7B8EC49CB92

Function 00752CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00752D07
RegisterClassExW.USER32(00000030), ref: 00752D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00752D42
InitCommonControlsEx.COMCTL32(?), ref: 00752D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00752D6F
LoadIconW.USER32(000000A9), ref: 00752D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00752D94

Strings

0, xrefs: 00752CE9
+, xrefs: 00752CF0
AutoIt v3 GUI, xrefs: 00752D23
TaskbarCreated, xrefs: 00752D37

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 834ea741607d7d47a2a295d9099020c7b0fc4f5f657463e65110d35a0dd50823
Instruction ID: 228cab5ad98b68e03197e22628342b72eb4e641c3ca87bdea8ca8be49a44811e
Opcode Fuzzy Hash: 834ea741607d7d47a2a295d9099020c7b0fc4f5f657463e65110d35a0dd50823
Instruction Fuzzy Hash: D621E4B5902348AFDF11DFA4EC89B9DBFB4FB08700F10811AE911AA2A0D7B95542CF95

Function 0079065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0079039A: CreateFileW.KERNELBASE(00000000,00000000,?,00790704,?,?,00000000,?,00790704,00000000,0000000C), ref: 007903B7

GetLastError.KERNEL32 ref: 0079076F
__dosmaperr.LIBCMT ref: 00790776
GetFileType.KERNELBASE(00000000), ref: 00790782
GetLastError.KERNEL32 ref: 0079078C
__dosmaperr.LIBCMT ref: 00790795
CloseHandle.KERNEL32(00000000), ref: 007907B5
CloseHandle.KERNEL32(?), ref: 007908FF
GetLastError.KERNEL32 ref: 00790931
__dosmaperr.LIBCMT ref: 00790938

Strings

H, xrefs: 007908BD

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 2d89cd82a7fab67fec82dcc8822d917a2a97bec83ca85ad1abf8807ff04edc92
Instruction ID: e2e2d1f38a37f94747f8f7a1701a9e524d5c58bfb499e6c3ddcd4760669fe49d
Opcode Fuzzy Hash: 2d89cd82a7fab67fec82dcc8822d917a2a97bec83ca85ad1abf8807ff04edc92
Instruction Fuzzy Hash: ACA13836A241448FDF19EF68E895BAE7BA0AB06320F14415DF8159F3D2DB399C13CB91

Function 0075344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00753A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00821418,?,00752E7F,?,?,?,00000000), ref: 00753A78

Part of subcall function 00753357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00753379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0075356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0079318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 007931CE
RegCloseKey.ADVAPI32(?), ref: 00793210
_wcslen.LIBCMT ref: 00793277
_wcslen.LIBCMT ref: 00793286

Strings

\, xrefs: 0079328C
\Include\, xrefs: 00753527
Include, xrefs: 00793184, 007931C5
Software\AutoIt v3\AutoIt, xrefs: 00753560

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: de1a66f9db77aa625a8b7600ee999a52e56f66b4e8a2731ff60da0dc9227ee46
Instruction ID: c47905f3f695a0e1ad3c119d6e4a5cb18ad035647a09d28edc6c1884d0342821
Opcode Fuzzy Hash: de1a66f9db77aa625a8b7600ee999a52e56f66b4e8a2731ff60da0dc9227ee46
Instruction Fuzzy Hash: D771A371405301EEC714EF65EC8989BBBE8FF88340F80852EF94587271EB789A49CB61

Function 00752B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00752B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00752B9D
LoadIconW.USER32(00000063), ref: 00752BB3
LoadIconW.USER32(000000A4), ref: 00752BC5
LoadIconW.USER32(000000A2), ref: 00752BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00752BEF
RegisterClassExW.USER32(?), ref: 00752C40

Part of subcall function 00752CD4: GetSysColorBrush.USER32(0000000F), ref: 00752D07
Part of subcall function 00752CD4: RegisterClassExW.USER32(00000030), ref: 00752D31
Part of subcall function 00752CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00752D42
Part of subcall function 00752CD4: InitCommonControlsEx.COMCTL32(?), ref: 00752D5F
Part of subcall function 00752CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00752D6F
Part of subcall function 00752CD4: LoadIconW.USER32(000000A9), ref: 00752D85
Part of subcall function 00752CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00752D94

Strings

#, xrefs: 00752C16
0, xrefs: 00752C0F
AutoIt v3, xrefs: 00752C2F

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 54a5611e69d050a1f3317c854a6fa3423daebbed6c144ae1979d8b48deb96282
Instruction ID: 6774d5fe8d8bb73125bf11a2204ce4f77b7c9e8e569e41aec4d49b777adf3dca
Opcode Fuzzy Hash: 54a5611e69d050a1f3317c854a6fa3423daebbed6c144ae1979d8b48deb96282
Instruction Fuzzy Hash: 38213074D01354ABDF21DF95EC8DA997FB5FB1CB50F10802AE500A6760D3B90542CF94

Function 00753170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0075316A,?,?), ref: 007531D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0075316A,?,?), ref: 00753204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00753227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0075316A,?,?), ref: 00753232
CreatePopupMenu.USER32 ref: 00753246
PostQuitMessage.USER32(00000000), ref: 00753267

Strings

TaskbarCreated, xrefs: 0075322D

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 6d5969265fa650ec2b2c47eae8331985c42910e9f7696191bf56dd26c5892d7e
Instruction ID: 8834d68e27fb53e58ac0d339adde0c27c48d07e2c84ee6db166e44fa2190235d
Opcode Fuzzy Hash: 6d5969265fa650ec2b2c47eae8331985c42910e9f7696191bf56dd26c5892d7e
Instruction Fuzzy Hash: 54416D34200A48B7DF256B78AC4DBF93A15F715382F548125FD01C62B1C7FC9A8A97A5

Function 00751410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00751459
CoUninitialize.COMBASE ref: 007514F8
UnregisterHotKey.USER32(?), ref: 007516DD
DestroyWindow.USER32(?), ref: 007924B9
FreeLibrary.KERNEL32(?), ref: 0079251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0079254B

Strings

close all, xrefs: 00751454

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: c095646861bd6fab0e31d803f8530fc87f8f817cda861f6f5539c211c9aa04aa
Instruction ID: 6cc6b1692d3114844151fe162df6a1a84d63cff66dc736e0846fa412d797035f
Opcode Fuzzy Hash: c095646861bd6fab0e31d803f8530fc87f8f817cda861f6f5539c211c9aa04aa
Instruction Fuzzy Hash: C0D19E31702212DFDB19EF14D499B69F7A0BF08302F5541ADE84A6B262DB78AC27CF50

Function 00752C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00752C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00752CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00751CAD,?), ref: 00752CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00751CAD,?), ref: 00752CCF

Strings

edit, xrefs: 00752CAC
AutoIt v3, xrefs: 00752C89, 00752C8E, 00752C8F

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 06d3348aad3267c52907754e1bd303aeb4c92e05cb0b89284b200bfd5d9d2f04
Instruction ID: ebe51461b0e92f3fd89b6bf9a2e1f477008d2e905ba08476fa5b7179f4e8a40a
Opcode Fuzzy Hash: 06d3348aad3267c52907754e1bd303aeb4c92e05cb0b89284b200bfd5d9d2f04
Instruction Fuzzy Hash: F3F03A795413D47AEB314713AC4CE772EBEE7DAF50B21802AF900A62A0C2791842DAB4

Function 00753B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00753B0F,SwapMouseButtons,00000004,?), ref: 00753B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00753B0F,SwapMouseButtons,00000004,?), ref: 00753B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00753B0F,SwapMouseButtons,00000004,?), ref: 00753B83

Strings

Control Panel\Mouse, xrefs: 00753B3E

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 4f022e39ff58e38a668a8c6fac64246be4317eb44cbd03615a44d9ff5366a1b8
Instruction ID: e819a46ce48a37338fc7b6149c373dde7bcc6dbda99c56c62866714c88e5d194
Opcode Fuzzy Hash: 4f022e39ff58e38a668a8c6fac64246be4317eb44cbd03615a44d9ff5366a1b8
Instruction Fuzzy Hash: 53115AB5511208FFDB21CFA4DC84AEEB7B8EF04781B108459F801D7120E2759F449764

Function 00753923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 007933A2

Part of subcall function 00756B57: _wcslen.LIBCMT ref: 00756B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00753A04

Strings

Line: , xrefs: 007933EB

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 82a8ccda92ffb05a4284e5df6a3f0cf47320bb8201011dd9b952f671a1a070d8
Instruction ID: b80077ace81595f357f510fa959002fd239dd5220543057b8f57fee7537533f7
Opcode Fuzzy Hash: 82a8ccda92ffb05a4284e5df6a3f0cf47320bb8201011dd9b952f671a1a070d8
Instruction Fuzzy Hash: BD31B471408304AACB21EB10DC4DBDBB7D8AB54755F10492AF999831A1DBBCA64DC7C2

Function 007510F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00751BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00751BF4
Part of subcall function 00751BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00751BFC
Part of subcall function 00751BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00751C07
Part of subcall function 00751BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00751C12
Part of subcall function 00751BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00751C1A
Part of subcall function 00751BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00751C22

Part of subcall function 00751B4A: RegisterWindowMessageW.USER32(00000004,?,007512C4), ref: 00751BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0075136A
OleInitialize.OLE32 ref: 00751388
CloseHandle.KERNEL32(00000000,00000000), ref: 007924AB

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 64f1fdf60b4a6e398f0a7702b755a272076b631ac1e61b551e73a74e8793662e
Instruction ID: 314f12c138b92e39bbeecd3c8a21c99eb69cfbf183187a1b50a5376fe6a90352
Opcode Fuzzy Hash: 64f1fdf60b4a6e398f0a7702b755a272076b631ac1e61b551e73a74e8793662e
Instruction Fuzzy Hash: B371D2B49012449ECFA4EF79AA8D6543AE1FBB8341374C2BAD90AC7261EB785447CF44

Function 007BC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00753923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00753A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 007BC259
KillTimer.USER32(?,00000001,?,?), ref: 007BC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 007BC270

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 136c7e77287b65040c524f9ff5c97d02289b10fed1284660dfc6168a206f175c
Instruction ID: 341d6234d292f01859c2cd07948f01e329f02d9414d449bcb7f07f22e96ae9cf
Opcode Fuzzy Hash: 136c7e77287b65040c524f9ff5c97d02289b10fed1284660dfc6168a206f175c
Instruction Fuzzy Hash: 7731A970904384AFEB33DF648899BE7BBECAF16304F00849DD6D997241C7785A85CB55

Function 007886AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,007885CC,?,00818CC8,0000000C), ref: 00788704
GetLastError.KERNEL32(?,007885CC,?,00818CC8,0000000C), ref: 0078870E
__dosmaperr.LIBCMT ref: 00788739

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 7ae2198899b9ed061e123c4986f008598225e17efb6036a4d95bd569c74df768
Instruction ID: 58331065b6a28b881ef783c9b89459a6ab187f6be46f3fab21a67e6a4d34f87b
Opcode Fuzzy Hash: 7ae2198899b9ed061e123c4986f008598225e17efb6036a4d95bd569c74df768
Instruction Fuzzy Hash: 1B018936BC526066C6B17334A849B7E27594B82778F790119F8188B0D3EEBDDC828392

Function 0075DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0075DB7B
DispatchMessageW.USER32(?), ref: 0075DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0075DB9F
Sleep.KERNELBASE(0000000A), ref: 0075DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 007A1CC9

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: e574d0a9eb370f3c553d5eccb4fb1c118d5ffbd5115e48b9abe2084594b41aa9
Instruction ID: be9f8beab49432b41dc9fcb68525eb182b56ef2344a2c5e7eb7482b95e5d19a9
Opcode Fuzzy Hash: e574d0a9eb370f3c553d5eccb4fb1c118d5ffbd5115e48b9abe2084594b41aa9
Instruction Fuzzy Hash: 23F054706053809BEB30C7A08C89FDA73A9FB89311F508628EA0AC70C0DB7894898B25

Function 00761310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 007617F6

Strings

CALL, xrefs: 007617C6

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 10cbc8c378623dbaeb5c0449215ca262c00bee970eb2aa4809bc62846dc295ea
Instruction ID: d9a943ef3d2c6136052cf95b10e43ebab8f2418d08ff65c273d44d885ae81b7f
Opcode Fuzzy Hash: 10cbc8c378623dbaeb5c0449215ca262c00bee970eb2aa4809bc62846dc295ea
Instruction Fuzzy Hash: 30228970608341DFC714DF24C488A2ABBF1BF89314F58896DF8968B262D779E855CB92

Function 00752DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00792C8C

Part of subcall function 00753AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00753A97,?,?,00752E7F,?,?,?,00000000), ref: 00753AC2

Part of subcall function 00752DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00752DC4

Strings

X, xrefs: 00792C5A

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: cd1a1be14019801c5c3aa1a53b7385c8a0958ffdcac77341c9646cd14c6440cf
Instruction ID: 2b95ad5113d2499c0c1a6e4bf3c574bd9775587b8b7586791a9a5d6ecb483648
Opcode Fuzzy Hash: cd1a1be14019801c5c3aa1a53b7385c8a0958ffdcac77341c9646cd14c6440cf
Instruction Fuzzy Hash: AC21A471A002989ADF01EF94D8497EE7BBDAF49305F008059E905A7241EBF85A8D8B61

Function 00753837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00753908

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: a81a673fce1ca36f3a8c6eace89ab6af90e76078b7c9e0989f3c8fed4cd656cc
Instruction ID: 1e028de2e82615ebdfd795550348fd5be370ca8dca9cb255b76c1dcf7ab0539c
Opcode Fuzzy Hash: a81a673fce1ca36f3a8c6eace89ab6af90e76078b7c9e0989f3c8fed4cd656cc
Instruction Fuzzy Hash: 53319CB05043008FD721DF24D8887D7BBE8FB49349F00092EF99987250E7B9AA48CB52

Function 0076F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0076F661

Part of subcall function 0075D730: GetInputState.USER32 ref: 0075D807

Sleep.KERNEL32(00000000), ref: 007AF2DE

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 2add94ff1974dad872e01aa0f506338ca89c8200cc284ff9d973efa7dd5ebaa2
Instruction ID: 4732e459ce67cb5863bffdd518f73bd501091755f783bdd74eb8e19ac768fe89
Opcode Fuzzy Hash: 2add94ff1974dad872e01aa0f506338ca89c8200cc284ff9d973efa7dd5ebaa2
Instruction Fuzzy Hash: 1BF082352402459FD314EF75D449BAAB7E4FF49761F004029EC59C7260DBB4AC04CB94

Function 00754ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00754E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00754EDD,?,00821418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00754E9C
Part of subcall function 00754E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00754EAE
Part of subcall function 00754E90: FreeLibrary.KERNEL32(00000000,?,?,00754EDD,?,00821418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00754EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00821418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00754EFD

Part of subcall function 00754E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00793CDE,?,00821418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00754E62
Part of subcall function 00754E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00754E74
Part of subcall function 00754E59: FreeLibrary.KERNEL32(00000000,?,?,00793CDE,?,00821418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00754E87

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: b535677a560c72a91f9bdce758b31ab8abaf6b754a24a7b84adbef1f4b30a1e1
Instruction ID: 58f012fdd1e6510ebd01548841dc8a008ae3e6b0e3124c482410c5e3bcd2ebd8
Opcode Fuzzy Hash: b535677a560c72a91f9bdce758b31ab8abaf6b754a24a7b84adbef1f4b30a1e1
Instruction Fuzzy Hash: 29112731600209EBCF10AB64DC0BFED77A4AF44716F10842DF942AA1C1EEB89A899B50

Function 00788402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00788440

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 0161520777b306bb543ec8c78779114a7041b26e31492c0cce748081626a0dd6
Instruction ID: aa6cbd23b521d8bb2b7ff5adc38aff3754b4d25e6681fc197cbbb3bfc3097184
Opcode Fuzzy Hash: 0161520777b306bb543ec8c78779114a7041b26e31492c0cce748081626a0dd6
Instruction Fuzzy Hash: DA11187690410AAFCF15DF58E94599A7BF5EF48314F104059FC08AB312DB31EA11CBA5

Function 00785000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00784C7D: RtlAllocateHeap.NTDLL(00000008,00751129,00000000,?,00782E29,00000001,00000364,?,?,?,0077F2DE,00783863,00821444,?,0076FDF5,?), ref: 00784CBE

_free.LIBCMT ref: 0078506C

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 52ea57b1cfd54c095445776416f75f8d8a1fb5d5309ac6e2078429af970d17f8
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 76016D72244705ABE331DF69D885A9AFBECFB89370F25061DE184932C0EB74A805C7B4

Function 007E29BF Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?,?,?,007E14B5,?), ref: 007E2A01

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 56fdf20b2ac2b8e6f954ac59947181f1b4d1981eaeabc5c7e4d79e1591f674af
Instruction ID: e64dac1640a103d52c1aa544268c06dca91f92dff7025468b5dc13faaaaec5ef
Opcode Fuzzy Hash: 56fdf20b2ac2b8e6f954ac59947181f1b4d1981eaeabc5c7e4d79e1591f674af
Instruction Fuzzy Hash: B40192363056C19FD3258A2EC454B26379AEB8D314F29C468D4479B253DB3AFC43C790

Function 0077E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: ab6b52017936f087cb9c00e6e1cfbf9357190b5dd64d552efc9e1b1f85c3a823
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 18F02D32610A10E6CF313A658C0DB5A33AC9F563B5F108755F529D31D2DB7CE80287A6

Function 007E149E Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?), ref: 007E14EB

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: ca34662cee1f9e912acf103a8656fea4df3c2ab97a575cbacb7595ede351ccaf
Instruction ID: 3c7551be89c1f5573b27ec910cd226e2d5ad3d474e15b41725f7fb20aeeb8dfc
Opcode Fuzzy Hash: ca34662cee1f9e912acf103a8656fea4df3c2ab97a575cbacb7595ede351ccaf
Instruction Fuzzy Hash: F801D4353067C19FD321CF6AC441826BB95FF89324794C069E84ACF782D676DD82C780

Function 00784C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00751129,00000000,?,00782E29,00000001,00000364,?,?,?,0077F2DE,00783863,00821444,?,0076FDF5,?), ref: 00784CBE

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9332a6756a78db3a1e184c6f32e01a13e975f21dbed766ef99fe7f1ff8393197
Instruction ID: 09ef5391340551c6f0a33da793f36abf43ea034c6418cdb404c7bf8be91022ab
Opcode Fuzzy Hash: 9332a6756a78db3a1e184c6f32e01a13e975f21dbed766ef99fe7f1ff8393197
Instruction Fuzzy Hash: 33F0B432682226A7DF317F629C0DB5A778CBF417B0B148115F819AA281CBBCD80147B0

Function 00783820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00821444,?,0076FDF5,?,?,0075A976,00000010,00821440,007513FC,?,007513C6,?,00751129), ref: 00783852

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: bb622a1f187898edf77ea4e1d7c474352cad7e80c8a60a1bc616a29910bcc138
Instruction ID: 100a35df0c4f151343f3d1f7046e9e78e9422a71a9ff07e0216d5d0660711862
Opcode Fuzzy Hash: bb622a1f187898edf77ea4e1d7c474352cad7e80c8a60a1bc616a29910bcc138
Instruction Fuzzy Hash: C2E065322812249BEA31376E9C0AB9A3649AB42FF0F154126FC19E6591DB6DDD0183F1

Function 00754F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00821418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00754F6D

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 6fca95160a5212ab046cb657fd8bcf3e6347c06b9038f449db0c1239213a24fa
Instruction ID: 55887182ceabea700c7e4753fbf2673976ec10fdeae2fab610f7bb2ac22042f0
Opcode Fuzzy Hash: 6fca95160a5212ab046cb657fd8bcf3e6347c06b9038f449db0c1239213a24fa
Instruction Fuzzy Hash: 21F0A070005341CFCB348F28D490892B7F0AF0431E328897EE5DA82550C7799888DF10

Function 007E2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 007E2A66

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 067199d785299ee0d4b2b12a4645caf23daaa7c9aa5e5447715ecd9b1810272f
Instruction ID: 650e4c9a005dddb9eaf325eab078a8a1d9576002998a773b41a242ee8f06c526
Opcode Fuzzy Hash: 067199d785299ee0d4b2b12a4645caf23daaa7c9aa5e5447715ecd9b1810272f
Instruction Fuzzy Hash: 83E0263634215AEAC710EB31EC849FE734CEF18399710853AFC1AC2102DB3C9D8286E0

Function 007530F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0075314E

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: d5a68aa87d4372add870b702910889bf4ca6b6d3c018f79ecb24365fce216c7d
Instruction ID: e7707ce75cb0e816619b4577710e96f872ae496c4fbbbbb4aa9a7c25d09024c6
Opcode Fuzzy Hash: d5a68aa87d4372add870b702910889bf4ca6b6d3c018f79ecb24365fce216c7d
Instruction Fuzzy Hash: F9F0A7709003489FEB63DB24DC4D7D57BBCB701708F1040E5A54896292D7784789CF45

Function 00752DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00752DC4

Part of subcall function 00756B57: _wcslen.LIBCMT ref: 00756B6A

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 5a0f4f5468068aa2b2eb0d3064fa868232666ef04ca96f1b2667c63185387169
Instruction ID: 1641fa37f07c376f256e4db9dfb3c30664c4f6672e45e2633674374fb480e490
Opcode Fuzzy Hash: 5a0f4f5468068aa2b2eb0d3064fa868232666ef04ca96f1b2667c63185387169
Instruction Fuzzy Hash: 3DE0CD766011245BCB1192589C0AFEA77DDDFC8790F044071FD09D7248D974AD848550

Function 00752B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00753837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00753908

Part of subcall function 0075D730: GetInputState.USER32 ref: 0075D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00752B6B

Part of subcall function 007530F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0075314E

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 463cf991312a7c4e98ce456c7176ee0a9c16f7e2a4d1c723ef39f73a8ce299ff
Instruction ID: 4dee1d8d6df9031d209c3edd8faf09f261de939b24d77c7c4ed989b5eaa025c2
Opcode Fuzzy Hash: 463cf991312a7c4e98ce456c7176ee0a9c16f7e2a4d1c723ef39f73a8ce299ff
Instruction Fuzzy Hash: 41E0202130034482CA187770585D4EDA75A9BD5353F40043DF94683173DE9C494E8251

Function 0079039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00790704,?,?,00000000,?,00790704,00000000,0000000C), ref: 007903B7

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1d15fcae0aa8da87533f0f0f44f3ff0a8b696ecc8523ba6add0c0b36fe487bee
Instruction ID: 1bd064f35b88332ce1222f13d2be1686db181d6da6341521b95e4467a7e9b95e
Opcode Fuzzy Hash: 1d15fcae0aa8da87533f0f0f44f3ff0a8b696ecc8523ba6add0c0b36fe487bee
Instruction Fuzzy Hash: 9CD06C3204014DBBDF028F84DD46EDA3FAAFB4C714F018000BE1856020C736E822AB95

Function 00751CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00751CBC

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 671a9e679e9a36600a9f74cafb607628d4fd5bcfc7b31dda000a90ee7d771c6c
Instruction ID: fd61846069430a954e5ba3f256ec634485e1bb9fad3ee6c0e4066c4cb8974138
Opcode Fuzzy Hash: 671a9e679e9a36600a9f74cafb607628d4fd5bcfc7b31dda000a90ee7d771c6c
Instruction Fuzzy Hash: 5AC09B35280344BFF6258780BD4EF107755B35CB00F14C001F609595E3C3A51431D654

Non-executed Functions

Function 007E9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00769BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00769BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 007E961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007E965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 007E969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007E96C9
SendMessageW.USER32 ref: 007E96F2
GetKeyState.USER32(00000011), ref: 007E978B
GetKeyState.USER32(00000009), ref: 007E9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007E97AE
GetKeyState.USER32(00000010), ref: 007E97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007E97E9
SendMessageW.USER32 ref: 007E9810
SendMessageW.USER32(?,00001030,?,007E7E95), ref: 007E9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 007E992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 007E9941
SetCapture.USER32(?), ref: 007E994A
ClientToScreen.USER32(?,?), ref: 007E99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 007E99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007E99D6
ReleaseCapture.USER32 ref: 007E99E1
GetCursorPos.USER32(?), ref: 007E9A19
ScreenToClient.USER32(?,?), ref: 007E9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 007E9A80
SendMessageW.USER32 ref: 007E9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 007E9AEB
SendMessageW.USER32 ref: 007E9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 007E9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 007E9B4A
GetCursorPos.USER32(?), ref: 007E9B68
ScreenToClient.USER32(?,?), ref: 007E9B75
GetParent.USER32(?), ref: 007E9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 007E9BFA
SendMessageW.USER32 ref: 007E9C2B
ClientToScreen.USER32(?,?), ref: 007E9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 007E9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 007E9CDE
SendMessageW.USER32 ref: 007E9D01
ClientToScreen.USER32(?,?), ref: 007E9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 007E9D82

Part of subcall function 00769944: GetWindowLongW.USER32(?,000000EB), ref: 00769952

GetWindowLongW.USER32(?,000000F0), ref: 007E9E05

Strings

F, xrefs: 007E9D07
@GUI_DRAGID, xrefs: 007E997D

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: f5417c254a2d5204a2001db58f68b4b0eb2ea57b71fc887d626071b47b8bf8e3
Instruction ID: 0c7dbfc9f8a0a1e970a21f4a5d7d1066682ee4b029c94a37eb40ee0c5780bc37
Opcode Fuzzy Hash: f5417c254a2d5204a2001db58f68b4b0eb2ea57b71fc887d626071b47b8bf8e3
Instruction Fuzzy Hash: C142AF36206280EFDB21CF25CC88AAABBF5FF4D310F10455AFA59872A1D739AC55CB51

Function 007E4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 007E48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 007E4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 007E4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 007E494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 007E495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 007E497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 007E49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 007E49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 007E4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 007E4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 007E4A7E
IsMenu.USER32(?), ref: 007E4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007E4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007E4B20
GetWindowLongW.USER32(?,000000F0), ref: 007E4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 007E4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 007E4C82
wsprintfW.USER32 ref: 007E4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007E4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 007E4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 007E4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007E4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 007E4D5A

Strings

%d/%02d/%02d, xrefs: 007E4CA8

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 2e0b708a7fe6f5850f4b2e9a57729235bbf821d2e8627bb59845588314de9280
Instruction ID: 56edf8b03047386332aa109633d1f6c94fffdf7bdf6b73043dd07cb3d81baf31
Opcode Fuzzy Hash: 2e0b708a7fe6f5850f4b2e9a57729235bbf821d2e8627bb59845588314de9280
Instruction Fuzzy Hash: 80120131A02284ABEB258F29CC49FAE7BF8FF48710F144169F916DB2E1D7789941CB50

Function 0076F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0076F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007AF474
IsIconic.USER32(00000000), ref: 007AF47D
ShowWindow.USER32(00000000,00000009), ref: 007AF48A
SetForegroundWindow.USER32(00000000), ref: 007AF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 007AF4AA
GetCurrentThreadId.KERNEL32 ref: 007AF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 007AF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 007AF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 007AF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 007AF4DE
SetForegroundWindow.USER32(00000000), ref: 007AF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 007AF4F6
keybd_event.USER32(00000012,00000000), ref: 007AF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 007AF50B
keybd_event.USER32(00000012,00000000), ref: 007AF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 007AF519
keybd_event.USER32(00000012,00000000), ref: 007AF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 007AF528
keybd_event.USER32(00000012,00000000), ref: 007AF52D
SetForegroundWindow.USER32(00000000), ref: 007AF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 007AF557

Strings

Shell_TrayWnd, xrefs: 007AF46F

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: f15521922abd8bb6e440b073299804411b09f0aced1dd61f43f1f44045fae90c
Instruction ID: ed3f0428835e96e67d8c531c830633fd998b4ef1051d27d44a0014dd2d87495a
Opcode Fuzzy Hash: f15521922abd8bb6e440b073299804411b09f0aced1dd61f43f1f44045fae90c
Instruction Fuzzy Hash: 8831C875A413587FEB216BF54C8AFBF7E6CEB88B50F204025FA00EA1D1C6B45D11AE64

Function 007B1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 007B16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007B170D
Part of subcall function 007B16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007B173A
Part of subcall function 007B16C3: GetLastError.KERNEL32 ref: 007B174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 007B1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 007B12A8
CloseHandle.KERNEL32(?), ref: 007B12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007B12D1
GetProcessWindowStation.USER32 ref: 007B12EA
SetProcessWindowStation.USER32(00000000), ref: 007B12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 007B1310

Part of subcall function 007B10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007B11FC), ref: 007B10D4
Part of subcall function 007B10BF: CloseHandle.KERNEL32(?,?,007B11FC), ref: 007B10E9

Strings

default, xrefs: 007B130B
winsta0, xrefs: 007B12CC
, xrefs: 007B125A

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 21d496f0e7a2b1085ca9018823ccfcdd0a60e9271d1a179cab7c553011ab0228
Instruction ID: d8e4853b413f6ba310f83994e68f3442121441f61b975cd7af81c2a3fb8853f3
Opcode Fuzzy Hash: 21d496f0e7a2b1085ca9018823ccfcdd0a60e9271d1a179cab7c553011ab0228
Instruction Fuzzy Hash: 27819E71900288AFDF219FA4DC99FEF7BB9EF08704F548129F910E61A0DB398945CB64

Function 007B0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007B10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 007B1114
Part of subcall function 007B10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,007B0B9B,?,?,?), ref: 007B1120
Part of subcall function 007B10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,007B0B9B,?,?,?), ref: 007B112F
Part of subcall function 007B10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,007B0B9B,?,?,?), ref: 007B1136
Part of subcall function 007B10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 007B114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 007B0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 007B0C00
GetLengthSid.ADVAPI32(?), ref: 007B0C17
GetAce.ADVAPI32(?,00000000,?), ref: 007B0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 007B0C6D
GetLengthSid.ADVAPI32(?), ref: 007B0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 007B0C8C
HeapAlloc.KERNEL32(00000000), ref: 007B0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 007B0CB4
CopySid.ADVAPI32(00000000), ref: 007B0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 007B0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 007B0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 007B0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 007B0D45
HeapFree.KERNEL32(00000000), ref: 007B0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 007B0D55
HeapFree.KERNEL32(00000000), ref: 007B0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 007B0D65
HeapFree.KERNEL32(00000000), ref: 007B0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 007B0D78
HeapFree.KERNEL32(00000000), ref: 007B0D7F

Part of subcall function 007B1193: GetProcessHeap.KERNEL32(00000008,007B0BB1,?,00000000,?,007B0BB1,?), ref: 007B11A1
Part of subcall function 007B1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,007B0BB1,?), ref: 007B11A8
Part of subcall function 007B1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,007B0BB1,?), ref: 007B11B7

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 55a03ef2958ca175ee58d3b956b38ed64774aa2a0a221d42d908147544bbe68e
Instruction ID: e6a9f4f2531d40cd996c91387e86e659e2dbf605d6144e2eca46b9b5becbe05f
Opcode Fuzzy Hash: 55a03ef2958ca175ee58d3b956b38ed64774aa2a0a221d42d908147544bbe68e
Instruction Fuzzy Hash: BF717075A0120AABDF11DFA4DC89FEFBBB8BF08300F048515E915AB191D779A905CBA0

Function 007CEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(007ECC08), ref: 007CEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 007CEB37
GetClipboardData.USER32(0000000D), ref: 007CEB43
CloseClipboard.USER32 ref: 007CEB4F
GlobalLock.KERNEL32(00000000), ref: 007CEB87
CloseClipboard.USER32 ref: 007CEB91
GlobalUnlock.KERNEL32(00000000), ref: 007CEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 007CEBC9
GetClipboardData.USER32(00000001), ref: 007CEBD1
GlobalLock.KERNEL32(00000000), ref: 007CEBE2
GlobalUnlock.KERNEL32(00000000), ref: 007CEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 007CEC38
GetClipboardData.USER32(0000000F), ref: 007CEC44
GlobalLock.KERNEL32(00000000), ref: 007CEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 007CEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 007CEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 007CECD2
GlobalUnlock.KERNEL32(00000000), ref: 007CECF3
CountClipboardFormats.USER32 ref: 007CED14
CloseClipboard.USER32 ref: 007CED59

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: f7b9d338dc43215c7c4c2e46c5afcb05550145ba0eeca2857bc5342f9c0e288c
Instruction ID: 1ce2ae90d723882b0914c6a3a5902d1ae9803b40e002aee8d58db40aa3647a13
Opcode Fuzzy Hash: f7b9d338dc43215c7c4c2e46c5afcb05550145ba0eeca2857bc5342f9c0e288c
Instruction Fuzzy Hash: 1F61D2742043419FD311EF24C889F7A7BA4AF88714F14851DF9568B2A2DB79ED0ACB62

Function 007C698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 007C69BE
FindClose.KERNEL32(00000000), ref: 007C6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 007C6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 007C6A75

Part of subcall function 00759CB3: _wcslen.LIBCMT ref: 00759CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 007C6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 007C6ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 007C6B6A
%03d, xrefs: 007C6DA2
%4d, xrefs: 007C6BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 007C6B32
%02d, xrefs: 007C6C00, 007C6C0A, 007C6C5A, 007C6CAA, 007C6CFA, 007C6D4A

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: c184d124e45bab688bc1c51f34af955c86553e4780a215ee68b133267f65c18c
Instruction ID: eb4271db9956203af404a5e0d3dedb985f4de79fe325351696d663d521524454
Opcode Fuzzy Hash: c184d124e45bab688bc1c51f34af955c86553e4780a215ee68b133267f65c18c
Instruction Fuzzy Hash: F6D140B2508340DEC314DB64D885EABB7ECBF88705F44491DF989D7191EB78DA48C762

Function 007C9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 007C9663
GetFileAttributesW.KERNEL32(?), ref: 007C96A1
SetFileAttributesW.KERNEL32(?,?), ref: 007C96BB
FindNextFileW.KERNEL32(00000000,?), ref: 007C96D3
FindClose.KERNEL32(00000000), ref: 007C96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 007C96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 007C974A
SetCurrentDirectoryW.KERNEL32(00816B7C), ref: 007C9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 007C9772
FindClose.KERNEL32(00000000), ref: 007C977F
FindClose.KERNEL32(00000000), ref: 007C978F

Strings

*.*, xrefs: 007C96F5

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 4d854cd9f2fac614665dfee608ee428bc5828ea8b7ee0670e1f01a42bccda1e4
Instruction ID: 14ad40fc66d8a5367778c87ae0894ad9b6f4849ab7051204f1bd8bf0a66b259f
Opcode Fuzzy Hash: 4d854cd9f2fac614665dfee608ee428bc5828ea8b7ee0670e1f01a42bccda1e4
Instruction Fuzzy Hash: 2231D076542249AADF11AFB4DC4DEDE77ACAF09320F10805DEA14E61A0EB7CDD818A24

Function 007C979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 007C97BE
FindNextFileW.KERNEL32(00000000,?), ref: 007C9819
FindClose.KERNEL32(00000000), ref: 007C9824
FindFirstFileW.KERNEL32(*.*,?), ref: 007C9840
SetCurrentDirectoryW.KERNEL32(?), ref: 007C9890
SetCurrentDirectoryW.KERNEL32(00816B7C), ref: 007C98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 007C98B8
FindClose.KERNEL32(00000000), ref: 007C98C5
FindClose.KERNEL32(00000000), ref: 007C98D5

Part of subcall function 007BDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 007BDB00

Strings

*.*, xrefs: 007C983B

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: f6be6ac77cbe95aec36378b0bf6b205ed4baff78a3e9ed8cd9e929a9350e3ec1
Instruction ID: 6654c47527523eb9d4fe053dde2c31940a11b8ddce4dad06c764800f4e8ab9b8
Opcode Fuzzy Hash: f6be6ac77cbe95aec36378b0bf6b205ed4baff78a3e9ed8cd9e929a9350e3ec1
Instruction Fuzzy Hash: 2D31E332501659AADF10AFB4DC4DFDE37ACAF0A320F10815DEA54E31E0DB79DE858A24

Function 007DBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 007DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007DB6AE,?,?), ref: 007DC9B5
Part of subcall function 007DC998: _wcslen.LIBCMT ref: 007DC9F1
Part of subcall function 007DC998: _wcslen.LIBCMT ref: 007DCA68
Part of subcall function 007DC998: _wcslen.LIBCMT ref: 007DCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007DBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 007DBFA9
RegCloseKey.ADVAPI32(00000000), ref: 007DBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 007DC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 007DC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 007DC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 007DC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 007DC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 007DC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 007DC382
RegCloseKey.ADVAPI32(00000000), ref: 007DC38F

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 3f7c435a4f8f9a9ac93b5974baefd46e75ce20c2f9b6426e451ba2d807eaaff7
Instruction ID: 6a5e1775117ea4e3b451accb1bff292382f10519d814fde9f99387e68df32ea8
Opcode Fuzzy Hash: 3f7c435a4f8f9a9ac93b5974baefd46e75ce20c2f9b6426e451ba2d807eaaff7
Instruction Fuzzy Hash: ED025B71604201DFD715DF28C895E2ABBF5AF49318F18849DF84A8B3A2DB35EC45CB52

Function 007C8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 007C8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 007C8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 007C8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 007C8310
SetCurrentDirectoryW.KERNEL32(?), ref: 007C8324
SetCurrentDirectoryW.KERNEL32(?), ref: 007C8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 007C838C
SetCurrentDirectoryW.KERNEL32(?), ref: 007C8395

Strings

*.*, xrefs: 007C839B

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 516ebda34ca389f4c6295aa4ec13990bbc9d138ed9e86cfe6cd32252e473038e
Instruction ID: 165c597b4e65f7aa0a8c8c2ea7b37215d7ae0c1d8eff804f1727b022bbd941ea
Opcode Fuzzy Hash: 516ebda34ca389f4c6295aa4ec13990bbc9d138ed9e86cfe6cd32252e473038e
Instruction Fuzzy Hash: E4615D725043459FCB10DF64C844EAEB3E8FF89311F04891EF99997251EB39E949CB92

Function 007BD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00753AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00753A97,?,?,00752E7F,?,?,?,00000000), ref: 00753AC2

Part of subcall function 007BE199: GetFileAttributesW.KERNEL32(?,007BCF95), ref: 007BE19A

FindFirstFileW.KERNEL32(?,?), ref: 007BD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 007BD1DD
MoveFileW.KERNEL32(?,?), ref: 007BD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 007BD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 007BD237

Part of subcall function 007BD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,007BD21C,?,?), ref: 007BD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 007BD253
FindClose.KERNEL32(00000000), ref: 007BD264

Strings

\*.*, xrefs: 007BD0CD, 007BD0D6, 007BD0EB

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 3f72e0d59bf411cfe0a33b15d26d605709a8368e8ec13ba0e85ad604551d5462
Instruction ID: 2c9a596987fa13e89f50f70c478b5c8b3540c174c9d74a6611d34c5245d83e58
Opcode Fuzzy Hash: 3f72e0d59bf411cfe0a33b15d26d605709a8368e8ec13ba0e85ad604551d5462
Instruction Fuzzy Hash: 90615D3180114DEBDF15EBE0C996AEDB7B9AF15301F248165E80677192EB78AF09CB60

Function 007CED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 007CED91
EmptyClipboard.USER32 ref: 007CED97
GlobalAlloc.KERNEL32(00000002,?), ref: 007CEDAC
CloseClipboard.USER32 ref: 007CEEA3

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: ad844c635dbd61a040d188eed0e6fd0c546aefcbdff2e8d183c4f1a0bb7e5da0
Instruction ID: 167ef58221109f15b3f8b3cfcda1af3103a2288aa27cea5d0ae87fe96059fc9d
Opcode Fuzzy Hash: ad844c635dbd61a040d188eed0e6fd0c546aefcbdff2e8d183c4f1a0bb7e5da0
Instruction Fuzzy Hash: D041AB35205251AFE721DF15D888F1ABBA5FF48358F14C09DE8168F6A2C779EC42CB90

Function 007BE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 007B16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007B170D
Part of subcall function 007B16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007B173A
Part of subcall function 007B16C3: GetLastError.KERNEL32 ref: 007B174A

ExitWindowsEx.USER32(?,00000000), ref: 007BE932

Strings

@, xrefs: 007BE925
SeShutdownPrivilege, xrefs: 007BE902
, xrefs: 007BE95C
, xrefs: 007BE920

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: ff6f6ee2190596261109b31f95fc599ab5a2c1a3fa789552494f1a008645efdf
Instruction ID: 57181f6d4b05d0bc46e4a80fb2a5d9ab962357b4c11f9439a688574d6effd703
Opcode Fuzzy Hash: ff6f6ee2190596261109b31f95fc599ab5a2c1a3fa789552494f1a008645efdf
Instruction Fuzzy Hash: FE01F973610311EFEB5867B49C8AFFF729CAB18750F154422FD13E62D1D5AC6C488195

Function 007D1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 007D1276
WSAGetLastError.WSOCK32 ref: 007D1283
bind.WSOCK32(00000000,?,00000010), ref: 007D12BA
WSAGetLastError.WSOCK32 ref: 007D12C5
closesocket.WSOCK32(00000000), ref: 007D12F4
listen.WSOCK32(00000000,00000005), ref: 007D1303
WSAGetLastError.WSOCK32 ref: 007D130D
closesocket.WSOCK32(00000000), ref: 007D133C

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: a54631c39dcbd92737c8713b44bbd4d8355d9396f68ba6c44b985232d6c98918
Instruction ID: 618f39de521197d8f50ef514884ba1e4c38aba3b62450d0f5931fcfb8a072a8e
Opcode Fuzzy Hash: a54631c39dcbd92737c8713b44bbd4d8355d9396f68ba6c44b985232d6c98918
Instruction Fuzzy Hash: 1C419E35600240AFD714DF64C588B69BBF5BF4A318F588089E8568F392C779EC86CBE1

Function 0078B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0078B9D4
_free.LIBCMT ref: 0078B9F8
_free.LIBCMT ref: 0078BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,007F3700), ref: 0078BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0082121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0078BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00821270,000000FF,?,0000003F,00000000,?), ref: 0078BC36
_free.LIBCMT ref: 0078BD4B

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 13800b156610824cbaffd3004492036a284d2b57fb6053ffb4b0163f9928903e
Instruction ID: 2386444813b75746885c900020a7d80712e340d09ecea78eb9c22248ad96ed5c
Opcode Fuzzy Hash: 13800b156610824cbaffd3004492036a284d2b57fb6053ffb4b0163f9928903e
Instruction Fuzzy Hash: 2DC14A71984205EFCB24FF788C45BAE7BB9EF55310F2481AAE494D7252E7389E42C750

Function 007BD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00753AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00753A97,?,?,00752E7F,?,?,?,00000000), ref: 00753AC2

Part of subcall function 007BE199: GetFileAttributesW.KERNEL32(?,007BCF95), ref: 007BE19A

FindFirstFileW.KERNEL32(?,?), ref: 007BD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 007BD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 007BD481
FindClose.KERNEL32(00000000), ref: 007BD498
FindClose.KERNEL32(00000000), ref: 007BD4A1

Strings

\*.*, xrefs: 007BD3F2

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 64c354720c9a744d86fe78bb622c8484f4cb2d0e21e7519ff08ae5f5b305e2b9
Instruction ID: 8922bfdaf5c63d7854f00fd24c722f224e0eb86da23e0c7be870b39a67c8b8a6
Opcode Fuzzy Hash: 64c354720c9a744d86fe78bb622c8484f4cb2d0e21e7519ff08ae5f5b305e2b9
Instruction Fuzzy Hash: 67318D31008385EBC211EF64C8969EFB7E8BE95315F404A2DF8D593191EB68AE0D8763

Function 0078E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0078E645

Strings

1#QNAN, xrefs: 0078F84B
1#SNAN, xrefs: 0078F844
1#INF, xrefs: 0078F852
1#IND, xrefs: 0078F83D

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 4ebd1a1bf43fa42f95a5da3f8715ba29458c83af05658b211cde915e495b97c8
Instruction ID: d2800e5ca9e52a624943c9904d83d563ce8793407eaad1adbb44f0008bb1348c
Opcode Fuzzy Hash: 4ebd1a1bf43fa42f95a5da3f8715ba29458c83af05658b211cde915e495b97c8
Instruction Fuzzy Hash: 7DC24A72E486288FDF25EE28DD447EAB7B5EB48314F1441EAD44DE7241E778AE818F40

Function 007C648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007C64DC
CoInitialize.OLE32(00000000), ref: 007C6639
CoCreateInstance.OLE32(007EFCF8,00000000,00000001,007EFB68,?), ref: 007C6650
CoUninitialize.OLE32 ref: 007C68D4

Strings

.lnk, xrefs: 007C64BA, 007C6524, 007C65E0

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 238dac6a25d27832f60cadbd98e2d6c562040131d5385a296f779699e91ffbd8
Instruction ID: 6b628b0f27d63cc250a649f6f24808c82c635e6c97154c6d53c28f31e5a3cc98
Opcode Fuzzy Hash: 238dac6a25d27832f60cadbd98e2d6c562040131d5385a296f779699e91ffbd8
Instruction Fuzzy Hash: 41D14871508201AFD304DF24D885EABB7E8FF98705F10496DF9958B291EB74ED09CBA2

Function 007D22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 007D22E8

Part of subcall function 007CE4EC: GetWindowRect.USER32(?,?), ref: 007CE504

GetDesktopWindow.USER32 ref: 007D2312
GetWindowRect.USER32(00000000), ref: 007D2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 007D2355
GetCursorPos.USER32(?), ref: 007D2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 007D23DF

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 6f27dea4a767ef74e7b57f4a729cef5f59b65b4b1fb532a2c697a5f7fefd5751
Instruction ID: e688a18f0af5f4fcf22dd12057249db23e1d0a3c9b17684c5400c1012c33588a
Opcode Fuzzy Hash: 6f27dea4a767ef74e7b57f4a729cef5f59b65b4b1fb532a2c697a5f7fefd5751
Instruction Fuzzy Hash: 2A31E572505355AFC721DF14C849F9BB7A9FF88310F00091EF9959B281DB38E90ACB96

Function 007C9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00759CB3: _wcslen.LIBCMT ref: 00759CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 007C9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 007C9C8B

Part of subcall function 007C3874: GetInputState.USER32 ref: 007C38CB
Part of subcall function 007C3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007C3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 007C9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 007C9C75

Strings

*.*, xrefs: 007C9B5D

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 22733bba476398b7c7184d248f3474f708dee6ef39246d2d0ebbf0d5f2190f3e
Instruction ID: 66ceccba400c7cc3292e2335977c5f7a5fb54677eb465b2f46ac550ce38d748e
Opcode Fuzzy Hash: 22733bba476398b7c7184d248f3474f708dee6ef39246d2d0ebbf0d5f2190f3e
Instruction Fuzzy Hash: 59418E7190020AEBCF55DF64C889FEEBBB8FF09311F20405DE905A2191EB789E84CB64

Function 0076997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00769BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00769BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00769A4E
GetSysColor.USER32(0000000F), ref: 00769B23
SetBkColor.GDI32(?,00000000), ref: 00769B36

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 9a1172fbc140a6e1393e300a62f751332bc8a2285e1de851c691db5ac5e5065c
Instruction ID: 1f0bdeafaba74d48d58050c20fb0135fa073b7687dd2eb440a5836c2e8f3e07b
Opcode Fuzzy Hash: 9a1172fbc140a6e1393e300a62f751332bc8a2285e1de851c691db5ac5e5065c
Instruction Fuzzy Hash: 36A13BB1109544FEE7299A7D8C9DE7B2ADDEBC7300B24821AFB03C6691CA3D9D01C671

Function 007D1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007D304E: inet_addr.WSOCK32(?), ref: 007D307A
Part of subcall function 007D304E: _wcslen.LIBCMT ref: 007D309B

socket.WSOCK32(00000002,00000002,00000011), ref: 007D185D
WSAGetLastError.WSOCK32 ref: 007D1884
bind.WSOCK32(00000000,?,00000010), ref: 007D18DB
WSAGetLastError.WSOCK32 ref: 007D18E6
closesocket.WSOCK32(00000000), ref: 007D1915

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: a6e9e9bbddb4efe39ca0347bb8fb7ef38f81aadde0eaa0388ded308da17b7027
Instruction ID: 19138d9d9935622c00cddb5bd8d380cf8eaff912e88db95434ce2f62f6957c7a
Opcode Fuzzy Hash: a6e9e9bbddb4efe39ca0347bb8fb7ef38f81aadde0eaa0388ded308da17b7027
Instruction Fuzzy Hash: 70519175A00200AFDB10EF24C88AF6A77A5AB49718F488059FD465F3D3DA79AD41CBE1

Function 007E1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 007E1CC0
IsWindowEnabled.USER32 ref: 007E1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 007E1CDB
IsIconic.USER32 ref: 007E1CE9
IsZoomed.USER32 ref: 007E1CF7

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 15cb8002619b52b72d476eea005c55e027338fb16ff636241e39475726deee62
Instruction ID: 2d3f11c66d65c556eaac02d3d4877d813a91d1806c771cce2cbc61a63928f5dd
Opcode Fuzzy Hash: 15cb8002619b52b72d476eea005c55e027338fb16ff636241e39475726deee62
Instruction Fuzzy Hash: D621D8317422809FD7218F1BC885B567BD5EF8D315B698058E845CB361CB79DC42CBA4

Function 00758060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00795DF0
VUUU, xrefs: 0075843C
VUUU, xrefs: 007583FA
ERCP, xrefs: 0075813C
VUUU, xrefs: 007583E8

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 36c3c00cbf929a59fe2227b762acf91bce2836cd564782d055c2cfac669e311c
Instruction ID: 42e31d99ca550a9b44fb79939324d58c555ea93839aad29f6546c00eb73d4c8d
Opcode Fuzzy Hash: 36c3c00cbf929a59fe2227b762acf91bce2836cd564782d055c2cfac669e311c
Instruction Fuzzy Hash: 80A29F70E0062ACBDF64CF58D8807EDB7B1BF54311F2482AADC15A7285EB789D85CB91

Function 007BAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 007BAAAC
SetKeyboardState.USER32(00000080), ref: 007BAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 007BAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 007BAB88

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: af2af611ca22378d7ec84b23c1c687564903b39de52c3d7b5ead3472385d3393
Instruction ID: 72bbc406a54140f38dac89f324205a3757937bceb2e38ab15f4cd1a679dc93e1
Opcode Fuzzy Hash: af2af611ca22378d7ec84b23c1c687564903b39de52c3d7b5ead3472385d3393
Instruction Fuzzy Hash: DC3116B0A40248BEFF35AB648C09BFB7BA6AB44310F04821AF5A1961D0D37D8D85C766

Function 007CCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 007CCE89
GetLastError.KERNEL32(?,00000000), ref: 007CCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 007CCEFE

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: e49a4a8e987ee155ff08c0e0f5841da5357b9f1fe015bd3eece9d37db195fa21
Instruction ID: 3ac6e4ecd349c3e65de721a6d6d33b61764089a43b135c3fda5e7b239ff9c3f6
Opcode Fuzzy Hash: e49a4a8e987ee155ff08c0e0f5841da5357b9f1fe015bd3eece9d37db195fa21
Instruction Fuzzy Hash: FE21BDB2900305DBEB22DF65C988FAA77FCEF01354F10841EE64AD6151E778EE458B54

Function 007B8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 007B82AA

Strings

(, xrefs: 007B82F0
|, xrefs: 007B82DA

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 40f368e4c1a1622a6544ea7b1470f6a60b1131df16968d8ec63192aeab58b85e
Instruction ID: 1f6ebf275d298bd5af5b1d5b887e098f43e45f073bb265017adfd035015c2e0e
Opcode Fuzzy Hash: 40f368e4c1a1622a6544ea7b1470f6a60b1131df16968d8ec63192aeab58b85e
Instruction Fuzzy Hash: D7323574A00605DFCB68CF59C080AAAB7F4FF48710B15C56EE49ADB3A1EB74E981CB40

Function 007C5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 007C5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 007C5D17
FindClose.KERNEL32(?), ref: 007C5D5F

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: af9384f4608e2651955bf77d7111128480ba640ee5d49f4dcbacaeb641a28b36
Instruction ID: 38a54b040e745a5b94072985c3b533e3a901da6b72649f1b182eee82c60a76ed
Opcode Fuzzy Hash: af9384f4608e2651955bf77d7111128480ba640ee5d49f4dcbacaeb641a28b36
Instruction Fuzzy Hash: 25517574604B019FC714CF28C498E9AB7E4FF09324F14855EE99A8B3A2DB39F845CB91

Function 00782622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0078271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00782724
UnhandledExceptionFilter.KERNEL32(?), ref: 00782731

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: ac6c458235b7e05114c03d2733650c6c82c1e115c975a085fd4b81a9f85b6b51
Instruction ID: 814bf58f7dee20a51ac11bf82ce37d9358a7314c2985b7c2d053f55072f5e7ea
Opcode Fuzzy Hash: ac6c458235b7e05114c03d2733650c6c82c1e115c975a085fd4b81a9f85b6b51
Instruction Fuzzy Hash: B831B274951218EBCB21DF68DC89799BBB8AF08350F5081EAE91CA6261E7349F818F45

Function 007C51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007C51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 007C5238
SetErrorMode.KERNEL32(00000000), ref: 007C52A1

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 92f0b57d62da954dcd524024187b118f1fc5e4987eb7f95f1b02dd52ccd305ac
Instruction ID: f50170cbd75656e61cbe7b9ac48c4a9bc2d6f29b6c1cd1e9cbaccd09b4191cff
Opcode Fuzzy Hash: 92f0b57d62da954dcd524024187b118f1fc5e4987eb7f95f1b02dd52ccd305ac
Instruction Fuzzy Hash: B6313C75A00618DFDB00DF54D888FADBBB4FF48314F088099E8059B392DB76E856CB90

Function 007B16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0076FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00770668
Part of subcall function 0076FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00770685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007B170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007B173A
GetLastError.KERNEL32 ref: 007B174A

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 21d89a0af237b5ec5f23fff8a4ac30b6e8360fd2ef1b78e531968f1adbabca41
Instruction ID: 536c03ca8756d6b76d76c15711a14a4989be6538fe1db70d29676a665c3c82f3
Opcode Fuzzy Hash: 21d89a0af237b5ec5f23fff8a4ac30b6e8360fd2ef1b78e531968f1adbabca41
Instruction Fuzzy Hash: 4111C1B2500304AFD7189F54ECC6EAAB7BDEB04714B60852EE45657241EB74BC428B64

Function 007BD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 007BD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 007BD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 007BD650

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: b7ef0da7f78ec483fa38b03a913f247d89f00363b6874d81f04232335da50e65
Instruction ID: f7433cda16a6b12fd9ab007d8907a20c43ab6f32a8628edf3621ea00f5ffcb0b
Opcode Fuzzy Hash: b7ef0da7f78ec483fa38b03a913f247d89f00363b6874d81f04232335da50e65
Instruction Fuzzy Hash: F8113C75E05228BBDB218F959C85FEFBFBCEB49B50F108115F904E7290D6744A058BA1

Function 007B1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 007B168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 007B16A1
FreeSid.ADVAPI32(?), ref: 007B16B1

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 86312694a9f082dcc4812fd628e9fe05d19c921794ac0ca879ab82a73b118546
Instruction ID: 1d633dd813625dc452abe845bd78fe4eabcb14922e4347d623b85bea1dc28cd0
Opcode Fuzzy Hash: 86312694a9f082dcc4812fd628e9fe05d19c921794ac0ca879ab82a73b118546
Instruction Fuzzy Hash: 49F0F475951309FBDB00DFE49C89AAEBBBCEB08604F508565E601E6181E778AA448A54

Function 0078C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0078C36C

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: e379c82b30c6fa86c4f948efe7618b8e8afebba097aeb41db18a8736468432d9
Instruction ID: 034023cdaae9df9ab7c554312ed4d58e530e24a82c883e789aff15913ad2709a
Opcode Fuzzy Hash: e379c82b30c6fa86c4f948efe7618b8e8afebba097aeb41db18a8736468432d9
Instruction Fuzzy Hash: 06412976540219AFCB20AFB9DC4DDBB7778EB84354F5082A9F905D7180E6749D818B60

Function 007AD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 007AD28C

Strings

X64, xrefs: 007AD2A8

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: fd4b38e0423c987b09a8fb9cb1a5f0001e3f30a379c138908fce2ea4f7987c69
Instruction ID: f1114047ee794962ab649ddc3b669d8dd932e048f6e8f9d4d44e6fb5f6dc7028
Opcode Fuzzy Hash: fd4b38e0423c987b09a8fb9cb1a5f0001e3f30a379c138908fce2ea4f7987c69
Instruction Fuzzy Hash: 9CD0C9B481111DEACBA0DB90DCC8DD9B37CBB04315F104251F506A2040D77899498F10

Function 0077CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 9649436caf13886bd04113ed7c95b6318d24f1865db9f4f19527a81f971c103a
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 2C022E72E002199FDF25CFA9D8806ADFBF1EF48354F25816DE919E7380D734AA418B94

Function 007C68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 007C6918
FindClose.KERNEL32(00000000), ref: 007C6961

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 775da027c6a24274289b4bbd4e6e8d9f0112c21d0ab3b39ca252f3f72a1ffacc
Instruction ID: f20a6adc8305d19a1f49ee01efec2e18033b63d7808c19698794437e910e83c6
Opcode Fuzzy Hash: 775da027c6a24274289b4bbd4e6e8d9f0112c21d0ab3b39ca252f3f72a1ffacc
Instruction Fuzzy Hash: 2C11AF756042009FD710CF29D8C9A16BBE4FF88329F04C69DE8698F2A2CB74EC05CB90

Function 007C37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,007D4891,?,?,00000035,?), ref: 007C37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,007D4891,?,?,00000035,?), ref: 007C37F4

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 28f362bb9fe0273d042237284be25fa4f70d7d6640ea091ce98d3b4e2f2f3451
Instruction ID: d0f6587773e24d7a164162e160e0da4385390f4b156d4754104ee50505443e6e
Opcode Fuzzy Hash: 28f362bb9fe0273d042237284be25fa4f70d7d6640ea091ce98d3b4e2f2f3451
Instruction Fuzzy Hash: 27F0E5B56053296AEB2017769C8DFEB3BAEEFC9761F004269F609D2281D9749D04C6B0

Function 007BB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 007BB25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 007BB270

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 337a1bc9901ad392c67ff592d4e7772ea4850a0588578fc3a4e91fae8154e15b
Instruction ID: 7cd68185ce977e3ee0de22714b8d66e224f6d46c24d58b67a5a48c0c4bad1159
Opcode Fuzzy Hash: 337a1bc9901ad392c67ff592d4e7772ea4850a0588578fc3a4e91fae8154e15b
Instruction Fuzzy Hash: 6EF01D7580428DABDB059FA1C805BEE7BB4FF08305F108009F965A9191C37DC6119F94

Function 007B10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007B11FC), ref: 007B10D4
CloseHandle.KERNEL32(?,?,007B11FC), ref: 007B10E9

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 9d9f5157a32002430ed9300adf7a2384e62ebaff32313af1b756e571031eb21b
Instruction ID: fb1444710b90b1014c8933b8ecf8a7e22c0cf1a53538ab56c9e7647401ab7fc9
Opcode Fuzzy Hash: 9d9f5157a32002430ed9300adf7a2384e62ebaff32313af1b756e571031eb21b
Instruction Fuzzy Hash: C3E04F32004600EEE7262B11FC09E737BA9EB04310B10C82EF8A6844B1DB666C90DB54

Function 0075CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 007A0C40

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 122aa91f684d214e2302347f603dcda023752293b7f7b0ffe1be7eb2f47a8fec
Instruction ID: bb4db98bdfd38448845254f031dbceb8bfeae2441d766b88bb5f32e09660f7e2
Opcode Fuzzy Hash: 122aa91f684d214e2302347f603dcda023752293b7f7b0ffe1be7eb2f47a8fec
Instruction Fuzzy Hash: 25328970A00308DFCF15DF90C885BEDB7B5BF45305F148569E806AB291DBB9AE49CBA0

Function 0078676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00786766,?,?,00000008,?,?,0078FEFE,00000000), ref: 00786998

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: d78ddc10b49d122db81cb41fe310cc0991c5899d6a815972c6b0fa375b7b8892
Instruction ID: 5b3d1e3153392980fc5e9382ba279f9f73eeebc13cd94b49b9573ac66a01767f
Opcode Fuzzy Hash: d78ddc10b49d122db81cb41fe310cc0991c5899d6a815972c6b0fa375b7b8892
Instruction Fuzzy Hash: 14B15A31650608EFD719DF28C48AB657BE0FF05364F25C658E89ACF2A2C339E981CB41

Function 0076B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 007A851F

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 26b481d3af2f921f4f4441f858d97b02fe5fc46b244e31a2bb336b52481cc410
Instruction ID: d57f34b083b9b792bfe0a28cbf356c2d73dc86426e807dc244fadc8821f83e52
Opcode Fuzzy Hash: 26b481d3af2f921f4f4441f858d97b02fe5fc46b244e31a2bb336b52481cc410
Instruction Fuzzy Hash: 94124071A00229DBDB54CF58C8806EEB7F5FF49710F14819AE849EB255EB389E81CF91

Function 007CEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 007CEABD

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 7b7247f67709e7854346c4d309cb3f8f0fded628cf46cdbaff0546c71f4eff24
Instruction ID: a2b5e233a956afb3c38fb3d4ecefa7283da35795f737e8fc0de5dcc349700fb0
Opcode Fuzzy Hash: 7b7247f67709e7854346c4d309cb3f8f0fded628cf46cdbaff0546c71f4eff24
Instruction Fuzzy Hash: 09E048352002049FC710DF59D844E9AF7D9AF58760F00C41AFC45C7351DBB4E8458B90

Function 007709D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,007703EE), ref: 007709DA

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 7b91f25002945d12e760940fc19ef12461bc6ebb4262fab04f3048a6164aa68e
Instruction ID: 6178dba37a8ddef36f22e63a7d93bb1ad027e93452ff569c7f494430b3de7e7a
Opcode Fuzzy Hash: 7b91f25002945d12e760940fc19ef12461bc6ebb4262fab04f3048a6164aa68e
Instruction Fuzzy Hash:

Function 0077781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0077798B

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: bb66f4d4a4a6352f00c9736916e28e1d432cdade5c430723b56305fc5cdcdbf7
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 8851677160C7059BDF3C8568C89E7BE23999B023C4F18C919D98ECB282C61DEE41D793

Function 00786DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3517f27ceb39cbea33edc3e452ffa0b3c269e8c700f104b3df960971f4450f1e
Instruction ID: 56fd7d37ab90c1a4a513d6cd9369f3d0d9d105b8134459bb52bb0e6271760445
Opcode Fuzzy Hash: 3517f27ceb39cbea33edc3e452ffa0b3c269e8c700f104b3df960971f4450f1e
Instruction Fuzzy Hash: E0322521D69F414DD727A634CC22335A749AFB73C5F25D737E81AB59AAEB2DC4838200

Function 0076CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 958ca05fd349a7f67ccf2578f6fb65eb1f7c945edb23cba5b69917c6d0685323
Instruction ID: c7e02c3f64b9f0a90a0b3e2424796648492b2d11bc7bf6766a8187b122c2681c
Opcode Fuzzy Hash: 958ca05fd349a7f67ccf2578f6fb65eb1f7c945edb23cba5b69917c6d0685323
Instruction Fuzzy Hash: DB323B31A04115ABDF2BCF28C49467D77A1EFC6310F288266D89BDB291E63CDD81DB61

Function 00757920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46b3fc6a3e789a5a6830dd95919491557e1b80d67f3f22e6162173cb480ece26
Instruction ID: ad82b2f4d8965dc49aa6c754e589285a929a8d65ba3ef15540d95c87547637f3
Opcode Fuzzy Hash: 46b3fc6a3e789a5a6830dd95919491557e1b80d67f3f22e6162173cb480ece26
Instruction Fuzzy Hash: 2F22C2B0A00619DFDF14CF64E885AEEB7F6FF44301F108529E816A7291EB7AAD15CB50

Function 007591C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09980c42201061f1f9367a6799b5af54d5c5041a75388b7b11f893949de66f1a
Instruction ID: 83a27f8c82c73459fc2e45e99ebead21811fdce521d6bd3ff17199df207ea903
Opcode Fuzzy Hash: 09980c42201061f1f9367a6799b5af54d5c5041a75388b7b11f893949de66f1a
Instruction Fuzzy Hash: 6202C8B0E00109EBDF04DF64E885AADBBB5FF44300F108169E9169B391EB79EE54CB95

Function 00789EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eca3b80c18a2473da51a8df04d9c86025a2a1b4dce05194c90627cc968d0a1ca
Instruction ID: 3c0944d8bddf8f061513ba2f5ebba7f816a8875a366035a0e38336a9f08ff19c
Opcode Fuzzy Hash: eca3b80c18a2473da51a8df04d9c86025a2a1b4dce05194c90627cc968d0a1ca
Instruction Fuzzy Hash: A3B1F220D2AF414DD72396398835336B75CAFBB6D5F91D71BFC2674D22EB2686838240

Function 00771C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 2f12e2016375a8a70415ac28ad35b7a7a10df2f1342663c3e99ba8ceba0f7f51
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: A09189722080E34ADF29463E853503DFFE15A523E235A879DD4FACA1C5FE18D954DB20

Function 00771F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 08026f4e716f3d8b5f7d4a242628a8c7b6a2d29fb0ce50f445431c51ac11b2ad
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 649186722090E30ADF69423D847403EFFE15A923E135A879ED4FACB1C6EE28D955D720

Function 007719B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 9649a698a240dcdb9fcaa1c3543c4cd0172861783085c081d5fc8a5bc35ed140
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 249183722090E34ADF29427E857403DFFE15A923E135A879ED4FACA1D1FE18D654D720

Function 00777A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e5656018d45010252287dd8c9138db55d93e0d63cf4947555b3d4e9d57d400f
Instruction ID: 9ec5a010d0a258492959b2510ebc43c1966aeb1a6d9039d5e88037d365b025ef
Opcode Fuzzy Hash: 9e5656018d45010252287dd8c9138db55d93e0d63cf4947555b3d4e9d57d400f
Instruction Fuzzy Hash: 11618BB134870996EE3C5A2C8C99BBE2399DF413C0F11C91DE94ECB2A1D51D9E42C766

Function 00777CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d222113c02f0064d5331475d01f617116cce2dcd873bac8f9c5763aef611f532
Instruction ID: e1a59084f4efadd3437b215b902515307e9b48b36b87fe0e016b7f66880826dd
Opcode Fuzzy Hash: d222113c02f0064d5331475d01f617116cce2dcd873bac8f9c5763aef611f532
Instruction Fuzzy Hash: 75618C31348709A6DE3C4A688859BBF2394DF427C4F10C959E94EDF281E65DED41C356

Function 00771706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 5763c36984a6e2c5f283de09b567a156900331e6cff80eb0a80f57e1e397817a
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: CB8162326080E309DF6D463E853403EFFE15A923F135A879DD4FACA1C1EE289559EB60

Function 007C2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a27ed3e6a3b6131d8e5676e17568dd06201a2be6d72ede4e644c5c5d917cfd6c
Instruction ID: bd22b4be2117642537f1120ebe96d3db3840554570c637c6c8e6d92e8e018efd
Opcode Fuzzy Hash: a27ed3e6a3b6131d8e5676e17568dd06201a2be6d72ede4e644c5c5d917cfd6c
Instruction Fuzzy Hash: D421A5326206118BDB28CE79C82267A73E5B764310F15862EE4A7C77D1DE39A945CB80

Function 007D2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 007D2B30
DeleteObject.GDI32(00000000), ref: 007D2B43
DestroyWindow.USER32 ref: 007D2B52
GetDesktopWindow.USER32 ref: 007D2B6D
GetWindowRect.USER32(00000000), ref: 007D2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 007D2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 007D2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007D2CF8
GetClientRect.USER32(00000000,?), ref: 007D2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 007D2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007D2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007D2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007D2D80
GlobalLock.KERNEL32(00000000), ref: 007D2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007D2D98
GlobalUnlock.KERNEL32(00000000), ref: 007D2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007D2DA8
GlobalFree.KERNEL32(00000000), ref: 007D2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007D2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,007EFC38,00000000), ref: 007D2DDB
GlobalFree.KERNEL32(00000000), ref: 007D2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 007D2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 007D2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007D2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007D303F

Strings

, xrefs: 007D2FC5
DISPLAY, xrefs: 007D2EA2
static, xrefs: 007D2D3A, 007D2E91
AutoIt v3, xrefs: 007D2CF2

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 8a7b51b7232b56e5b708eb1f0fd1f036339a9fde8b2e27f516809c1d46a4aa8f
Instruction ID: ad977e73ebeb31efa61bc8ed3585e5e12a6b8d03895cdb69a3da9e52331e7c75
Opcode Fuzzy Hash: 8a7b51b7232b56e5b708eb1f0fd1f036339a9fde8b2e27f516809c1d46a4aa8f
Instruction Fuzzy Hash: 3F029CB5500248EFDB15DF64CC8DEAE7BB9FB48311F108159F915AB2A1DB78AD02CB60

Function 007E70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 007E712F
GetSysColorBrush.USER32(0000000F), ref: 007E7160
GetSysColor.USER32(0000000F), ref: 007E716C
SetBkColor.GDI32(?,000000FF), ref: 007E7186
SelectObject.GDI32(?,?), ref: 007E7195
InflateRect.USER32(?,000000FF,000000FF), ref: 007E71C0
GetSysColor.USER32(00000010), ref: 007E71C8
CreateSolidBrush.GDI32(00000000), ref: 007E71CF
FrameRect.USER32(?,?,00000000), ref: 007E71DE
DeleteObject.GDI32(00000000), ref: 007E71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 007E7230
FillRect.USER32(?,?,?), ref: 007E7262
GetWindowLongW.USER32(?,000000F0), ref: 007E7284

Part of subcall function 007E73E8: GetSysColor.USER32(00000012), ref: 007E7421
Part of subcall function 007E73E8: SetTextColor.GDI32(?,?), ref: 007E7425
Part of subcall function 007E73E8: GetSysColorBrush.USER32(0000000F), ref: 007E743B
Part of subcall function 007E73E8: GetSysColor.USER32(0000000F), ref: 007E7446
Part of subcall function 007E73E8: GetSysColor.USER32(00000011), ref: 007E7463
Part of subcall function 007E73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 007E7471
Part of subcall function 007E73E8: SelectObject.GDI32(?,00000000), ref: 007E7482
Part of subcall function 007E73E8: SetBkColor.GDI32(?,00000000), ref: 007E748B
Part of subcall function 007E73E8: SelectObject.GDI32(?,?), ref: 007E7498
Part of subcall function 007E73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 007E74B7
Part of subcall function 007E73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007E74CE
Part of subcall function 007E73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 007E74DB

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: b592b755bd6479b1cdcf809b514bf09f3f36697ce87e7552f3d315f0b3afb2d4
Instruction ID: 765a7f8b5f2edc02a1447666d79bd5af71b54abe23bd919c02bcf9c306ed3b5c
Opcode Fuzzy Hash: b592b755bd6479b1cdcf809b514bf09f3f36697ce87e7552f3d315f0b3afb2d4
Instruction Fuzzy Hash: 0AA1B17600A385EFD7059F64DC88E5B7BB9FB8C320F104A19FA629A1E0D738E845CB51

Function 00768D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00768E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 007A6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 007A6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 007A6F43

Part of subcall function 00768F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00768BE8,?,00000000,?,?,?,?,00768BBA,00000000,?), ref: 00768FC5

SendMessageW.USER32(?,00001053), ref: 007A6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 007A6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 007A6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 007A6FB7

Strings

0, xrefs: 007A6DCF

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 956999ec2d7392216124ed51fab359c31ba5aabbab10be83f8be15506ce526b8
Instruction ID: a53d2e2fc4e0629d2ba12bb794a2ceff19cf7c8ba1adbb94c2ee4cdaabf336f2
Opcode Fuzzy Hash: 956999ec2d7392216124ed51fab359c31ba5aabbab10be83f8be15506ce526b8
Instruction Fuzzy Hash: 4812D674205241DFDB25CF24C888BA5BBE1FB9A310F688669F585CB161C73AEC92CF51

Function 007D2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 007D273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 007D286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 007D28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 007D28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 007D2900
GetClientRect.USER32(00000000,?), ref: 007D290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 007D2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 007D2964
GetStockObject.GDI32(00000011), ref: 007D2974
SelectObject.GDI32(00000000,00000000), ref: 007D2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 007D2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007D2991
DeleteDC.GDI32(00000000), ref: 007D299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 007D29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 007D29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 007D2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 007D2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 007D2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 007D2A77
GetStockObject.GDI32(00000011), ref: 007D2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 007D2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 007D2A97

Strings

DISPLAY, xrefs: 007D295A
msctls_progress32, xrefs: 007D2A13
static, xrefs: 007D294F, 007D2A71
AutoIt v3, xrefs: 007D28F8

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: ea98540deab64b1f2532f59b7c0c89147ad4bce08aae90ab0c9b0f6d30b2dde5
Instruction ID: 197fa81f5f2f1845b441ead8a36bf5924235c7004a6b4f5a0cbc615817795fe6
Opcode Fuzzy Hash: ea98540deab64b1f2532f59b7c0c89147ad4bce08aae90ab0c9b0f6d30b2dde5
Instruction Fuzzy Hash: B9B16FB5A00205AFEB14DF68CC89FAE7BB9FB08711F108115F914EB291D778AD42CB94

Function 007C4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007C4AED
GetDriveTypeW.KERNEL32(?,007ECB68,?,\\.\,007ECC08), ref: 007C4BCA
SetErrorMode.KERNEL32(00000000,007ECB68,?,\\.\,007ECC08), ref: 007C4D36

Strings

Network, xrefs: 007C4C02
SATA, xrefs: 007C4CD0
ATA, xrefs: 007C4C98
Removable, xrefs: 007C4C10, 007C4C15
RAMDisk, xrefs: 007C4BF4
Virtual, xrefs: 007C4CE5
RAID, xrefs: 007C4CBB
Fixed, xrefs: 007C4C09
iSCSI, xrefs: 007C4CC2
\\.\, xrefs: 007C4B3F
1394, xrefs: 007C4C9F
FileBackedVirtual, xrefs: 007C4CEC
Fibre, xrefs: 007C4CAD
SCSI, xrefs: 007C4C8A
PhysicalDrive, xrefs: 007C4B76
CDROM, xrefs: 007C4BFB
MMC, xrefs: 007C4CDE
USB, xrefs: 007C4CB4
SSD, xrefs: 007C4C4A
SAS, xrefs: 007C4CC9
ATAPI, xrefs: 007C4C91
SSA, xrefs: 007C4CA6
Unknown, xrefs: 007C4BED, 007C4C83

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 3e83791fdb59bfc70c0ae86f5e3d764e9aba9e73d503a625613948f888602618
Instruction ID: 8c65c4e27ef311c887797c1aaeb554880b02ccd90ee8c75e45a480b86029508f
Opcode Fuzzy Hash: 3e83791fdb59bfc70c0ae86f5e3d764e9aba9e73d503a625613948f888602618
Instruction Fuzzy Hash: EF61C070601105DBDB24DF24CAA6EA9B7B4FF04340B24801DF846EB261EB7EED95DB61

Function 007E73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 007E7421
SetTextColor.GDI32(?,?), ref: 007E7425
GetSysColorBrush.USER32(0000000F), ref: 007E743B
GetSysColor.USER32(0000000F), ref: 007E7446
CreateSolidBrush.GDI32(?), ref: 007E744B
GetSysColor.USER32(00000011), ref: 007E7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 007E7471
SelectObject.GDI32(?,00000000), ref: 007E7482
SetBkColor.GDI32(?,00000000), ref: 007E748B
SelectObject.GDI32(?,?), ref: 007E7498
InflateRect.USER32(?,000000FF,000000FF), ref: 007E74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007E74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 007E74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007E752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 007E7554
InflateRect.USER32(?,000000FD,000000FD), ref: 007E7572
DrawFocusRect.USER32(?,?), ref: 007E757D
GetSysColor.USER32(00000011), ref: 007E758E
SetTextColor.GDI32(?,00000000), ref: 007E7596
DrawTextW.USER32(?,007E70F5,000000FF,?,00000000), ref: 007E75A8
SelectObject.GDI32(?,?), ref: 007E75BF
DeleteObject.GDI32(?), ref: 007E75CA
SelectObject.GDI32(?,?), ref: 007E75D0
DeleteObject.GDI32(?), ref: 007E75D5
SetTextColor.GDI32(?,?), ref: 007E75DB
SetBkColor.GDI32(?,?), ref: 007E75E5

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: c1b92b502c6725d9f02c195e2b4acdfea4a69b10d2e51a5884802273629db98a
Instruction ID: a2418699ab7e143f1e73f012b07a513626014046e123c1a78d4b0b27b7707eb0
Opcode Fuzzy Hash: c1b92b502c6725d9f02c195e2b4acdfea4a69b10d2e51a5884802273629db98a
Instruction Fuzzy Hash: 8061AE76901258AFDF059FA4DC88EEE7FB8EB0C320F108115F911AB2A1D7789941CF90

Function 007E0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 007E1128
GetDesktopWindow.USER32 ref: 007E113D
GetWindowRect.USER32(00000000), ref: 007E1144
GetWindowLongW.USER32(?,000000F0), ref: 007E1199
DestroyWindow.USER32(?), ref: 007E11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 007E11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007E120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 007E121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 007E1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 007E1245
IsWindowVisible.USER32(00000000), ref: 007E12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 007E12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 007E12D0
GetWindowRect.USER32(00000000,?), ref: 007E12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 007E130E
GetMonitorInfoW.USER32(00000000,?), ref: 007E1328
CopyRect.USER32(?,?), ref: 007E133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 007E13AA

Strings

(, xrefs: 007E131B
tooltips_class32, xrefs: 007E11E6
0, xrefs: 007E10D3

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: a938d01cefcebad9db28b634e0747373981708c9cb2fb40e1eba17ae1d8315cf
Instruction ID: f02295cf167e812794e7f9cfc291cd68fe67611a170006bba1fce0313314c031
Opcode Fuzzy Hash: a938d01cefcebad9db28b634e0747373981708c9cb2fb40e1eba17ae1d8315cf
Instruction Fuzzy Hash: 31B19B71605380EFD704DF65C889BABBBE4FF88310F408918F9999B2A1D775E845CB92

Function 007E0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007E02E5
_wcslen.LIBCMT ref: 007E031F
_wcslen.LIBCMT ref: 007E0389
_wcslen.LIBCMT ref: 007E03F1
_wcslen.LIBCMT ref: 007E0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 007E04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 007E0504

Part of subcall function 0076F9F2: _wcslen.LIBCMT ref: 0076F9FD

Part of subcall function 007B223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 007B2258
Part of subcall function 007B223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 007B228A

Strings

GETSUBITEMCOUNT, xrefs: 007E0384, 007E039F
FINDITEM, xrefs: 007E0627
SELECTCLEAR, xrefs: 007E052D
GETSELECTED, xrefs: 007E05E1
VIEWCHANGE, xrefs: 007E0675
GETITEMCOUNT, xrefs: 007E0316, 007E0337
DESELECT, xrefs: 007E059C
ISSELECTED, xrefs: 007E04DD
SELECTALL, xrefs: 007E0515
SELECTINVERT, xrefs: 007E057E
GETSELECTEDCOUNT, xrefs: 007E0470, 007E048B
GETTEXT, xrefs: 007E03EC, 007E0407
SELECT, xrefs: 007E0548

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 3c30db861a43700e3c2386d18af7f5e340e5c8420f73eb6e3007a8b650bfe64e
Instruction ID: ecdcc89424dfc7b9e3661d9cb7d54d31412de5c4d684cd06d588a1d426d3913b
Opcode Fuzzy Hash: 3c30db861a43700e3c2386d18af7f5e340e5c8420f73eb6e3007a8b650bfe64e
Instruction Fuzzy Hash: D4E1AE31209381CFC714DF25C59496AB3E6FF8D314B14495CF8969B2A2DBB8ED89CB81

Function 00768891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00768968
GetSystemMetrics.USER32(00000007), ref: 00768970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0076899B
GetSystemMetrics.USER32(00000008), ref: 007689A3
GetSystemMetrics.USER32(00000004), ref: 007689C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 007689E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 007689F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00768A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00768A3C
GetClientRect.USER32(00000000,000000FF), ref: 00768A5A
GetStockObject.GDI32(00000011), ref: 00768A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00768A81

Part of subcall function 0076912D: GetCursorPos.USER32(?), ref: 00769141
Part of subcall function 0076912D: ScreenToClient.USER32(00000000,?), ref: 0076915E
Part of subcall function 0076912D: GetAsyncKeyState.USER32(00000001), ref: 00769183
Part of subcall function 0076912D: GetAsyncKeyState.USER32(00000002), ref: 0076919D

SetTimer.USER32(00000000,00000000,00000028,007690FC), ref: 00768AA8

Strings

AutoIt v3 GUI, xrefs: 00768A20

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: d335831a8c9dcea7155a8a8e439c519ba9e1ab8bce358f8368247526ce6295c0
Instruction ID: 8b22b949120b929b881501906f68af50b716c7bc9268372a0c07cb2d5ce50b24
Opcode Fuzzy Hash: d335831a8c9dcea7155a8a8e439c519ba9e1ab8bce358f8368247526ce6295c0
Instruction Fuzzy Hash: D9B17175600209DFDF14DFA8DC89BAE7BB5FB48314F148219FA16AB290DB38A841CF55

Function 007B0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007B10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 007B1114
Part of subcall function 007B10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,007B0B9B,?,?,?), ref: 007B1120
Part of subcall function 007B10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,007B0B9B,?,?,?), ref: 007B112F
Part of subcall function 007B10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,007B0B9B,?,?,?), ref: 007B1136
Part of subcall function 007B10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 007B114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 007B0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 007B0E29
GetLengthSid.ADVAPI32(?), ref: 007B0E40
GetAce.ADVAPI32(?,00000000,?), ref: 007B0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 007B0E96
GetLengthSid.ADVAPI32(?), ref: 007B0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 007B0EB5
HeapAlloc.KERNEL32(00000000), ref: 007B0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 007B0EDD
CopySid.ADVAPI32(00000000), ref: 007B0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 007B0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 007B0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 007B0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 007B0F6E
HeapFree.KERNEL32(00000000), ref: 007B0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 007B0F7E
HeapFree.KERNEL32(00000000), ref: 007B0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 007B0F8E
HeapFree.KERNEL32(00000000), ref: 007B0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 007B0FA1
HeapFree.KERNEL32(00000000), ref: 007B0FA8

Part of subcall function 007B1193: GetProcessHeap.KERNEL32(00000008,007B0BB1,?,00000000,?,007B0BB1,?), ref: 007B11A1
Part of subcall function 007B1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,007B0BB1,?), ref: 007B11A8
Part of subcall function 007B1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,007B0BB1,?), ref: 007B11B7

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: be1d7459981f32c69909b2d067d02d1e9114d1196df1975f7048f061d3ee516a
Instruction ID: d04b1605083458382e7032f4313ee3c8abef90fcca242944491f473649086c66
Opcode Fuzzy Hash: be1d7459981f32c69909b2d067d02d1e9114d1196df1975f7048f061d3ee516a
Instruction Fuzzy Hash: 57715E75A0120AEFDF219FA4DC49BFFBBB8BF09300F048155F919AA151D7399A05CBA0

Function 007DC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007DC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,007ECC08,00000000,?,00000000,?,?), ref: 007DC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 007DC5A4
_wcslen.LIBCMT ref: 007DC5F4
_wcslen.LIBCMT ref: 007DC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 007DC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 007DC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 007DC84D
RegCloseKey.ADVAPI32(?), ref: 007DC881
RegCloseKey.ADVAPI32(00000000), ref: 007DC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 007DC960

Strings

REG_BINARY, xrefs: 007DC913
REG_MULTI_SZ, xrefs: 007DC6F5
REG_QWORD, xrefs: 007DC8C3
REG_DWORD, xrefs: 007DC804
REG_SZ, xrefs: 007DC644
REG_EXPAND_SZ, xrefs: 007DC5CD

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: c6862d9fe04c22ea78c578ed086d4e8ccf13af9d2464d9d1c2c5a1c63f5ea8ea
Instruction ID: 42d766d1636cbfd05fbeac934558b8ad4336d647a8750becd7557b41e7ab5b57
Opcode Fuzzy Hash: c6862d9fe04c22ea78c578ed086d4e8ccf13af9d2464d9d1c2c5a1c63f5ea8ea
Instruction Fuzzy Hash: 18126735604201DFDB15DF14C885A6AB7E5EF88324F14889DF88A9B3A2DB79FC45CB81

Function 007E091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007E09C6
_wcslen.LIBCMT ref: 007E0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007E0A54
_wcslen.LIBCMT ref: 007E0A8A
_wcslen.LIBCMT ref: 007E0B06
_wcslen.LIBCMT ref: 007E0B81

Part of subcall function 0076F9F2: _wcslen.LIBCMT ref: 0076F9FD

Part of subcall function 007B2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007B2BFA

Strings

GETITEMCOUNT, xrefs: 007E0C1E
EXISTS, xrefs: 007E0B7C, 007E0B97
EXPAND, xrefs: 007E0BF8
UNCHECK, xrefs: 007E0D3E
CHECK, xrefs: 007E0A85, 007E0AA0
COLLAPSE, xrefs: 007E0B01, 007E0B1C
GETSELECTED, xrefs: 007E0C4E
SELECT, xrefs: 007E0D11
ISCHECKED, xrefs: 007E0CE1
GETTEXT, xrefs: 007E0C97
GETTOTALCOUNT, xrefs: 007E09F2, 007E0A17

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 7aa255bc3d14948b2461aef7678ceb5c579fd6edf2e792952dac0fd43039f163
Instruction ID: 71d05cd2bb1f06c016eeb74abaa421fe4b7d3238685faeb10bbecf16aa98fd22
Opcode Fuzzy Hash: 7aa255bc3d14948b2461aef7678ceb5c579fd6edf2e792952dac0fd43039f163
Instruction Fuzzy Hash: 5FE1AB31209381CFC714DF25C85496AB7E1FF98314B14895CF89A9B3A2D778ED8ACB81

Function 007DC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,007DB6AE,?,?), ref: 007DC9B5
_wcslen.LIBCMT ref: 007DC9F1
_wcslen.LIBCMT ref: 007DCA68
_wcslen.LIBCMT ref: 007DCA9E
_wcslen.LIBCMT ref: 007DCAF9
_wcslen.LIBCMT ref: 007DCB2F
_wcslen.LIBCMT ref: 007DCB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 007DCA62, 007DCA67
HKEY_USERS, xrefs: 007DCBDF
HKEY_CURRENT_USER, xrefs: 007DCBBD
HKLM, xrefs: 007DCA98, 007DCA9D
HKU, xrefs: 007DCBF0
HKEY_CLASSES_ROOT, xrefs: 007DCAF3, 007DCAF8
HKCR, xrefs: 007DCB29, 007DCB2E
HKCU, xrefs: 007DCBCE
HKEY_CURRENT_CONFIG, xrefs: 007DCB79, 007DCB7E
HKCC, xrefs: 007DCBAC

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 573ccc9bb842a5a3186b7812c94eb698b32c76846dff752d60f8996981be8d98
Instruction ID: b6e26527a5c6984ed2112eb4e16ca8a1501c631493072e8dbe869fbf75edc6a8
Opcode Fuzzy Hash: 573ccc9bb842a5a3186b7812c94eb698b32c76846dff752d60f8996981be8d98
Instruction Fuzzy Hash: 3471F37261016B8BCB22DE68C9415BA33B5AFA0754F14452BFD5AAB384E63CDD84C7A0

Function 007E833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007E835A
_wcslen.LIBCMT ref: 007E836E
_wcslen.LIBCMT ref: 007E8391
_wcslen.LIBCMT ref: 007E83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 007E83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,007E5BF2), ref: 007E844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007E8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 007E84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007E8501
FreeLibrary.KERNEL32(?), ref: 007E850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 007E851D
DestroyIcon.USER32(?,?,?,?,?,007E5BF2), ref: 007E852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 007E8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 007E8555

Strings

.exe, xrefs: 007E8388
.dll, xrefs: 007E83AB
.icl, xrefs: 007E8368

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: c1fc725108d4e94b96424ba5ce2be32bfcdda14020f34eec0506376c0396192c
Instruction ID: 75561001ccb154762181eb8fac79dc5b5154722d37386cc62bfbe1ef7050905f
Opcode Fuzzy Hash: c1fc725108d4e94b96424ba5ce2be32bfcdda14020f34eec0506376c0396192c
Instruction Fuzzy Hash: 9B61DF71500245FAEB14DF65CC85BFE77A8FB08B11F108509F919EA1D1EF78A990CBA0

Function 00757778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-end, xrefs: 007578D9
#include, xrefs: 00757847
", xrefs: 00795153
#ce, xrefs: 007578ED
#cs, xrefs: 00757873, 007578C5
Bad directive syntax error, xrefs: 0079519A
#pragma compile, xrefs: 007577D3
#notrayicon, xrefs: 007577E7
#requireadmin, xrefs: 007577FF
#OnAutoItStartRegister, xrefs: 00757817
#include-once, xrefs: 0075782F
Cannot parse #include, xrefs: 00795279
#comments-start, xrefs: 0075785F, 007578B1
', xrefs: 00795169
Unterminated group of comments, xrefs: 0079528C

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: e8e9643f3f74964a788dbd7764dbf87a2c9fa2725ab60474440225e7984e207e
Instruction ID: 3f72dc07bc39342e9080aeb110ee772772eb673972e10936a8667980a660874e
Opcode Fuzzy Hash: e8e9643f3f74964a788dbd7764dbf87a2c9fa2725ab60474440225e7984e207e
Instruction Fuzzy Hash: 5A81F7B1640215EBDF25AF60EC4AFEE3768AF18340F104424FD05AA192EBBCDA15C7A1

Function 007C3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 007C3EF8
_wcslen.LIBCMT ref: 007C3F03
_wcslen.LIBCMT ref: 007C3F5A
_wcslen.LIBCMT ref: 007C3F98
GetDriveTypeW.KERNEL32(?), ref: 007C3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007C401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007C4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007C4087

Strings

close cd wait, xrefs: 007C4072
type cdaudio alias cd wait, xrefs: 007C4001
wait, xrefs: 007C4044
open , xrefs: 007C3FE5
close, xrefs: 007C3EFE, 007C3F18
open, xrefs: 007C3F54, 007C3F59
set cd door , xrefs: 007C4028
closed, xrefs: 007C3F08, 007C3F2D, 007C3F46, 007C3F7E, 007C3F97

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 33a406c41ce173b8c89c568792a269f1b866c3a0e618f83986c662e0854dbb37
Instruction ID: ef75ade9ecdaece700b1b9acd9719f202540ad6425572c1a041d564d889c203a
Opcode Fuzzy Hash: 33a406c41ce173b8c89c568792a269f1b866c3a0e618f83986c662e0854dbb37
Instruction Fuzzy Hash: C971D032604201DFC710DF24C891AAAB7F4FF94758F50892DF99597251EB38ED89CB91

Function 007B5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 007B5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 007B5A40
SetWindowTextW.USER32(?,?), ref: 007B5A57
GetDlgItem.USER32(?,000003EA), ref: 007B5A6C
SetWindowTextW.USER32(00000000,?), ref: 007B5A72
GetDlgItem.USER32(?,000003E9), ref: 007B5A82
SetWindowTextW.USER32(00000000,?), ref: 007B5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 007B5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 007B5AC3
GetWindowRect.USER32(?,?), ref: 007B5ACC
_wcslen.LIBCMT ref: 007B5B33
SetWindowTextW.USER32(?,?), ref: 007B5B6F
GetDesktopWindow.USER32 ref: 007B5B75
GetWindowRect.USER32(00000000), ref: 007B5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 007B5BD3
GetClientRect.USER32(?,?), ref: 007B5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 007B5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 007B5C2F

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: c786f8602210c4753f6d5e8b27878974c6dcc9c7cc9a5a0694a01c42f30c12c3
Instruction ID: 0ec62bbd4e749a5ddcd3a3c5da10548369b842eb5e757eb33ed1eeeb00c4275f
Opcode Fuzzy Hash: c786f8602210c4753f6d5e8b27878974c6dcc9c7cc9a5a0694a01c42f30c12c3
Instruction Fuzzy Hash: 67717B71900B09EFDB21DFA8CE89BAFBBF5FF48704F104618E542A65A0D779A941CB50

Function 007CFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 007CFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 007CFE32
LoadCursorW.USER32(00000000,00007F00), ref: 007CFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 007CFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 007CFE53
LoadCursorW.USER32(00000000,00007F01), ref: 007CFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 007CFE69
LoadCursorW.USER32(00000000,00007F88), ref: 007CFE74
LoadCursorW.USER32(00000000,00007F80), ref: 007CFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 007CFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 007CFE95
LoadCursorW.USER32(00000000,00007F85), ref: 007CFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 007CFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 007CFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 007CFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 007CFECC
GetCursorInfo.USER32(?), ref: 007CFEDC
GetLastError.KERNEL32 ref: 007CFF1E

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: d3baf779e566cd1869704d130e61534f1f5a5e4a942b8206fc58deaac5853dde
Instruction ID: 1531814f36ca2b85899fe282bfc9e144f5b59ac1fd9a9f064cf934ab6b3d028c
Opcode Fuzzy Hash: d3baf779e566cd1869704d130e61534f1f5a5e4a942b8206fc58deaac5853dde
Instruction Fuzzy Hash: 044154B0D05319AADB109FBA8C89D5EBFE9FF04354B50852EE11DEB281DB789901CE91

Function 007700C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 007700C6

Part of subcall function 007700ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0082070C,00000FA0,EF873129,?,?,?,?,007923B3,000000FF), ref: 0077011C
Part of subcall function 007700ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,007923B3,000000FF), ref: 00770127
Part of subcall function 007700ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,007923B3,000000FF), ref: 00770138
Part of subcall function 007700ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0077014E
Part of subcall function 007700ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0077015C
Part of subcall function 007700ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0077016A
Part of subcall function 007700ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00770195
Part of subcall function 007700ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 007701A0

___scrt_fastfail.LIBCMT ref: 007700E7

Part of subcall function 007700A3: __onexit.LIBCMT ref: 007700A9

Strings

kernel32.dll, xrefs: 00770133
WakeAllConditionVariable, xrefs: 00770162
SleepConditionVariableCS, xrefs: 00770154
InitializeConditionVariable, xrefs: 00770148
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00770122

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 2dd272f8dd9a0c048bb261767403e4c5d520c50320981d5032567807d009a73b
Instruction ID: d54fb5427ceca1bb86b3280a92a678d4d9260b3fe998f259915725404e2b4797
Opcode Fuzzy Hash: 2dd272f8dd9a0c048bb261767403e4c5d520c50320981d5032567807d009a73b
Instruction Fuzzy Hash: 0B213EB2641754EFDB115B64BC49B2D37D4EB08BA0F00C13AF805D7691DB7D9C008AD4

Function 007B30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007B318D
_wcslen.LIBCMT ref: 007B31F8

Strings

CLASSNN, xrefs: 007B31F3, 007B3204
REGEXPCLASS, xrefs: 007B3255, 007B3266
INSTANCE, xrefs: 007B3453
NAME, xrefs: 007B3335, 007B3346
TEXT, xrefs: 007B347C
CLASS, xrefs: 007B3188, 007B31A5

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: c4b9738c24076544a37960961a85f923f8a5a3e1c5d6e8ef53733ddc07aa66a6
Instruction ID: f2146b1afdab548bd19333815ee5f8e8bf72f198f163e65bc3da9a188a9e17bc
Opcode Fuzzy Hash: c4b9738c24076544a37960961a85f923f8a5a3e1c5d6e8ef53733ddc07aa66a6
Instruction Fuzzy Hash: E2E1D532A00516EBCB249FB8C455BFEBBB4FF44750F548229E556E7240DB38AEC98790

Function 007C44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,007ECC08), ref: 007C4527
_wcslen.LIBCMT ref: 007C453B
_wcslen.LIBCMT ref: 007C4599
_wcslen.LIBCMT ref: 007C45F4
_wcslen.LIBCMT ref: 007C463F
_wcslen.LIBCMT ref: 007C46A7

Part of subcall function 0076F9F2: _wcslen.LIBCMT ref: 0076F9FD

GetDriveTypeW.KERNEL32(?,00816BF0,00000061), ref: 007C4743

Strings

all, xrefs: 007C4531, 007C4536
network, xrefs: 007C469D, 007C46A2
unknown, xrefs: 007C4708
cdrom, xrefs: 007C458F, 007C4594
removable, xrefs: 007C45EA, 007C45EF
fixed, xrefs: 007C4635, 007C463A
ramdisk, xrefs: 007C46F1

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 96c782688f252a1771bcfb9f35e77cdfbc448b666629fa0e28ce109c2039dc29
Instruction ID: aed6abc08dcb74ef7ceddb891f2bfdf18e5b5f838779b88828a2c58f24ba05be
Opcode Fuzzy Hash: 96c782688f252a1771bcfb9f35e77cdfbc448b666629fa0e28ce109c2039dc29
Instruction Fuzzy Hash: 69B100316083029FC710DF28D8A4FAAB7E5BFA5760F50491DF596D7291E738D848CB62

Function 007D3FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,007ECC08), ref: 007D40BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 007D40CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,007ECC08), ref: 007D40F2
FreeLibrary.KERNEL32(00000000,?,007ECC08), ref: 007D413E
StringFromGUID2.OLE32(?,?,00000028,?,007ECC08), ref: 007D41A8
SysFreeString.OLEAUT32(00000009), ref: 007D4262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 007D42C8
SysFreeString.OLEAUT32(?), ref: 007D42F2

Strings

kernel32.dll, xrefs: 007D40B6
GetModuleHandleExW, xrefs: 007D40C7

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: aa53d30bc0e2bd2ac944ef1b10393fbfb2ba98e3930894d2c464903dcba4e300
Instruction ID: 5da937ea01bdd3e6b14084dcdc8320d994622b6e09dffb892424ea1358edcf47
Opcode Fuzzy Hash: aa53d30bc0e2bd2ac944ef1b10393fbfb2ba98e3930894d2c464903dcba4e300
Instruction Fuzzy Hash: 9B124B75A00149EFDB14CF94C888EAEBBB5FF49314F248099E905AF251D735ED86CBA0

Function 0075326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00821990), ref: 00792F8D
GetMenuItemCount.USER32(00821990), ref: 0079303D
GetCursorPos.USER32(?), ref: 00793081
SetForegroundWindow.USER32(00000000), ref: 0079308A
TrackPopupMenuEx.USER32(00821990,00000000,?,00000000,00000000,00000000), ref: 0079309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 007930A9

Strings

0, xrefs: 0075327D

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 46146282d625e2bc7d5b70125e2a9ac3042194582063a7a11819d48192285b61
Instruction ID: b454fd0d33b1b43e1a74e6a531c55d76a45f2f9e3bf0a259c63190d895bea00d
Opcode Fuzzy Hash: 46146282d625e2bc7d5b70125e2a9ac3042194582063a7a11819d48192285b61
Instruction Fuzzy Hash: BD710770644205BEEF219F68DC8DFAABF65FF04364F204216F9286A1E1C7B9AD15CB50

Function 007E6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 007E6DEB

Part of subcall function 00756B57: _wcslen.LIBCMT ref: 00756B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 007E6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 007E6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007E6E94
DestroyWindow.USER32(?), ref: 007E6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00750000,00000000), ref: 007E6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007E6EFD
GetDesktopWindow.USER32 ref: 007E6F16
GetWindowRect.USER32(00000000), ref: 007E6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 007E6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 007E6F4D

Part of subcall function 00769944: GetWindowLongW.USER32(?,000000EB), ref: 00769952

Strings

tooltips_class32, xrefs: 007E6E58, 007E6EDD
0, xrefs: 007E6D98

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 9d26700a5de1bebbce04ed14c50f89f9e787ccade20b55d507d1e499f53bb886
Instruction ID: 9422a795b175cac819cb1747cd39e0e6a12c6bef21ad72b23877f8a38cbf92c4
Opcode Fuzzy Hash: 9d26700a5de1bebbce04ed14c50f89f9e787ccade20b55d507d1e499f53bb886
Instruction Fuzzy Hash: CE719874101380AFDB21CF19D888AAABBE9FB9D340F54441DF989872A1C778ED46CB15

Function 007E911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00769BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00769BB2

DragQueryPoint.SHELL32(?,?), ref: 007E9147

Part of subcall function 007E7674: ClientToScreen.USER32(?,?), ref: 007E769A
Part of subcall function 007E7674: GetWindowRect.USER32(?,?), ref: 007E7710
Part of subcall function 007E7674: PtInRect.USER32(?,?,007E8B89), ref: 007E7720

SendMessageW.USER32(?,000000B0,?,?), ref: 007E91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007E91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 007E91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 007E9225
SendMessageW.USER32(?,000000B0,?,?), ref: 007E923E
SendMessageW.USER32(?,000000B1,?,?), ref: 007E9255
SendMessageW.USER32(?,000000B1,?,?), ref: 007E9277
DragFinish.SHELL32(?), ref: 007E927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 007E9371

Strings

@GUI_DROPID, xrefs: 007E929E
@GUI_DRAGID, xrefs: 007E92E9
@GUI_DRAGFILE, xrefs: 007E9320

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 1b8b4676f1366958fed48cfb178b5c62c491946c900d787d534fd6acd231dd82
Instruction ID: f5c5e9e9b07e018f1343d43483693e2c0296f22d6f35a646dc97d993bb382e65
Opcode Fuzzy Hash: 1b8b4676f1366958fed48cfb178b5c62c491946c900d787d534fd6acd231dd82
Instruction Fuzzy Hash: B2619B72108340AFC701DF64DC89DAFBBE8FF89350F00092DFA91961A1DB749A49CB52

Function 007CC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 007CC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 007CC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 007CC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 007CC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 007CC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 007CC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007CC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 007CC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 007CC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 007CC5F0
InternetCloseHandle.WININET(00000000), ref: 007CC5FB

Strings

, xrefs: 007CC575

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 3f2bdc3b392e3451b1366f3717670eb4d05cd0c265e8429590f75cc4e79331c8
Instruction ID: cd8c1f69facd341f639df55733bfc8580d9c1a4d6001977487430f707424d501
Opcode Fuzzy Hash: 3f2bdc3b392e3451b1366f3717670eb4d05cd0c265e8429590f75cc4e79331c8
Instruction Fuzzy Hash: A3517DB5500244BFDB228F64D988FAB7BBCFF08344F10841DF949DA250DB38EA559B60

Function 007E856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 007E8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007E85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007E85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007E85BA
GlobalLock.KERNEL32(00000000), ref: 007E85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007E85D7
GlobalUnlock.KERNEL32(00000000), ref: 007E85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007E85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007E85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,007EFC38,?), ref: 007E8611
GlobalFree.KERNEL32(00000000), ref: 007E8621
GetObjectW.GDI32(?,00000018,?), ref: 007E8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 007E8671
DeleteObject.GDI32(?), ref: 007E8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 007E86AF

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 872429ebb5d6932f6e4d36f483fcb4acd960fd64f033dd29b3cf5f3365983021
Instruction ID: 7e7b22e3bab70e92d91c49d5e3086158d19b9829eca7ec02eeea3231c6ec2f8c
Opcode Fuzzy Hash: 872429ebb5d6932f6e4d36f483fcb4acd960fd64f033dd29b3cf5f3365983021
Instruction Fuzzy Hash: 23412E75602244AFDB12DFA5CC88EAA7BBCFF4D715F108058F919EB250DB389901CB25

Function 007C14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 007C1502
VariantCopy.OLEAUT32(?,?), ref: 007C150B
VariantClear.OLEAUT32(?), ref: 007C1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 007C15FB
VarR8FromDec.OLEAUT32(?,?), ref: 007C1657
VariantInit.OLEAUT32(?), ref: 007C1708
SysFreeString.OLEAUT32(?), ref: 007C178C
VariantClear.OLEAUT32(?), ref: 007C17D8
VariantClear.OLEAUT32(?), ref: 007C17E7
VariantInit.OLEAUT32(00000000), ref: 007C1823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 007C1625
Default, xrefs: 007C16AF

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 8983bd7efa00d8cab2b1c1f6d37daaa74f7572a7652938cb3f53c21b0aea6e4c
Instruction ID: 4a922237ecc23b48cfcf472ad7c612137d13536e9c875366d028e354521916ac
Opcode Fuzzy Hash: 8983bd7efa00d8cab2b1c1f6d37daaa74f7572a7652938cb3f53c21b0aea6e4c
Instruction Fuzzy Hash: 0BD10571600215EBDB009F65E889F79B7B5BF46700F9080AEF806AB182DB7CEC55DB61

Function 007DB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00759CB3: _wcslen.LIBCMT ref: 00759CBD

Part of subcall function 007DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007DB6AE,?,?), ref: 007DC9B5
Part of subcall function 007DC998: _wcslen.LIBCMT ref: 007DC9F1
Part of subcall function 007DC998: _wcslen.LIBCMT ref: 007DCA68
Part of subcall function 007DC998: _wcslen.LIBCMT ref: 007DCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007DB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007DB772
RegDeleteValueW.ADVAPI32(?,?), ref: 007DB80A
RegCloseKey.ADVAPI32(?), ref: 007DB87E
RegCloseKey.ADVAPI32(?), ref: 007DB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 007DB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 007DB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 007DB922
FreeLibrary.KERNEL32(00000000), ref: 007DB983
RegCloseKey.ADVAPI32(00000000), ref: 007DB994

Strings

RegDeleteKeyExW, xrefs: 007DB8FE
advapi32.dll, xrefs: 007DB8ED

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 0a26dc2bc2b6bd8cd0582884e301910fd39a2101cab5372bc5a1b7ff1f81056f
Instruction ID: 0ce1592693b28debe66db5b7e6b013319ae0159da0f109bdc2cfdf5db5c85afc
Opcode Fuzzy Hash: 0a26dc2bc2b6bd8cd0582884e301910fd39a2101cab5372bc5a1b7ff1f81056f
Instruction Fuzzy Hash: 5AC18C34204241EFD710DF24C498F6ABBF5BF84318F15859DE99A8B3A2CB79E845CB91

Function 007D255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 007D25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 007D25E8
CreateCompatibleDC.GDI32(?), ref: 007D25F4
SelectObject.GDI32(00000000,?), ref: 007D2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 007D266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 007D26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 007D26D0
SelectObject.GDI32(?,?), ref: 007D26D8
DeleteObject.GDI32(?), ref: 007D26E1
DeleteDC.GDI32(?), ref: 007D26E8
ReleaseDC.USER32(00000000,?), ref: 007D26F3

Strings

(, xrefs: 007D268D

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 5e1249c15fc773d30448c77636b87b9eb01cca6a03776f8d0c71531886fad677
Instruction ID: 28224d2b66c5656c1bc642a90862740643cd4e82c5afc686defcc2684e5b536d
Opcode Fuzzy Hash: 5e1249c15fc773d30448c77636b87b9eb01cca6a03776f8d0c71531886fad677
Instruction Fuzzy Hash: C56102B5D00209EFCF05CFA8D884AAEBBB5FF48310F20842AE955A7350D734A952CF64

Function 0078DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0078DAA1

Part of subcall function 0078D63C: _free.LIBCMT ref: 0078D659
Part of subcall function 0078D63C: _free.LIBCMT ref: 0078D66B
Part of subcall function 0078D63C: _free.LIBCMT ref: 0078D67D
Part of subcall function 0078D63C: _free.LIBCMT ref: 0078D68F
Part of subcall function 0078D63C: _free.LIBCMT ref: 0078D6A1
Part of subcall function 0078D63C: _free.LIBCMT ref: 0078D6B3
Part of subcall function 0078D63C: _free.LIBCMT ref: 0078D6C5
Part of subcall function 0078D63C: _free.LIBCMT ref: 0078D6D7
Part of subcall function 0078D63C: _free.LIBCMT ref: 0078D6E9
Part of subcall function 0078D63C: _free.LIBCMT ref: 0078D6FB
Part of subcall function 0078D63C: _free.LIBCMT ref: 0078D70D
Part of subcall function 0078D63C: _free.LIBCMT ref: 0078D71F
Part of subcall function 0078D63C: _free.LIBCMT ref: 0078D731

_free.LIBCMT ref: 0078DA96

Part of subcall function 007829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0078D7D1,00000000,00000000,00000000,00000000,?,0078D7F8,00000000,00000007,00000000,?,0078DBF5,00000000), ref: 007829DE
Part of subcall function 007829C8: GetLastError.KERNEL32(00000000,?,0078D7D1,00000000,00000000,00000000,00000000,?,0078D7F8,00000000,00000007,00000000,?,0078DBF5,00000000,00000000), ref: 007829F0

_free.LIBCMT ref: 0078DAB8
_free.LIBCMT ref: 0078DACD
_free.LIBCMT ref: 0078DAD8
_free.LIBCMT ref: 0078DAFA
_free.LIBCMT ref: 0078DB0D
_free.LIBCMT ref: 0078DB1B
_free.LIBCMT ref: 0078DB26
_free.LIBCMT ref: 0078DB5E
_free.LIBCMT ref: 0078DB65
_free.LIBCMT ref: 0078DB82
_free.LIBCMT ref: 0078DB9A

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 744e477b1a06ec20ebf8e4b13a6656ad6602c414a4c73be8ab7dbb1f34c267a9
Instruction ID: c49ce0d7fff89836998707b03d6d7f8a003585d4af6746b68b34fc063111e6a8
Opcode Fuzzy Hash: 744e477b1a06ec20ebf8e4b13a6656ad6602c414a4c73be8ab7dbb1f34c267a9
Instruction Fuzzy Hash: 5D313B71684205DFEB35BA79E849B567BE9FF00321F254419E449E71A2DE3DBC818B20

Function 007B365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 007B369C
_wcslen.LIBCMT ref: 007B36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 007B3797
GetClassNameW.USER32(?,?,00000400), ref: 007B380C
GetDlgCtrlID.USER32(?), ref: 007B385D
GetWindowRect.USER32(?,?), ref: 007B3882
GetParent.USER32(?), ref: 007B38A0
ScreenToClient.USER32(00000000), ref: 007B38A7
GetClassNameW.USER32(?,?,00000100), ref: 007B3921
GetWindowTextW.USER32(?,?,00000400), ref: 007B395D

Strings

%s%u, xrefs: 007B3734

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 58b4bd614d56af36875e97d393df6c205e83c2011d9c5889668590f406e5fc24
Instruction ID: 7a459c76abe05279b9c906343d9a973543690c1daee2871c39335a881b15699b
Opcode Fuzzy Hash: 58b4bd614d56af36875e97d393df6c205e83c2011d9c5889668590f406e5fc24
Instruction Fuzzy Hash: 8991C371204706EFD719DF24C885BEAF7A8FF44354F008629F999C6190DB78EA85CBA1

Function 007B4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 007B4994
GetWindowTextW.USER32(?,?,00000400), ref: 007B49DA
_wcslen.LIBCMT ref: 007B49EB
CharUpperBuffW.USER32(?,00000000), ref: 007B49F7
_wcsstr.LIBVCRUNTIME ref: 007B4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 007B4A64
GetWindowTextW.USER32(?,?,00000400), ref: 007B4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 007B4AE6
GetClassNameW.USER32(?,?,00000400), ref: 007B4B20
GetWindowRect.USER32(?,?), ref: 007B4B8B

Strings

ThumbnailClass, xrefs: 007B4A6F, 007B4AF1

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: cc6ed9636e854f1c18d3763373fe4c85586ddbddb366be6d960cd52a11fc9f50
Instruction ID: 92c7e11b48d2fc223c8e0d8bb790593e6f64e095ded179eac6f3075f619c6810
Opcode Fuzzy Hash: cc6ed9636e854f1c18d3763373fe4c85586ddbddb366be6d960cd52a11fc9f50
Instruction Fuzzy Hash: 9A91AC72004205DBDB05CF14C989BEB7BE8FF84754F048469FE899A196DB38ED45CBA1

Function 007E8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00769BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00769BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007E8D5A
GetFocus.USER32 ref: 007E8D6A
GetDlgCtrlID.USER32(00000000), ref: 007E8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 007E8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 007E8ECF
GetMenuItemCount.USER32(?), ref: 007E8EEC
GetMenuItemID.USER32(?,00000000), ref: 007E8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 007E8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 007E8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 007E8FA1

Strings

0, xrefs: 007E8E9F

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: a9a9e7fdcfa786436920677c717e45bb28f851dc6eb7b6ad18c189afe5be60cf
Instruction ID: 9a960c1ad29e2c58ca7df9c1bed8bea943e8d6a6721e1b9b9b38404ccc7380f5
Opcode Fuzzy Hash: a9a9e7fdcfa786436920677c717e45bb28f851dc6eb7b6ad18c189afe5be60cf
Instruction Fuzzy Hash: 5181F0715063819FDB50CF25C888AAB7BE9FB8C314F14491DF998DB291DB38D901CBA2

Function 007BBF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00821990,000000FF,00000000,00000030), ref: 007BBFAC
SetMenuItemInfoW.USER32(00821990,00000004,00000000,00000030), ref: 007BBFE1
Sleep.KERNEL32(000001F4), ref: 007BBFF3
GetMenuItemCount.USER32(?), ref: 007BC039
GetMenuItemID.USER32(?,00000000), ref: 007BC056
GetMenuItemID.USER32(?,-00000001), ref: 007BC082
GetMenuItemID.USER32(?,?), ref: 007BC0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 007BC10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007BC124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007BC145

Strings

0, xrefs: 007BBF3D

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 5df1bb241dfaaa525e2223320351042ca964df23e6f238d3d2bccd8a746c4745
Instruction ID: 3292e7402a60a1fc2a815dfb534757fa0e4e845480ddd5e8b29152e8a98c916d
Opcode Fuzzy Hash: 5df1bb241dfaaa525e2223320351042ca964df23e6f238d3d2bccd8a746c4745
Instruction Fuzzy Hash: 33617DB090024AEFDF22DF68CC88BFEBBA8EB05344F108055E951A7291D779AD15CB61

Function 007BDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 007BDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 007BDC46
_wcslen.LIBCMT ref: 007BDC50
_wcsstr.LIBVCRUNTIME ref: 007BDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 007BDCBC

Strings

%u.%u.%u.%u, xrefs: 007BDD9A
StringFileInfo\, xrefs: 007BDC8F
04090000, xrefs: 007BDCF2
DefaultLangCodepage, xrefs: 007BDD1F
\VarFileInfo\Translation, xrefs: 007BDCB4

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: c3357d9109f60215620312cee772c062f51126c204d2c0048425ebafd71f1116
Instruction ID: a61d07357cb3f6ab64269f687f03e9d303cf6dcd330c1c34116650c474f3d99c
Opcode Fuzzy Hash: c3357d9109f60215620312cee772c062f51126c204d2c0048425ebafd71f1116
Instruction Fuzzy Hash: 3B412472A41201BADB21A7749C4BFFF3B6CEF45750F10406AFA05E6182FB7D9D0286A4

Function 007DCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 007DCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 007DCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 007DCD48

Part of subcall function 007DCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 007DCCAA
Part of subcall function 007DCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 007DCCBD
Part of subcall function 007DCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 007DCCCF
Part of subcall function 007DCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 007DCD05
Part of subcall function 007DCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 007DCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 007DCCF3

Strings

RegDeleteKeyExW, xrefs: 007DCCC9
advapi32.dll, xrefs: 007DCCB8

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 4bbd3f2570bcef449a8ae5f10aeb19ab0c4a80102c1b8fe12a8605c775f156e4
Instruction ID: 62b3f0f80dc34f41248907b6547a86b55b84f48dc283d9b62ba5cb8f6b816d84
Opcode Fuzzy Hash: 4bbd3f2570bcef449a8ae5f10aeb19ab0c4a80102c1b8fe12a8605c775f156e4
Instruction Fuzzy Hash: 7A3192B5A02129BBDB228B54DC88EFFBB7DEF05740F004166F905E6240D7389E46DAB4

Function 007C3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 007C3D40
_wcslen.LIBCMT ref: 007C3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 007C3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 007C3DBE
RemoveDirectoryW.KERNEL32(?), ref: 007C3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 007C3E55
CloseHandle.KERNEL32(00000000), ref: 007C3E60
CloseHandle.KERNEL32(00000000), ref: 007C3E6B

Strings

:, xrefs: 007C3D82
\, xrefs: 007C3D77
\??\%s, xrefs: 007C3D5B

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: fa399f4c3f0003ee6e75d147fd914d61842d3d17deddceae64ebd9e65842410b
Instruction ID: 88e79248c7aa935a1d96e7512750ef87daa8b72ee12a3ac04f547fd5c8c38bc3
Opcode Fuzzy Hash: fa399f4c3f0003ee6e75d147fd914d61842d3d17deddceae64ebd9e65842410b
Instruction Fuzzy Hash: 8F31B675A00249ABDB21DBA0DC89FEF37BCEF88740F1081B9F609D6150E77897458B24

Function 007BE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 007BE6B4

Part of subcall function 0076E551: timeGetTime.WINMM(?,?,007BE6D4), ref: 0076E555

Sleep.KERNEL32(0000000A), ref: 007BE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 007BE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 007BE727
SetActiveWindow.USER32 ref: 007BE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 007BE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 007BE773
Sleep.KERNEL32(000000FA), ref: 007BE77E
IsWindow.USER32 ref: 007BE78A
EndDialog.USER32(00000000), ref: 007BE79B

Strings

BUTTON, xrefs: 007BE719

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: d35a99b901f4b94996418906fe3f01a25b4eb56644e835ffef1f6bc1d5c81fbd
Instruction ID: 8665555371c52ee27d1f37aaac5e9b0a3d2d873ff79b5a4cc9c89e16957c0a2e
Opcode Fuzzy Hash: d35a99b901f4b94996418906fe3f01a25b4eb56644e835ffef1f6bc1d5c81fbd
Instruction Fuzzy Hash: E92187B5201244BFEB119F60ECCDBA63B69FB69348B10D424F915953A1DF7D9C128B18

Function 007BE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00759CB3: _wcslen.LIBCMT ref: 00759CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 007BEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 007BEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007BEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 007BEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 007BEAA7

Strings

open , xrefs: 007BEA0C
status PlayMe mode, xrefs: 007BEA58
close PlayMe, xrefs: 007BEA6E, 007BEA9B
play PlayMe wait, xrefs: 007BEA91
alias PlayMe, xrefs: 007BEA36
play PlayMe, xrefs: 007BEAA2

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: a790d483fb4af1709e780c3baaf8c4bcfe7ae400829fc3f6bc6581c665ef3bb4
Instruction ID: 0c7f1a7a64ce57f1e8bf83efd231d32229d7a17faf5a2d9f16ee63aabea07270
Opcode Fuzzy Hash: a790d483fb4af1709e780c3baaf8c4bcfe7ae400829fc3f6bc6581c665ef3bb4
Instruction Fuzzy Hash: EC11A331A50259BAD720A7A1DC4AEFF6E7CFFD1B00F000429B821E21D1EEB81D99C5B0

Function 007B9F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 007BA012
SetKeyboardState.USER32(?), ref: 007BA07D
GetAsyncKeyState.USER32(000000A0), ref: 007BA09D
GetKeyState.USER32(000000A0), ref: 007BA0B4
GetAsyncKeyState.USER32(000000A1), ref: 007BA0E3
GetKeyState.USER32(000000A1), ref: 007BA0F4
GetAsyncKeyState.USER32(00000011), ref: 007BA120
GetKeyState.USER32(00000011), ref: 007BA12E
GetAsyncKeyState.USER32(00000012), ref: 007BA157
GetKeyState.USER32(00000012), ref: 007BA165
GetAsyncKeyState.USER32(0000005B), ref: 007BA18E
GetKeyState.USER32(0000005B), ref: 007BA19C

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 6527180b99bd370e6c60e96eb0fbaa292a311c2b598beca369594e864beb4989
Instruction ID: a42d8e041e033ce8c7e47edbcb7ef08ddc94c009c50cb4f9c8a175578a043a9c
Opcode Fuzzy Hash: 6527180b99bd370e6c60e96eb0fbaa292a311c2b598beca369594e864beb4989
Instruction Fuzzy Hash: 0351BA2090478C79FB35FB7488557EBBFB59F12380F088599D6C25B1C2EA5CAA4CC762

Function 007B5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 007B5CE2
GetWindowRect.USER32(00000000,?), ref: 007B5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 007B5D59
GetDlgItem.USER32(?,00000002), ref: 007B5D69
GetWindowRect.USER32(00000000,?), ref: 007B5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 007B5DCF
GetDlgItem.USER32(?,000003E9), ref: 007B5DDD
GetWindowRect.USER32(00000000,?), ref: 007B5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 007B5E31
GetDlgItem.USER32(?,000003EA), ref: 007B5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 007B5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 007B5E67

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 5b18db3197c7d499d80d33440c1d01b6c1de07b4ed4610076ac9418b355c19fc
Instruction ID: 34278ff563d1376f050bd6e660101956867d7501f52bb6fb9ca8a8b8ffdfa002
Opcode Fuzzy Hash: 5b18db3197c7d499d80d33440c1d01b6c1de07b4ed4610076ac9418b355c19fc
Instruction Fuzzy Hash: 77512D74B00605AFDF19CF68CD89BAEBBB5FB48300F148229F915E6290D7749E01CB50

Function 00768BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00768F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00768BE8,?,00000000,?,?,?,?,00768BBA,00000000,?), ref: 00768FC5

DestroyWindow.USER32(?), ref: 00768C81
KillTimer.USER32(00000000,?,?,?,?,00768BBA,00000000,?), ref: 00768D1B
DestroyAcceleratorTable.USER32(00000000), ref: 007A6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00768BBA,00000000,?), ref: 007A69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00768BBA,00000000,?), ref: 007A69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00768BBA,00000000), ref: 007A69D4
DeleteObject.GDI32(00000000), ref: 007A69E6

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 5223d3faa9fa86eea25d5c4d6302d5fe1b748a6ea4305ef0b58872cf9fb41fbe
Instruction ID: 32c2c63578f4ccc1689a23d84648fb686d63b8fe8f0c0bbabf2f9f10f2e7a0c4
Opcode Fuzzy Hash: 5223d3faa9fa86eea25d5c4d6302d5fe1b748a6ea4305ef0b58872cf9fb41fbe
Instruction Fuzzy Hash: 5A619E35102700DFCB769F24C958B26BBF1FB95312F24865CE4439A660CB39A8D2CF66

Function 00769838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00769944: GetWindowLongW.USER32(?,000000EB), ref: 00769952

GetSysColor.USER32(0000000F), ref: 00769862

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: b1342b085f1cfe53716ecd17ee2dd3ec5ac089fb914b6357f017fb19b8f792f8
Instruction ID: 88d8b5f51186bb72fd28c1b002be381b84dec39a9907d0541af0f76b5ba3e5bc
Opcode Fuzzy Hash: b1342b085f1cfe53716ecd17ee2dd3ec5ac089fb914b6357f017fb19b8f792f8
Instruction Fuzzy Hash: 3041A035505744DFDB215F389C88BB93B69BB4A330F248609FAA38B1E1D7389C42DB10

Function 00788D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.w, xrefs: 0078903A, 00788FD0, 00788FF2

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID:
String ID: .w
API String ID: 0-1741142609
Opcode ID: 664a140f28b80ba8da4a7fd131184f5296551d4bf746d01a23fab6e35bfd7333
Instruction ID: 493a7ec192b2df424ce38ac8ff79ddfae3db9d6b6db59b6362a3b8deac6b29d6
Opcode Fuzzy Hash: 664a140f28b80ba8da4a7fd131184f5296551d4bf746d01a23fab6e35bfd7333
Instruction Fuzzy Hash: 70C1D675984249EFDF11EFA8C845BBDBBB0BF09310F184159E614AB393C7389941CB61

Function 007B96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0079F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 007B9717
LoadStringW.USER32(00000000,?,0079F7F8,00000001), ref: 007B9720

Part of subcall function 00759CB3: _wcslen.LIBCMT ref: 00759CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0079F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 007B9742
LoadStringW.USER32(00000000,?,0079F7F8,00000001), ref: 007B9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 007B9866

Strings

^ ERROR, xrefs: 007B97FB
%s (%d) : ==> %s: %s %s, xrefs: 007B984A
Line %d:, xrefs: 007B97A0
Line %d (File "%s"):, xrefs: 007B978F
Error: , xrefs: 007B981D

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: d95bb0b1add9b824dc9dbe5f576cab7929b35e16d13cd36720319827880703c5
Instruction ID: a242af9bbd788fee2879c3d21a3905d9e2188e2ab89ce0802a745a0a1c9d1219
Opcode Fuzzy Hash: d95bb0b1add9b824dc9dbe5f576cab7929b35e16d13cd36720319827880703c5
Instruction Fuzzy Hash: 14414E72800219EADF04EBE0DD8AEEEB779EF14341F500465FA1572092EB796F49CB61

Function 007B06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00756B57: _wcslen.LIBCMT ref: 00756B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 007B07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 007B07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 007B07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 007B0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 007B082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 007B0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 007B083C

Strings

\CLSID, xrefs: 007B0724
\IPC$, xrefs: 007B0784
SOFTWARE\Classes\, xrefs: 007B070E

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 9a80c0cef63536cacf9e4f246789c07b7359837f79ec8b93b8605f6057965ed2
Instruction ID: 50b7c98d8209cef27d40f0a3142bf44937242c37114fa38b585d2f2f4361c2a4
Opcode Fuzzy Hash: 9a80c0cef63536cacf9e4f246789c07b7359837f79ec8b93b8605f6057965ed2
Instruction Fuzzy Hash: CF412876C10228EBDF11EBA4DC999EEB778FF04350B044129F915A7161EB78AE08CB90

Function 007E3F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 007E403B
CreateCompatibleDC.GDI32(00000000), ref: 007E4042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 007E4055
SelectObject.GDI32(00000000,00000000), ref: 007E405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 007E4068
DeleteDC.GDI32(00000000), ref: 007E4072
GetWindowLongW.USER32(?,000000EC), ref: 007E407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 007E4092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 007E409E

Strings

static, xrefs: 007E3FD3

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 70eb73d863b5003e1b59f468f196c864ff0dc84c307a4b3b81e2068b234e4f0b
Instruction ID: fef9d68f5e7ad30a09dbfb2540f0b4938a6170c6f6868a6cb2402ddd023a5da3
Opcode Fuzzy Hash: 70eb73d863b5003e1b59f468f196c864ff0dc84c307a4b3b81e2068b234e4f0b
Instruction Fuzzy Hash: 37318176502299AFDF229F65CC49FDA3B68FF0D324F104220FA18EA1A0D779D821DB54

Function 007D3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007D3C5C
CoInitialize.OLE32(00000000), ref: 007D3C8A
CoUninitialize.OLE32 ref: 007D3C94
_wcslen.LIBCMT ref: 007D3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 007D3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 007D3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 007D3F0E
CoGetObject.OLE32(?,00000000,007EFB98,?), ref: 007D3F2D
SetErrorMode.KERNEL32(00000000), ref: 007D3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 007D3FC4
VariantClear.OLEAUT32(?), ref: 007D3FD8

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: dcff378920750cc4776d951d28fb9f5c0e57a26338a07dd6a46400c563f5dcfd
Instruction ID: 2e88a638df666002df90717020893be1fb740680474b7dfd02359159f3f236ba
Opcode Fuzzy Hash: dcff378920750cc4776d951d28fb9f5c0e57a26338a07dd6a46400c563f5dcfd
Instruction Fuzzy Hash: 05C133716082459FD700DF68C88496BBBF9FF89744F04491EF98A9B250D774EE06CB62

Function 007C7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 007C7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 007C7B8F
SHGetDesktopFolder.SHELL32(?), ref: 007C7BA3
CoCreateInstance.OLE32(007EFD08,00000000,00000001,00816E6C,?), ref: 007C7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 007C7C74
CoTaskMemFree.OLE32(?,?), ref: 007C7CCC
SHBrowseForFolderW.SHELL32(?), ref: 007C7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 007C7D7A
CoTaskMemFree.OLE32(00000000), ref: 007C7D81
CoTaskMemFree.OLE32(00000000), ref: 007C7DD6
CoUninitialize.OLE32 ref: 007C7DDC

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 6874846263da5200b109129fc39ac1882e10ab4cc59bc1f6e87b928f9546158f
Instruction ID: 7b7442dadb01e9c819eaa299692f7c116b0079889ecf9bdc73a046fbd94e14ce
Opcode Fuzzy Hash: 6874846263da5200b109129fc39ac1882e10ab4cc59bc1f6e87b928f9546158f
Instruction Fuzzy Hash: A0C11A75A04149EFCB14DFA4C888DAEBBB9FF48314B14849DE81A9B261DB34ED45CF90

Function 007E541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 007E5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007E5515
CharNextW.USER32(00000158), ref: 007E5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 007E5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 007E559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007E55AC

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 1e6a08d1b249f3c42e7c39afcccdc9113e3807dec087a4d9973e837559ace6e5
Instruction ID: e47c53ac8f7225ecb05331f8880e4c7946926306cbc4eb58639d8a082c47e0c1
Opcode Fuzzy Hash: 1e6a08d1b249f3c42e7c39afcccdc9113e3807dec087a4d9973e837559ace6e5
Instruction Fuzzy Hash: 3661BF3490268DEFDF108F56CC84DFE7B79EB0E328F108145F925AA291D7789A81DB60

Function 007AFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 007AFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 007AFB08
VariantInit.OLEAUT32(?), ref: 007AFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 007AFB3A
VariantCopy.OLEAUT32(?,?), ref: 007AFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 007AFBA1
VariantClear.OLEAUT32(?), ref: 007AFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 007AFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 007AFBCC
VariantClear.OLEAUT32(?), ref: 007AFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 007AFBE9

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 26600b489e79056a4d7460f928229a684dd78f666ef05325b6aef7f3c43843cb
Instruction ID: d001b97e54b342c5f2239b2bd2001ee64bfbf03296e2746ebe6bed5c9301a070
Opcode Fuzzy Hash: 26600b489e79056a4d7460f928229a684dd78f666ef05325b6aef7f3c43843cb
Instruction Fuzzy Hash: 75415375900259DFCB01DFA4C8989EDBBB9FF49354F008169F915AB261C738A946CBA0

Function 007B9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 007B9CA1
GetAsyncKeyState.USER32(000000A0), ref: 007B9D22
GetKeyState.USER32(000000A0), ref: 007B9D3D
GetAsyncKeyState.USER32(000000A1), ref: 007B9D57
GetKeyState.USER32(000000A1), ref: 007B9D6C
GetAsyncKeyState.USER32(00000011), ref: 007B9D84
GetKeyState.USER32(00000011), ref: 007B9D96
GetAsyncKeyState.USER32(00000012), ref: 007B9DAE
GetKeyState.USER32(00000012), ref: 007B9DC0
GetAsyncKeyState.USER32(0000005B), ref: 007B9DD8
GetKeyState.USER32(0000005B), ref: 007B9DEA

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: fd43d87e229d1b0cb0e338e3a9334c7b1114df9be8b050f8cb18793c07185ff9
Instruction ID: cb3ef5c18d660efba3cf91d20526c0eb3d470d11a40cb4db3cc9c96e80f18387
Opcode Fuzzy Hash: fd43d87e229d1b0cb0e338e3a9334c7b1114df9be8b050f8cb18793c07185ff9
Instruction Fuzzy Hash: 4841F8346047C96DFF31877188443F5FEA06F15344F44805ADBD65A6C2EBACA9D8CBA2

Function 007D055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 007D05BC
inet_addr.WSOCK32(?), ref: 007D061C
gethostbyname.WSOCK32(?), ref: 007D0628
IcmpCreateFile.IPHLPAPI ref: 007D0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 007D06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 007D06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 007D07B9
WSACleanup.WSOCK32 ref: 007D07BF

Strings

Ping, xrefs: 007D0676

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 097bcf51af19450fb94fa047af3d2dbc99f4891c3b56cd025fc7ac184fb269ac
Instruction ID: fd809523ba282e375697ac9bed36c328afb94523116b384f6b9a66491d32a606
Opcode Fuzzy Hash: 097bcf51af19450fb94fa047af3d2dbc99f4891c3b56cd025fc7ac184fb269ac
Instruction Fuzzy Hash: F0915B756042419FD720CF15D488B1ABBF0AF48328F1495AAE86A8F7A2C778ED45CFD1

Function 007D8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 007D8CF3

Part of subcall function 007B8E54: _wcslen.LIBCMT ref: 007B8E77

_wcslen.LIBCMT ref: 007D8D4E
_wcslen.LIBCMT ref: 007D8D9C
_wcslen.LIBCMT ref: 007D8DDC
_wcslen.LIBCMT ref: 007D8E6E

Strings

cdecl, xrefs: 007D8D48, 007D8D4D
none, xrefs: 007D8E65, 007D8E6A
winapi, xrefs: 007D8D96, 007D8D9B
stdcall, xrefs: 007D8DD6, 007D8DDB

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: c861ad5ae0e09a199473329440e225b44e1c274b4ca9b189616cd59a571eed7d
Instruction ID: ebd5d10fbd0c82c84d234a29a3e8f137879256a10ce6388c062450773584c56e
Opcode Fuzzy Hash: c861ad5ae0e09a199473329440e225b44e1c274b4ca9b189616cd59a571eed7d
Instruction Fuzzy Hash: F451B431A00116DBCF54DF68C9409BEB7B6BF64714B24422AE926E73C5DB38DD44CB91

Function 007D372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 007D3774
CoUninitialize.OLE32 ref: 007D377F
CoCreateInstance.OLE32(?,00000000,00000017,007EFB78,?), ref: 007D37D9
IIDFromString.OLE32(?,?), ref: 007D384C
VariantInit.OLEAUT32(?), ref: 007D38E4
VariantClear.OLEAUT32(?), ref: 007D3936

Strings

NULL Pointer assignment, xrefs: 007D381E
Failed to create object, xrefs: 007D37E4, 007D389A
Invalid parameter, xrefs: 007D3865

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: a9bdeb2f4df4398c838cfe805f516f183ac2fa9af2b1bfab298429ee3190868e
Instruction ID: b9dec24aff2e2ca272a076f53e2771528a3221b8df1c02b37b5b4be42d6fd02a
Opcode Fuzzy Hash: a9bdeb2f4df4398c838cfe805f516f183ac2fa9af2b1bfab298429ee3190868e
Instruction Fuzzy Hash: 47619D70608701EFD311DF54C889B9ABBF8AF49714F00480AF9959B391D778EE49DBA2

Function 007C3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 007C33CF

Part of subcall function 00759CB3: _wcslen.LIBCMT ref: 00759CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 007C33F0

Strings

"%s" (%d) : ==> %s:, xrefs: 007C3522
Incorrect parameters to object property !, xrefs: 007C34AB
Line %d (File "%s"):, xrefs: 007C3443, 007C345C
"%s" (%d) : ==> %s:%s%s, xrefs: 007C3504
^ ERROR , xrefs: 007C349E
Error: , xrefs: 007C34D1

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 2032b2f0920f1bf04486334a224f39251d5a09622690b297942a165b4db3be1d
Instruction ID: c5fdedbf9fee3793f56bd2745b9d267af9bda4a9064faae14687a1778e2629a1
Opcode Fuzzy Hash: 2032b2f0920f1bf04486334a224f39251d5a09622690b297942a165b4db3be1d
Instruction Fuzzy Hash: 55518271900209EADF15EBA0DD4AEEEB779FF14341F208065F91572162EB792F58CB60

Function 007BB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007BB5FC
_wcslen.LIBCMT ref: 007BB608
_wcslen.LIBCMT ref: 007BB64D
_wcslen.LIBCMT ref: 007BB68C
_wcslen.LIBCMT ref: 007BB6C7

Strings

EXISTS, xrefs: 007BB686, 007BB68B
KEYS, xrefs: 007BB647, 007BB64C
REMOVE, xrefs: 007BB602, 007BB607
APPEND, xrefs: 007BB6C1, 007BB6C6

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: f5a17f5eca9147da15f00bf30c76f4ce2ace99b666abece9290de165f9f72be0
Instruction ID: e98963ea2d2af16a5752c39d1f2308c9b27431991bfb6dc2c81c1b6aa235245e
Opcode Fuzzy Hash: f5a17f5eca9147da15f00bf30c76f4ce2ace99b666abece9290de165f9f72be0
Instruction Fuzzy Hash: AB41E732A000269BCB205F7D8C906FE77A5BFA075CB24422AED65DB284F779DD81C790

Function 007C5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007C53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 007C5416
GetLastError.KERNEL32 ref: 007C5420
SetErrorMode.KERNEL32(00000000,READY), ref: 007C54A7

Strings

READY, xrefs: 007C5460, 007C5468
NOTREADY, xrefs: 007C544B
INVALID, xrefs: 007C5459
UNKNOWN, xrefs: 007C5444
READONLY, xrefs: 007C5452

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 8f7b291d7f291f485794449643cd8c77ce8d30fb37f70e9cc321b31e2e9820c0
Instruction ID: c6b51b5f5b7129946de2caf3ec893cba5c7659a16de518e899b03b450b5def02
Opcode Fuzzy Hash: 8f7b291d7f291f485794449643cd8c77ce8d30fb37f70e9cc321b31e2e9820c0
Instruction Fuzzy Hash: C4318F75A005449FC714DF68C888FE97BA8EF45305F14805DE905CB292EB7AEEC6CB90

Function 007E3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 007E3C79
SetMenu.USER32(?,00000000), ref: 007E3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007E3D10
IsMenu.USER32(?), ref: 007E3D24
CreatePopupMenu.USER32 ref: 007E3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007E3D5B
DrawMenuBar.USER32 ref: 007E3D63

Strings

F, xrefs: 007E3D4E
0, xrefs: 007E3C54

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 45fc85f0a6650919669a7c54780105b2376d312e27c97dc33c4c6fb44a92576b
Instruction ID: 57757282a18531956533b49cae35e911eac86c5af520ee5dd63cf6c8fc1f9ade
Opcode Fuzzy Hash: 45fc85f0a6650919669a7c54780105b2376d312e27c97dc33c4c6fb44a92576b
Instruction Fuzzy Hash: 95418C78A02249EFDF14CF65D888AAA7BB5FF49340F144029E9169B360D734AA21CF94

Function 007B1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00759CB3: _wcslen.LIBCMT ref: 00759CBD

Part of subcall function 007B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 007B3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 007B1F64
GetDlgCtrlID.USER32 ref: 007B1F6F
GetParent.USER32 ref: 007B1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 007B1F8E
GetDlgCtrlID.USER32(?), ref: 007B1F97
GetParent.USER32(?), ref: 007B1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 007B1FAE

Strings

ComboBox, xrefs: 007B1EEC
ListBox, xrefs: 007B1F21

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: b81e42f9519265db5690382995ccf7ba997ffdc0a1665276ccac1c7b49414d11
Instruction ID: 4e63cc13cdca2ea5e5fcecfbe9184b2ea3f7a7e2987bc6320fc46633c38ee121
Opcode Fuzzy Hash: b81e42f9519265db5690382995ccf7ba997ffdc0a1665276ccac1c7b49414d11
Instruction Fuzzy Hash: FD21DE74901214FFCF01AFA4CC99AFEBBB8EF09310B904585F961A72A1CB7C5909CB60

Function 007B1FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00759CB3: _wcslen.LIBCMT ref: 00759CBD

Part of subcall function 007B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 007B3CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 007B2043
GetDlgCtrlID.USER32 ref: 007B204E
GetParent.USER32 ref: 007B206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 007B206D
GetDlgCtrlID.USER32(?), ref: 007B2076
GetParent.USER32(?), ref: 007B208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 007B208D

Strings

ComboBox, xrefs: 007B1FCD
ListBox, xrefs: 007B2002

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 34c3c6946f929834c992d1319174c89f5283c4bd6a7b4f93f63c0eab6dc19943
Instruction ID: 3867c5ad19e9d63086dafbe2ab943356b810182a586afbf04a25648ab48f2510
Opcode Fuzzy Hash: 34c3c6946f929834c992d1319174c89f5283c4bd6a7b4f93f63c0eab6dc19943
Instruction Fuzzy Hash: 0621D475901214FBDF11AFA4CC89EEEBBB8EF09300F104445F961A72A2CB7D5959DB60

Function 007E3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 007E3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 007E3AA0
GetWindowLongW.USER32(?,000000F0), ref: 007E3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 007E3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 007E3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 007E3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 007E3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 007E3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 007E3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 007E3C13

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 3d504042ba79ca30ed416f0e9d892663fcee1440e6ee81fe238e90139580ecb1
Instruction ID: 2fdb8827ba8e8e3a43cf2999f39403930b456400cf934627c4930708d39145fe
Opcode Fuzzy Hash: 3d504042ba79ca30ed416f0e9d892663fcee1440e6ee81fe238e90139580ecb1
Instruction Fuzzy Hash: 2D615D75901248AFDB10DF68CC85EEE77B8EB09700F204199FA15A72A1D774AE85DB60

Function 007BB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 007BB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,007BA1E1,?,00000001), ref: 007BB165
GetWindowThreadProcessId.USER32(00000000), ref: 007BB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,007BA1E1,?,00000001), ref: 007BB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 007BB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,007BA1E1,?,00000001), ref: 007BB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,007BA1E1,?,00000001), ref: 007BB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,007BA1E1,?,00000001), ref: 007BB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,007BA1E1,?,00000001), ref: 007BB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,007BA1E1,?,00000001), ref: 007BB21D

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 79a21032e6f361694a1e7c2ea89a3d930010f7ff3420ec68fbef229ac9fe3e1d
Instruction ID: 2578b47786d37c58165c4e18b82d93a5e0d2bbe8eb29dd7577b282b4c65c1c9c
Opcode Fuzzy Hash: 79a21032e6f361694a1e7c2ea89a3d930010f7ff3420ec68fbef229ac9fe3e1d
Instruction Fuzzy Hash: 2D318975600608AFDB219F64DC99FEE7BA9BB95311F108009FE11DA190D7BC9E428F74

Function 00782C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00782C94

Part of subcall function 007829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0078D7D1,00000000,00000000,00000000,00000000,?,0078D7F8,00000000,00000007,00000000,?,0078DBF5,00000000), ref: 007829DE
Part of subcall function 007829C8: GetLastError.KERNEL32(00000000,?,0078D7D1,00000000,00000000,00000000,00000000,?,0078D7F8,00000000,00000007,00000000,?,0078DBF5,00000000,00000000), ref: 007829F0

_free.LIBCMT ref: 00782CA0
_free.LIBCMT ref: 00782CAB
_free.LIBCMT ref: 00782CB6
_free.LIBCMT ref: 00782CC1
_free.LIBCMT ref: 00782CCC
_free.LIBCMT ref: 00782CD7
_free.LIBCMT ref: 00782CE2
_free.LIBCMT ref: 00782CED
_free.LIBCMT ref: 00782CFB

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d0adbd796348f9008d6e7fbcb91e753683a55f74d617d850ca2ef43375f66554
Instruction ID: 7f88800e468d41c6c7cc55eddb4b4fc5758c5ff2a2ef2a223417ef47108efb43
Opcode Fuzzy Hash: d0adbd796348f9008d6e7fbcb91e753683a55f74d617d850ca2ef43375f66554
Instruction Fuzzy Hash: 54119476140108EFCB02FF54D846CDD3BA5BF05361F5244A5FA486B232D639FA519F90

Function 007C7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 007C7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 007C7FC1
GetFileAttributesW.KERNEL32(?), ref: 007C7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 007C8005
SetCurrentDirectoryW.KERNEL32(?), ref: 007C8017
SetCurrentDirectoryW.KERNEL32(?), ref: 007C8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 007C80B0

Strings

*.*, xrefs: 007C8066

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: df3039172e845eaf9cfdb3c2eef25d1e8f287d945517b46f1d4741842623aa10
Instruction ID: 63196a5bbbcc413cefe412574fa900889893e7ed2930549e2b09cc6b5a337390
Opcode Fuzzy Hash: df3039172e845eaf9cfdb3c2eef25d1e8f287d945517b46f1d4741842623aa10
Instruction Fuzzy Hash: 638190725082459BCB28DF14C884EAAB3E8BF89350F54885EF885D7250EB78ED49CF52

Function 00755BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00755C7A

Part of subcall function 00755D0A: GetClientRect.USER32(?,?), ref: 00755D30
Part of subcall function 00755D0A: GetWindowRect.USER32(?,?), ref: 00755D71
Part of subcall function 00755D0A: ScreenToClient.USER32(?,?), ref: 00755D99

GetDC.USER32 ref: 007946F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00794708
SelectObject.GDI32(00000000,00000000), ref: 00794716
SelectObject.GDI32(00000000,00000000), ref: 0079472B
ReleaseDC.USER32(?,00000000), ref: 00794733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 007947C4

Strings

U, xrefs: 00794693

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 430a3a9c0723d2f49b4cf6c3915333a1a15e51333304169246d3b1d11836f857
Instruction ID: 976e137ce77f457fd38d7552971a6399f42a2afcdb5bcc932badf97873640a14
Opcode Fuzzy Hash: 430a3a9c0723d2f49b4cf6c3915333a1a15e51333304169246d3b1d11836f857
Instruction Fuzzy Hash: 8071F235500209DFCF218FA4D984EFA3BB5FF4A365F144269ED515A2A6C3399C42DF60

Function 007C359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 007C35E4

Part of subcall function 00759CB3: _wcslen.LIBCMT ref: 00759CBD

LoadStringW.USER32(00822390,?,00000FFF,?), ref: 007C360A

Strings

^ ERROR, xrefs: 007C36C9
"%s" (%d) : ==> %s:, xrefs: 007C3742
Line %d (File "%s"):, xrefs: 007C366B
"%s" (%d) : ==> %s:%s%s, xrefs: 007C3724
Error: , xrefs: 007C36EF

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 562041c75dfee6998e598d103644832baf81040861a6acf988e4f15c258b13e7
Instruction ID: a618643bdf26ce400509839c17f3108a29d848b76914f85992ac67a5ac5c654d
Opcode Fuzzy Hash: 562041c75dfee6998e598d103644832baf81040861a6acf988e4f15c258b13e7
Instruction Fuzzy Hash: 4C517271800109FADF15EBA0CC8AEEDBB79EF14341F144129F615721A1EB792A99DF60

Function 007E8B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00769BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00769BB2

Part of subcall function 0076912D: GetCursorPos.USER32(?), ref: 00769141
Part of subcall function 0076912D: ScreenToClient.USER32(00000000,?), ref: 0076915E
Part of subcall function 0076912D: GetAsyncKeyState.USER32(00000001), ref: 00769183
Part of subcall function 0076912D: GetAsyncKeyState.USER32(00000002), ref: 0076919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 007E8B6B
ImageList_EndDrag.COMCTL32 ref: 007E8B71
ReleaseCapture.USER32 ref: 007E8B77
SetWindowTextW.USER32(?,00000000), ref: 007E8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 007E8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 007E8CFF

Strings

@GUI_DROPID, xrefs: 007E8C51
@GUI_DRAGFILE, xrefs: 007E8C9A

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 71e9d577218005c05e8aed4f9c4b13dbd4b8bd28cb212e56d7e12716aa301c54
Instruction ID: d4db06a090745c72a8ffee77e819fcbc2e615aa7fc420fc90bc520b5f385decb
Opcode Fuzzy Hash: 71e9d577218005c05e8aed4f9c4b13dbd4b8bd28cb212e56d7e12716aa301c54
Instruction Fuzzy Hash: 1D51AB71105340AFDB00DF24DC9AFAA77E4FB88714F50062DF956A72E1CB78A949CB62

Function 007CC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 007CC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007CC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 007CC2CA
GetLastError.KERNEL32 ref: 007CC322
SetEvent.KERNEL32(?), ref: 007CC336
InternetCloseHandle.WININET(00000000), ref: 007CC341

Strings

, xrefs: 007CC2BB

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: a0bd03fa9ba6039ff7f9a3b25906169bb06cc5d2ceff9ccc94c807d860bec278
Instruction ID: bce0b7f092310f6ed6ce5d97bb171f0617392c19bea10e027330ed8d702472b2
Opcode Fuzzy Hash: a0bd03fa9ba6039ff7f9a3b25906169bb06cc5d2ceff9ccc94c807d860bec278
Instruction Fuzzy Hash: 87319CB1600248AFD7229FA49C88FAB7BFCEB49740F14851EF44AD6201DB38DD458B66

Function 007B989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00793AAF,?,?,Bad directive syntax error,007ECC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 007B98BC
LoadStringW.USER32(00000000,?,00793AAF,?), ref: 007B98C3

Part of subcall function 00759CB3: _wcslen.LIBCMT ref: 00759CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 007B9987

Strings

., xrefs: 007B996D
%s (%d) : ==> %s.: %s %s, xrefs: 007B98F1
Line %d:, xrefs: 007B9912
Line %d (File "%s"):, xrefs: 007B992D
Error: , xrefs: 007B9955

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: b34787e2305cf734a755080862c113b00cbe8f946e3181a62c8702801d501e92
Instruction ID: bc3730ba356615967969a93716e8932d69462f6dee9090bd2e8d83e36845a811
Opcode Fuzzy Hash: b34787e2305cf734a755080862c113b00cbe8f946e3181a62c8702801d501e92
Instruction Fuzzy Hash: 4E21A831D0021DEBDF11AF90CC0AEEE7739FF18301F044465FA29650A2EB79A668CB10

Function 007B209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 007B20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 007B20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 007B214D

Strings

details, xrefs: 007B20FB
list, xrefs: 007B212F
SHELLDLL_DefView, xrefs: 007B20CC
largeicons, xrefs: 007B20E1
smallicons, xrefs: 007B2115

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 338c82036356991bab66108bd68595a9364420994d2cdbd5a79ee93caa36c12c
Instruction ID: f0262a3ba7a5e930d4b7965c8b610872f9e914ddb5968a462576f84b1178b1ca
Opcode Fuzzy Hash: 338c82036356991bab66108bd68595a9364420994d2cdbd5a79ee93caa36c12c
Instruction Fuzzy Hash: 58110A7A68970EF9FA012228DC0AEE7379CDF44764B208016FB04F91D3FB6D58435614

Function 0078CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0078CEB7
_free.LIBCMT ref: 0078CF22
_free.LIBCMT ref: 0078CF48
_free.LIBCMT ref: 0078CF71
_free.LIBCMT ref: 0078CFA9
_free.LIBCMT ref: 0078CFDA
_free.LIBCMT ref: 0078D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0078D09C
_free.LIBCMT ref: 0078D0B5

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 65cc830188d2e38c30ba3d4c6395b5b4bd57b2e886d5fb5ed1e8e2695be42b41
Instruction ID: c6c9f161b03c1b76382a3b611ec1f84c6771b4d3a650fd00de9fe6c12a7f09f4
Opcode Fuzzy Hash: 65cc830188d2e38c30ba3d4c6395b5b4bd57b2e886d5fb5ed1e8e2695be42b41
Instruction Fuzzy Hash: B0613D72985301EFEF32BFB49845A6D7B95EF05320F14416EFA44A7283D63D9D029B60

Function 00768B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 007A6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 007A68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 007A68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 007A68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 007A68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00768874,00000000,00000000,00000000,000000FF,00000000), ref: 007A6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 007A691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00768874,00000000,00000000,00000000,000000FF,00000000), ref: 007A692D

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 93c388978f29d616193ddf5b0b7378b79b7972705f0565612bba6f1d977b4cda
Instruction ID: 1c1256a40e3979f79fb0dc8e699154461dbaa66c2a1bdce03081be67f7362d89
Opcode Fuzzy Hash: 93c388978f29d616193ddf5b0b7378b79b7972705f0565612bba6f1d977b4cda
Instruction Fuzzy Hash: AE518CB0600209EFDB20CF24CC95FAA7BB5FB99750F144618F916972A0DB78E991DB50

Function 007CC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 007CC182
GetLastError.KERNEL32 ref: 007CC195
SetEvent.KERNEL32(?), ref: 007CC1A9

Part of subcall function 007CC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 007CC272
Part of subcall function 007CC253: GetLastError.KERNEL32 ref: 007CC322
Part of subcall function 007CC253: SetEvent.KERNEL32(?), ref: 007CC336
Part of subcall function 007CC253: InternetCloseHandle.WININET(00000000), ref: 007CC341

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 474021f7f1eed65cf6970d93d7fa6acd74609182273b6a2097e76f6eb9c114f3
Instruction ID: 58007df038977dd0b20035028993e7ab8b1ec2968ee67f0917ced986d8aeaa68
Opcode Fuzzy Hash: 474021f7f1eed65cf6970d93d7fa6acd74609182273b6a2097e76f6eb9c114f3
Instruction Fuzzy Hash: FC318D75601645EFDB229FA5DC48F66BBFDFF18300B04841DF95A8A610D738E8159BA0

Function 007B25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 007B3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 007B3A57
Part of subcall function 007B3A3D: GetCurrentThreadId.KERNEL32 ref: 007B3A5E
Part of subcall function 007B3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007B25B3), ref: 007B3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 007B25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 007B25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 007B25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 007B25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 007B2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 007B2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 007B260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 007B2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 007B2627

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 605ccd60abc8c64c176ee70bd36fb8475b510467c24f12c9595d703aa9bea6db
Instruction ID: 5acac858dc09c6b034be0a2d8cb42b4ab3fd6ba4f0250f04032dad1cfb4bd2b3
Opcode Fuzzy Hash: 605ccd60abc8c64c176ee70bd36fb8475b510467c24f12c9595d703aa9bea6db
Instruction Fuzzy Hash: 6801D470391254BBFB2067699CCEF9A3F59DF4EB12F104051F318AE0D1C9FA28468A6D

Function 007B1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,007B1449,?,?,00000000), ref: 007B180C
HeapAlloc.KERNEL32(00000000,?,007B1449,?,?,00000000), ref: 007B1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,007B1449,?,?,00000000), ref: 007B1828
GetCurrentProcess.KERNEL32(?,00000000,?,007B1449,?,?,00000000), ref: 007B1830
DuplicateHandle.KERNEL32(00000000,?,007B1449,?,?,00000000), ref: 007B1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,007B1449,?,?,00000000), ref: 007B1843
GetCurrentProcess.KERNEL32(007B1449,00000000,?,007B1449,?,?,00000000), ref: 007B184B
DuplicateHandle.KERNEL32(00000000,?,007B1449,?,?,00000000), ref: 007B184E
CreateThread.KERNEL32(00000000,00000000,007B1874,00000000,00000000,00000000), ref: 007B1868

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 85ee3f35678250ebf8b8826b1f33af401f5aa14d2f2386ea856c7772fa96d8fe
Instruction ID: 390643100e6bb9c795177f14fb4c706278b97d1954a2d4a96733ad2e2984c4d3
Opcode Fuzzy Hash: 85ee3f35678250ebf8b8826b1f33af401f5aa14d2f2386ea856c7772fa96d8fe
Instruction Fuzzy Hash: 0001BFB5241348BFE711AB65DC8EF573B6CEB89B11F418411FA05DF191C6749C01CB24

Function 00783E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00783F0B
__alldvrm.LIBCMT ref: 0078410C
__alldvrm.LIBCMT ref: 0078412E

Strings

}}w, xrefs: 00783E96, 00783EF1, 00783F0A, 00784090
}}w, xrefs: 007840CD
}}w, xrefs: 00783E8A

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}w$}}w$}}w
API String ID: 1036877536-3791704549
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: e0eeaadaf9db1030132cbe9070e642d4aa8dc1b8542b4bcbaa742c8ec87be787
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 5CA16B72E803879FDB11EF18C8957AEBBE5EF61350F1441ADE6859B282C67C8D41C790

Function 007DA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 007BD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 007BD501
Part of subcall function 007BD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 007BD50F
Part of subcall function 007BD4DC: CloseHandle.KERNELBASE(00000000), ref: 007BD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 007DA16D
GetLastError.KERNEL32 ref: 007DA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 007DA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 007DA268
GetLastError.KERNEL32(00000000), ref: 007DA273
CloseHandle.KERNEL32(00000000), ref: 007DA2C4

Strings

SeDebugPrivilege, xrefs: 007DA18F

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: e5441e82c1c4f0311784674ce18b1e9a2bd61149912fe1b32e0f3aaf5bdf904b
Instruction ID: f9ac887cef70c83518e02fc17c34900608b65cd3868ed424eec2788441576130
Opcode Fuzzy Hash: e5441e82c1c4f0311784674ce18b1e9a2bd61149912fe1b32e0f3aaf5bdf904b
Instruction Fuzzy Hash: 3D619E31204242AFD710DF19C498F55BBF1BF44318F58849DE4668B7A2C77AED49CB92

Function 007E3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 007E3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 007E393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 007E3954
_wcslen.LIBCMT ref: 007E3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 007E39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 007E39F4

Strings

SysListView32, xrefs: 007E38F7

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 31e0634df0674d1dfea59e21c0cbd7739a4e736f76718f67fc7fbb01fe5f824c
Instruction ID: 643e8a85fd159b16bb369d5496471acdd93eac86015f411beaaf698a98bc2507
Opcode Fuzzy Hash: 31e0634df0674d1dfea59e21c0cbd7739a4e736f76718f67fc7fbb01fe5f824c
Instruction Fuzzy Hash: 0441E471A01258ABEF219F65CC49FEA77A9FF0C354F100126F958E7281D7799E80CB90

Function 007BBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007BBCFD
IsMenu.USER32(00000000), ref: 007BBD1D
CreatePopupMenu.USER32 ref: 007BBD53
GetMenuItemCount.USER32(016F56E0), ref: 007BBDA4
InsertMenuItemW.USER32(016F56E0,?,00000001,00000030), ref: 007BBDCC

Strings

2, xrefs: 007BBD37
0, xrefs: 007BBCA8

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: d38c6d110d64998810a90a5b41eef25f6c9df8e4bcaca121a82bd840ec7defe5
Instruction ID: 9e17769c0914f056e032fafcecd99651160750bfaa11dc5769cc2de12d90e755
Opcode Fuzzy Hash: d38c6d110d64998810a90a5b41eef25f6c9df8e4bcaca121a82bd840ec7defe5
Instruction Fuzzy Hash: 15518E70704205DBDF11CFA8D888BEEBBF4AF49314F248559E8119B291D7BCA941CB61

Function 00772D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00772D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00772D53
_ValidateLocalCookies.LIBCMT ref: 00772DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00772E0C
_ValidateLocalCookies.LIBCMT ref: 00772E61

Strings

csm, xrefs: 00772DF6
&Hw, xrefs: 00772DFE, 00772E07, 00772E18

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &Hw$csm
API String ID: 1170836740-3565755670
Opcode ID: 50868a1e2580a4c81877904ac9ac176dd99e0b620e5c5ede451b9f808a50d4cf
Instruction ID: b1140ddf6080762b41ec400643e9f940bf3d94430fcfa8e05db93c28a019b5e4
Opcode Fuzzy Hash: 50868a1e2580a4c81877904ac9ac176dd99e0b620e5c5ede451b9f808a50d4cf
Instruction Fuzzy Hash: 88419334E00209EBCF10DF68C849A9EBBA5BF45394F14C155E8286B353D779AA12CBE1

Function 007BC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 007BC913

Strings

info, xrefs: 007BC8B4
blank, xrefs: 007BC895
question, xrefs: 007BC8CC
stop, xrefs: 007BC8E4
warning, xrefs: 007BC8FC

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 0d7f435795e1b1039d86727289b1561167b4d19baede94da2ca4ece723550d68
Instruction ID: 142085e65cb68fe02cdd6aed2a7fe145ed7144c71303fe438124eb470d679911
Opcode Fuzzy Hash: 0d7f435795e1b1039d86727289b1561167b4d19baede94da2ca4ece723550d68
Instruction Fuzzy Hash: EF110D31689307FEFB025B549C83EEA679CDF55355B11C42AF504F62C2E77C6D405268

Function 007BDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 007BDE42
gethostname.WSOCK32(?,00000100), ref: 007BDE5C
gethostbyname.WSOCK32(?), ref: 007BDE69
inet_ntoa.WSOCK32(?), ref: 007BDEAB
_strcat.LIBCMT ref: 007BDEB9
WSACleanup.WSOCK32 ref: 007BDEDE

Strings

0.0.0.0, xrefs: 007BDE87

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: f4d50a1dd79b7fce6f678c4e83fb25ad36b7de2728248e3f32075b7c0db66520
Instruction ID: 38c988bd0e248b83bbe73d86c47e138142a40c72b2762150f28b2a37fbb634de
Opcode Fuzzy Hash: f4d50a1dd79b7fce6f678c4e83fb25ad36b7de2728248e3f32075b7c0db66520
Instruction Fuzzy Hash: F911E175904204EBDB31AB20DC4AEEE77ACDF15750F0041A9F549AA091FFBDDE828A60

Function 007E9F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00769BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00769BB2

GetSystemMetrics.USER32(0000000F), ref: 007E9FC7
GetSystemMetrics.USER32(0000000F), ref: 007E9FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 007EA224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 007EA242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 007EA263
ShowWindow.USER32(00000003,00000000), ref: 007EA282
InvalidateRect.USER32(?,00000000,00000001), ref: 007EA2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 007EA2CA

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 6cb5b083e1bfade3706532ce97f293f64ff5a706ce2c394bb0a45674d85f6b95
Instruction ID: a746b190d885a27bd80472401bfe42417152b22de280cac1e0afc4cdf91fd10c
Opcode Fuzzy Hash: 6cb5b083e1bfade3706532ce97f293f64ff5a706ce2c394bb0a45674d85f6b95
Instruction Fuzzy Hash: C3B1C831601259EBCF14CF6AC9C57AA7BB2FF88301F18C069ED49AF295D739A940CB51

Function 007BED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 007BED2A
_wcslen.LIBCMT ref: 007BED3B
_wcslen.LIBCMT ref: 007BED79
_wcslen.LIBCMT ref: 007BEDAF
_wcslen.LIBCMT ref: 007BEDDF
_wcslen.LIBCMT ref: 007BEDEF
_wcslen.LIBCMT ref: 007BEE2B
_wcslen.LIBCMT ref: 007BEE5A

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 2adc27d1cc2fbd0d4c5467bd5bf11e7e7fe904dd138ac1567a7bd7c5b57e93dd
Instruction ID: db819cadfad3931a29484faefd47412c03cb49c618d2a8cc95038bdba585dbc7
Opcode Fuzzy Hash: 2adc27d1cc2fbd0d4c5467bd5bf11e7e7fe904dd138ac1567a7bd7c5b57e93dd
Instruction Fuzzy Hash: C441D865D10118B6CF11EBF4888EACF77B8AF45340F00C566E618E3222FB38E255C7A6

Function 0076F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,007A682C,00000004,00000000,00000000), ref: 0076F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,007A682C,00000004,00000000,00000000), ref: 007AF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,007A682C,00000004,00000000,00000000), ref: 007AF454

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 189c2709a128a4b9eda5e9008b3cdb0e5d1645bbde3acc90a59d42088b41773e
Instruction ID: ecad6217761431a0318a21904bc557e524a19ffbed0b3ad1414d674ad95e71b0
Opcode Fuzzy Hash: 189c2709a128a4b9eda5e9008b3cdb0e5d1645bbde3acc90a59d42088b41773e
Instruction Fuzzy Hash: 43410F715047C0FEDB399B69E8CC72A7BA1AB9B314F14853CE857E6560C63DB481C711

Function 007E2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 007E2D1B
GetDC.USER32(00000000), ref: 007E2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007E2D2E
ReleaseDC.USER32(00000000,00000000), ref: 007E2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 007E2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 007E2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,007E5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 007E2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 007E2DE1

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 18925588ec45c98137cea98051ea3888bc1b17a0eaedc966d6c1564a00f73d9e
Instruction ID: 68f78f84ddb6bd3bb8bc793aa276a190b8fbf6630f365e8c699466079319d0f9
Opcode Fuzzy Hash: 18925588ec45c98137cea98051ea3888bc1b17a0eaedc966d6c1564a00f73d9e
Instruction Fuzzy Hash: F931AD76202294BBEB118F148C8AFEB3BADEB0D711F048055FE089E291C6798C42C7A4

Function 007B5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 007B5637
_memcmp.LIBVCRUNTIME ref: 007B5659
_memcmp.LIBVCRUNTIME ref: 007B5671
_memcmp.LIBVCRUNTIME ref: 007B5684
_memcmp.LIBVCRUNTIME ref: 007B569E
_memcmp.LIBVCRUNTIME ref: 007B56B1
_memcmp.LIBVCRUNTIME ref: 007B56C9
_memcmp.LIBVCRUNTIME ref: 007B56E4

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: b4e378034991e8e5c43fa77cc5fccee208e8999fa01f85b2a133bbeba1897f7b
Instruction ID: 15c03e9378a5c1b749267d6ee4d2557ff3c63fc161f1eb64c81d7cd3e3d0e3ff
Opcode Fuzzy Hash: b4e378034991e8e5c43fa77cc5fccee208e8999fa01f85b2a133bbeba1897f7b
Instruction Fuzzy Hash: 0721C9B1741A09B7E61456259D86FFA335CAF247CCFA44020FD089A981FB7CEE1183B5

Function 007D4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 007D502E, 007D5383
Not an Object type, xrefs: 007D5007

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: bf644609f08a0c0ecfeb4a6f925aa1177c6cab735923beb3ff3d77e15788b3cc
Instruction ID: 007a0aa32606da8abbbc7bf9bb0086f44ff8b17462de28b774d01871d5e12f4c
Opcode Fuzzy Hash: bf644609f08a0c0ecfeb4a6f925aa1177c6cab735923beb3ff3d77e15788b3cc
Instruction Fuzzy Hash: 9AD1C171A0060A9FDF10CFA8C885BAEB7B5BF48344F14806AE915AB381E775DD45CBA0

Function 00791522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,007917FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 007915CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,007917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00791651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,007917FB,?,007917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 007916E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,007917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 007916FB

Part of subcall function 00783820: RtlAllocateHeap.NTDLL(00000000,?,00821444,?,0076FDF5,?,?,0075A976,00000010,00821440,007513FC,?,007513C6,?,00751129), ref: 00783852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,007917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00791777
__freea.LIBCMT ref: 007917A2
__freea.LIBCMT ref: 007917AE

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: c1bc87e0b617b1cc2dcf0e2d02746780477a0f12a367350bb7fe159f4a04f5d9
Instruction ID: b4cb7a57108684d65b79c74c61b39d9e541897967adc8755f43662399f101b36
Opcode Fuzzy Hash: c1bc87e0b617b1cc2dcf0e2d02746780477a0f12a367350bb7fe159f4a04f5d9
Instruction Fuzzy Hash: BC91E672E002179EDF218EB4EC85AEE7BB59F49710F994659E801E7181DB3DCD60CB60

Function 007D4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007D4648
VariantInit.OLEAUT32(?), ref: 007D4749
VariantClear.OLEAUT32(?), ref: 007D4753
VariantClear.OLEAUT32(?), ref: 007D47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 007D472C
Null Object assignment in FOR..IN loop, xrefs: 007D45D8, 007D4706, 007D47BE

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 232c48bd3f8e100a9c546116db1a6a7280ec00d3e6c844effce6c178e41bafa2
Instruction ID: 931840572bba5739286b29c5d6a399e048ee284b2f1644714c827737ead4d858
Opcode Fuzzy Hash: 232c48bd3f8e100a9c546116db1a6a7280ec00d3e6c844effce6c178e41bafa2
Instruction Fuzzy Hash: 14919271A00215EBDF20CFA5DC88FAE7BB8EF46720F14855AF515AB280D7789945CFA0

Function 007C1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 007C125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 007C1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 007C12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007C12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007C135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007C13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007C1430

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 25ee2a0ab424faa8bc315a1dd0b331e169d00fe6ff9ed23af162f082c4cd6bff
Instruction ID: a5875c38b1c2c0387906d7fd7024ef28c1d68e8aa62486c67880a4b3c52422ef
Opcode Fuzzy Hash: 25ee2a0ab424faa8bc315a1dd0b331e169d00fe6ff9ed23af162f082c4cd6bff
Instruction Fuzzy Hash: 6591AC75A00218DFDB059FA4C888FAEB7B5FF46325F54802DE950EB292D77CA941CB90

Function 0076948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 7dbee38bda1128042cf66044dcf2624df1ad7e081a8576e184b0776d8ff865dc
Instruction ID: 7a36c5d4ed511b729cfd86f4bf5e756d3cd45c71724e2da14433077e978bf27c
Opcode Fuzzy Hash: 7dbee38bda1128042cf66044dcf2624df1ad7e081a8576e184b0776d8ff865dc
Instruction Fuzzy Hash: BB913A71D00219EFCB15CFA9CC84AEEBBB8FF49320F148155E916B7291D778A952CB60

Function 007D3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007D396B
CharUpperBuffW.USER32(?,?), ref: 007D3A7A
_wcslen.LIBCMT ref: 007D3A8A
VariantClear.OLEAUT32(?), ref: 007D3C1F

Part of subcall function 007C0CDF: VariantInit.OLEAUT32(00000000), ref: 007C0D1F
Part of subcall function 007C0CDF: VariantCopy.OLEAUT32(?,?), ref: 007C0D28
Part of subcall function 007C0CDF: VariantClear.OLEAUT32(?), ref: 007C0D34

Strings

Incorrect Parameter format, xrefs: 007D39A6, 007D3BA1
AUTOIT.ERROR, xrefs: 007D3A80, 007D3A85

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 765816ce14fa2903d28ddecaa893c17af7b5e38fc61c3cfbbae7895a39e67dcc
Instruction ID: f39b16864602353c0fcded1f7739cf736c78f717ce0dddbe5c636938b75c9dea
Opcode Fuzzy Hash: 765816ce14fa2903d28ddecaa893c17af7b5e38fc61c3cfbbae7895a39e67dcc
Instruction Fuzzy Hash: 44913374608345DFC704DF24C48596AB7E4BF89314F14892EF88A9B351DB38EE49CB92

Function 007D4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 007B000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,007AFF41,80070057,?,?,?,007B035E), ref: 007B002B
Part of subcall function 007B000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,007AFF41,80070057,?,?), ref: 007B0046
Part of subcall function 007B000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,007AFF41,80070057,?,?), ref: 007B0054
Part of subcall function 007B000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,007AFF41,80070057,?), ref: 007B0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 007D4C51
_wcslen.LIBCMT ref: 007D4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 007D4DCF
CoTaskMemFree.OLE32(?), ref: 007D4DDA

Strings

NULL Pointer assignment, xrefs: 007D4E23, 007D4E52

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: e88abd50076eb3236a1b16ba2be1bef41c9d26734f0238e79d800876bff8e1de
Instruction ID: 143d68de9e82afcba9809545a4f002d787672a313898d417bb48f1b7d1fd8620
Opcode Fuzzy Hash: e88abd50076eb3236a1b16ba2be1bef41c9d26734f0238e79d800876bff8e1de
Instruction Fuzzy Hash: DA913B71D0021DEFDF11DFA4C894AEEB7B9BF08310F10856AE915AB241DB789A45CF60

Function 007E20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 007E2183
GetMenuItemCount.USER32(00000000), ref: 007E21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 007E21DD
_wcslen.LIBCMT ref: 007E2213
GetMenuItemID.USER32(?,?), ref: 007E224D
GetSubMenu.USER32(?,?), ref: 007E225B

Part of subcall function 007B3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 007B3A57
Part of subcall function 007B3A3D: GetCurrentThreadId.KERNEL32 ref: 007B3A5E
Part of subcall function 007B3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007B25B3), ref: 007B3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007E22E3

Part of subcall function 007BE97B: Sleep.KERNEL32 ref: 007BE9F3

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 0e9bab8e1c0f3ccf524f15fc4ae5e8dae16ef9598b74b965995d1888fd4732bc
Instruction ID: a5eb27b49e0a26437d85a7cdda4e0538fc660d282bb7056eb3bf301bc9348687
Opcode Fuzzy Hash: 0e9bab8e1c0f3ccf524f15fc4ae5e8dae16ef9598b74b965995d1888fd4732bc
Instruction Fuzzy Hash: 9A71AF35A00245EFCB11DF65C885AAEB7F9FF4C310F158458E916AB342DB38AE428B90

Function 007E7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(016F5758), ref: 007E7F37
IsWindowEnabled.USER32(016F5758), ref: 007E7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 007E801E
SendMessageW.USER32(016F5758,000000B0,?,?), ref: 007E8051
IsDlgButtonChecked.USER32(?,?), ref: 007E8089
GetWindowLongW.USER32(016F5758,000000EC), ref: 007E80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 007E80C3

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 9940d322c51fb99c6f836212560e2c6cfbda125d86753533b8fb3bf69c2a6695
Instruction ID: 9df7a880e2185b6aeac5e23fcac718b9f25c13a5aeeccecb0888faa0ed49f1c6
Opcode Fuzzy Hash: 9940d322c51fb99c6f836212560e2c6cfbda125d86753533b8fb3bf69c2a6695
Instruction Fuzzy Hash: 6871B03460A284AFEF29DF56C8C4FAABBB9FF0D300F144459E94597261CB39AC56CB11

Function 007BAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 007BAEF9
GetKeyboardState.USER32(?), ref: 007BAF0E
SetKeyboardState.USER32(?), ref: 007BAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 007BAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 007BAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 007BAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 007BB020

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: fa9c1b8318520c8a99f0bf6470c51468012ccd196b47224420881cae038ebbce
Instruction ID: 52e4a992f07763d98928d506217fd81b68d5114f2ea139ff3af346a80b61dbbe
Opcode Fuzzy Hash: fa9c1b8318520c8a99f0bf6470c51468012ccd196b47224420881cae038ebbce
Instruction Fuzzy Hash: 7A51A1A0A047D53DFB3662348C49BFBBEA95B06304F088589E5E9958C2D3DDECC8D751

Function 007BACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 007BAD19
GetKeyboardState.USER32(?), ref: 007BAD2E
SetKeyboardState.USER32(?), ref: 007BAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 007BADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 007BADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 007BAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 007BAE38

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 2e20956c12ebd36d687ea7b6259006218a8d2a5f066e8fbca0b3e801bb0db8a5
Instruction ID: 2aa0861aad63babbd73c58b2a6ec43ccfdce88c627216839979bfc856bde6fbc
Opcode Fuzzy Hash: 2e20956c12ebd36d687ea7b6259006218a8d2a5f066e8fbca0b3e801bb0db8a5
Instruction Fuzzy Hash: 6151D7A16047D53DFB379334CC96BFA7EA96B46300F088589E1D55A8C2D39CEC88D762

Function 0078542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00793CD6,?,?,?,?,?,?,?,?,00785BA3,?,?,00793CD6,?,?), ref: 00785470
__fassign.LIBCMT ref: 007854EB
__fassign.LIBCMT ref: 00785506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00793CD6,00000005,00000000,00000000), ref: 0078552C
WriteFile.KERNEL32(?,00793CD6,00000000,00785BA3,00000000,?,?,?,?,?,?,?,?,?,00785BA3,?), ref: 0078554B
WriteFile.KERNEL32(?,?,00000001,00785BA3,00000000,?,?,?,?,?,?,?,?,?,00785BA3,?), ref: 00785584

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 85f3c8d413e09d0a05596c3b48270c2054a2d7c2b35b126edf11ecba5869a01f
Instruction ID: fea97bd720c72ed610cc7465f8702c0a1a75210929ffddbb925cb2364a538a03
Opcode Fuzzy Hash: 85f3c8d413e09d0a05596c3b48270c2054a2d7c2b35b126edf11ecba5869a01f
Instruction Fuzzy Hash: 9151E670A406489FDB11DFA8D885AEEBBFAFF08310F14411AF955E7292E734DA51CB60

Function 007D10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007D304E: inet_addr.WSOCK32(?), ref: 007D307A
Part of subcall function 007D304E: _wcslen.LIBCMT ref: 007D309B

socket.WSOCK32(00000002,00000001,00000006), ref: 007D1112
WSAGetLastError.WSOCK32 ref: 007D1121
WSAGetLastError.WSOCK32 ref: 007D11C9
closesocket.WSOCK32(00000000), ref: 007D11F9

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: c30695322959f55f2baf6df397e50f7b23e54331a87cdfc4ba12ce28b9b25588
Instruction ID: fec40fdfae3b1d3cf59e413c1a5b3e1e999e053af7c1804c6d26ee33132ee49c
Opcode Fuzzy Hash: c30695322959f55f2baf6df397e50f7b23e54331a87cdfc4ba12ce28b9b25588
Instruction Fuzzy Hash: DF411235200208AFDB119F64C888BAABBFAEF45324F14805AFD159F391C779AD45CBE1

Function 007BCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 007BDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007BCF22,?), ref: 007BDDFD

Part of subcall function 007BDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,007BCF22,?), ref: 007BDE16

lstrcmpiW.KERNEL32(?,?), ref: 007BCF45
MoveFileW.KERNEL32(?,?), ref: 007BCF7F
_wcslen.LIBCMT ref: 007BD005
_wcslen.LIBCMT ref: 007BD01B
SHFileOperationW.SHELL32(?), ref: 007BD061

Strings

\*.*, xrefs: 007BCFF3

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: e79419c86389851787d23b85cddff0f1d2cc8094659f5ad8dc371be36af44977
Instruction ID: 87621f4dc3140e257db828dc0399dca1d6dfc21eaaa74783db172f1b0b364f56
Opcode Fuzzy Hash: e79419c86389851787d23b85cddff0f1d2cc8094659f5ad8dc371be36af44977
Instruction Fuzzy Hash: 5741587690521D9FDF13EFA4C985BEDB7B9AF08380F1440E6E509EB141EB38AA45CB50

Function 007E2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 007E2E1C
GetWindowLongW.USER32(?,000000F0), ref: 007E2E4F
GetWindowLongW.USER32(?,000000F0), ref: 007E2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 007E2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 007E2EE0
GetWindowLongW.USER32(?,000000F0), ref: 007E2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007E2F0B

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 34368a14348066bc456e0939497701c7387bcc7580f0750921df86b3aa83061c
Instruction ID: 7755d33f3e27f563fb56f91f9c19662627608c05ad45543044686eef37973450
Opcode Fuzzy Hash: 34368a14348066bc456e0939497701c7387bcc7580f0750921df86b3aa83061c
Instruction Fuzzy Hash: 4E3114346062A0AFDB218F19DC88F6537E8FB5E710F2441A5F9008F2B2CB75AC829B45

Function 007B7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007B7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007B778F
SysAllocString.OLEAUT32(00000000), ref: 007B7792
SysAllocString.OLEAUT32(?), ref: 007B77B0
SysFreeString.OLEAUT32(?), ref: 007B77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 007B77DE
SysAllocString.OLEAUT32(?), ref: 007B77EC

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: a1d0c4a3e6a6e6d435811281f5386c385548c53758bea913a9b90535bc11e746
Instruction ID: 6719a4f48a9d3353d073d095ae131dbab9e7e0b01ad1c0190a503949aa6fc344
Opcode Fuzzy Hash: a1d0c4a3e6a6e6d435811281f5386c385548c53758bea913a9b90535bc11e746
Instruction Fuzzy Hash: 4421E07A604249AFDB00DFA8CC88DFB37ACEB49364B008025FA15CF190DA78DC42C764

Function 007B77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007B7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007B7868
SysAllocString.OLEAUT32(00000000), ref: 007B786B
SysAllocString.OLEAUT32 ref: 007B788C
SysFreeString.OLEAUT32 ref: 007B7895
StringFromGUID2.OLE32(?,?,00000028), ref: 007B78AF
SysAllocString.OLEAUT32(?), ref: 007B78BD

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 7a072c4b2224b8ae80db285037479117057bcf1d8f19c016e9e8b6b11ebe4738
Instruction ID: 4cf6c4ce4aab18c3ba8d2a4ca321f698169712bdd7a74ec649e4924fb3e4cf53
Opcode Fuzzy Hash: 7a072c4b2224b8ae80db285037479117057bcf1d8f19c016e9e8b6b11ebe4738
Instruction Fuzzy Hash: 7821B375609204AFDB159FB8DC8CEAA77ECEB4D3607108125F915CF2A1D678DC41CB68

Function 007C04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 007C04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 007C052E

Strings

nul, xrefs: 007C0567

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: dcb25443e9ba57ac174e550ac83f6546764f76313af5e03775b4f03c7b185bc0
Instruction ID: 4aeaec6bacc094dee3e29535c6597aefabe1bde10ca7e90104fe2b503401c8ab
Opcode Fuzzy Hash: dcb25443e9ba57ac174e550ac83f6546764f76313af5e03775b4f03c7b185bc0
Instruction Fuzzy Hash: 61215E75500305EBDF209F29E848F9A77A8BF49724F204A1DF8A1D62E0D7749961CFE0

Function 007C05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 007C05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 007C0601

Strings

nul, xrefs: 007C0639

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 03cc48b2cf9e25d4333b515e337b9bdfb7c580e746bc52ce042c91efb73aa428
Instruction ID: 7ba06db62d39fd25b5e2db0a83e84b8a30a593d2e79c4c2457e7f4ff106b84d8
Opcode Fuzzy Hash: 03cc48b2cf9e25d4333b515e337b9bdfb7c580e746bc52ce042c91efb73aa428
Instruction Fuzzy Hash: 82219F79500315DBDB208F689C48F9A77A8BF85B20F204A1DE8A1E72E0D7789861CBD0

Function 007E40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0075600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0075604C
Part of subcall function 0075600E: GetStockObject.GDI32(00000011), ref: 00756060
Part of subcall function 0075600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0075606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 007E4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 007E411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 007E412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 007E4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 007E4145

Strings

Msctls_Progress32, xrefs: 007E40E3

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: b8d58308c95a5f72bbf91a3e4a99668135bb323b4778f9b175a619cae7ce5d1b
Instruction ID: d019404983dd5a4022a6d3d13d265a6048edde6411a8a04503646390a4710ed6
Opcode Fuzzy Hash: b8d58308c95a5f72bbf91a3e4a99668135bb323b4778f9b175a619cae7ce5d1b
Instruction Fuzzy Hash: 111190B214021DBEEF119E65CC85EE77FADEF08798F014120BA18A6190C67A9C61DBA4

Function 0078D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0078D7A3: _free.LIBCMT ref: 0078D7CC

_free.LIBCMT ref: 0078D82D

Part of subcall function 007829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0078D7D1,00000000,00000000,00000000,00000000,?,0078D7F8,00000000,00000007,00000000,?,0078DBF5,00000000), ref: 007829DE
Part of subcall function 007829C8: GetLastError.KERNEL32(00000000,?,0078D7D1,00000000,00000000,00000000,00000000,?,0078D7F8,00000000,00000007,00000000,?,0078DBF5,00000000,00000000), ref: 007829F0

_free.LIBCMT ref: 0078D838
_free.LIBCMT ref: 0078D843
_free.LIBCMT ref: 0078D897
_free.LIBCMT ref: 0078D8A2
_free.LIBCMT ref: 0078D8AD
_free.LIBCMT ref: 0078D8B8

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 44ad95561b39b3347f37fe05a3eda9577b614cc9b911b1ffbe552f6b0ab55132
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: DA11F9715C0B04EAD631BFB1CC4AFCB7B9CAF04711F404825F299A64E2DA6DB9068B60

Function 007BDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 007BDA74
LoadStringW.USER32(00000000), ref: 007BDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 007BDA91
LoadStringW.USER32(00000000), ref: 007BDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 007BDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 007BDAB9

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: e0f4fdde29006b693b02da5f953f03a23fd8c4c6451f2345e0c302b894fa0095
Instruction ID: d44f7ccfd10dcac4b87f74fbc650f9dc1a2bc290fceaba1736e5692c9b027dc3
Opcode Fuzzy Hash: e0f4fdde29006b693b02da5f953f03a23fd8c4c6451f2345e0c302b894fa0095
Instruction Fuzzy Hash: 240186F6500348BFEB119BA09DC9EE7736CEB0C305F408491B756E6041E6789E858F78

Function 007C096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(016ED390,016ED390), ref: 007C097B
EnterCriticalSection.KERNEL32(016ED370,00000000), ref: 007C098D
TerminateThread.KERNEL32(?,000001F6), ref: 007C099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 007C09A9
CloseHandle.KERNEL32(?), ref: 007C09B8
InterlockedExchange.KERNEL32(016ED390,000001F6), ref: 007C09C8
LeaveCriticalSection.KERNEL32(016ED370), ref: 007C09CF

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: a2dbd732fe0e5739d33d3dc5d1362411c788d784e8d6d3047e3b259ce3fb3e99
Instruction ID: 790c8afb5c98b5755e776f0bdd721a9df5ee30c4f9bf7268ef4bd03dec778410
Opcode Fuzzy Hash: a2dbd732fe0e5739d33d3dc5d1362411c788d784e8d6d3047e3b259ce3fb3e99
Instruction Fuzzy Hash: D7F01D31443642EBD7425B94EECDBD67B29BF09702F405019F201588A0C778A466CFD4

Function 007D1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?), ref: 007D1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 007D1DE1
WSAGetLastError.WSOCK32 ref: 007D1DF2
htons.WSOCK32(?), ref: 007D1EDB
inet_ntoa.WSOCK32(?), ref: 007D1E8C

Part of subcall function 007B39E8: _strlen.LIBCMT ref: 007B39F2

Part of subcall function 007D3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,007CEC0C), ref: 007D3240

_strlen.LIBCMT ref: 007D1F35

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: c7ea9d2856845fcd0cc32235c2bc9eda4775e1db330279bf5ed2e2343a38c653
Instruction ID: ecf333cc37b392becf93b83c3fdc72d10f170ffc0cc729f02c45ed545edca62a
Opcode Fuzzy Hash: c7ea9d2856845fcd0cc32235c2bc9eda4775e1db330279bf5ed2e2343a38c653
Instruction Fuzzy Hash: 2DB1D130204340EFD324DF24C889E6A7BB5AF84318F94894DF8565B3A2DB79ED46CB91

Function 00755D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00755D30
GetWindowRect.USER32(?,?), ref: 00755D71
ScreenToClient.USER32(?,?), ref: 00755D99
GetClientRect.USER32(?,?), ref: 00755ED7
GetWindowRect.USER32(?,?), ref: 00755EF8

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: f565c56cec1694d0de71516da3a800f66867fabd63b529395301659cc6123e47
Instruction ID: cc7b1dd85b3bccd1fc007039ad4c3cb54a10ad0da5824838c86c17c8cfdd0c46
Opcode Fuzzy Hash: f565c56cec1694d0de71516da3a800f66867fabd63b529395301659cc6123e47
Instruction Fuzzy Hash: 07B17A35A0078ADBDF10CFA8C481BEAB7F1FF48311F14851AE8A9D7250D738AA56DB54

Function 007801B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 007800BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007800D6
__allrem.LIBCMT ref: 007800ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0078010B
__allrem.LIBCMT ref: 00780122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00780140

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 927781e07606ee567f342c377daa98395870f65b5ff23958964bee9c2bf84f8d
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 0B811572A40706EBEB20AE69CC49B6E73E9AF41370F24813AF515D6681EB78D9048790

Function 007861FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,007782D9,007782D9,?,?,?,0078644F,00000001,00000001,8BE85006), ref: 00786258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0078644F,00000001,00000001,8BE85006,?,?,?), ref: 007862DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 007863D8
__freea.LIBCMT ref: 007863E5

Part of subcall function 00783820: RtlAllocateHeap.NTDLL(00000000,?,00821444,?,0076FDF5,?,?,0075A976,00000010,00821440,007513FC,?,007513C6,?,00751129), ref: 00783852

__freea.LIBCMT ref: 007863EE
__freea.LIBCMT ref: 00786413

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 3ecab57b2781f64061874f4f83d95442e2e87e0e6caa66d21073dda1ed8cc7e9
Instruction ID: 5cf32c1f8ca6281c715a6c4d2b8cf84736bca0116c2a4f790479edf41343cb5d
Opcode Fuzzy Hash: 3ecab57b2781f64061874f4f83d95442e2e87e0e6caa66d21073dda1ed8cc7e9
Instruction Fuzzy Hash: 6451E172640216BBEB25AF64DC85EBF77AAEB44710F144229FC05DA540EB38DC40C7A0

Function 007DBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00759CB3: _wcslen.LIBCMT ref: 00759CBD

Part of subcall function 007DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007DB6AE,?,?), ref: 007DC9B5
Part of subcall function 007DC998: _wcslen.LIBCMT ref: 007DC9F1
Part of subcall function 007DC998: _wcslen.LIBCMT ref: 007DCA68
Part of subcall function 007DC998: _wcslen.LIBCMT ref: 007DCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007DBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007DBD25
RegCloseKey.ADVAPI32(00000000), ref: 007DBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 007DBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 007DBDF3
RegCloseKey.ADVAPI32(?), ref: 007DBDFF

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 5fb8c801b48b92c20e9e89f36f786cf96867d73b655b3021297ebe3d512aab3b
Instruction ID: 826c9d4d4837975931cf0776a1c3179079c21460b8a44eabdbdd15e3b2890038
Opcode Fuzzy Hash: 5fb8c801b48b92c20e9e89f36f786cf96867d73b655b3021297ebe3d512aab3b
Instruction Fuzzy Hash: AB817A30208241EFD714DF24C895E6ABBF5BF84308F15895DF5598B2A2DB39ED09CB92

Function 007AF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 007AF7B9
SysAllocString.OLEAUT32(00000001), ref: 007AF860
VariantCopy.OLEAUT32(007AFA64,00000000), ref: 007AF889
VariantClear.OLEAUT32(007AFA64), ref: 007AF8AD
VariantCopy.OLEAUT32(007AFA64,00000000), ref: 007AF8B1
VariantClear.OLEAUT32(?), ref: 007AF8BB

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 020c98b29394ebc194d66da725bdee4434d6772a02d2a6684150f54625c77174
Instruction ID: 904d57c71c47136d8eb38c7ea62dcc9bd83cc241d7c92e9526da4389a0c40427
Opcode Fuzzy Hash: 020c98b29394ebc194d66da725bdee4434d6772a02d2a6684150f54625c77174
Instruction Fuzzy Hash: B851D635601310EACF20ABA5D899B6AB3A4EF87310F248567F906DF291DB7C9C41C796

Function 007C910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00757620: _wcslen.LIBCMT ref: 00757625

Part of subcall function 00756B57: _wcslen.LIBCMT ref: 00756B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 007C94E5
_wcslen.LIBCMT ref: 007C9506
_wcslen.LIBCMT ref: 007C952D
GetSaveFileNameW.COMDLG32(00000058), ref: 007C9585

Strings

X, xrefs: 007C9412

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: ee2e76526976a6b804039303926067952343c7ab9086967351b204e92580f8a3
Instruction ID: 3d6c31a1905b740157994e6b651ecaa9655fbfb4643a5e27916386252160bb38
Opcode Fuzzy Hash: ee2e76526976a6b804039303926067952343c7ab9086967351b204e92580f8a3
Instruction Fuzzy Hash: 85E1A131504340DFD754DF24C889FAAB7E4BF84314F04896DE9899B2A2EB79ED05CB92

Function 0076920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00769BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00769BB2

BeginPaint.USER32(?,?,?), ref: 00769241
GetWindowRect.USER32(?,?), ref: 007692A5
ScreenToClient.USER32(?,?), ref: 007692C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 007692D3
EndPaint.USER32(?,?,?,?,?), ref: 00769321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 007A71EA

Part of subcall function 00769339: BeginPath.GDI32(00000000), ref: 00769357

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: b6e1bb23cccc1b669e81004c93c00bdacf53e25439fb904da071bcf055a63a82
Instruction ID: 92cf446a87c2eda5ad8b953f855c01e0bf0d201f7034c9a77623ffd12873c840
Opcode Fuzzy Hash: b6e1bb23cccc1b669e81004c93c00bdacf53e25439fb904da071bcf055a63a82
Instruction Fuzzy Hash: 9F41A170105340EFDB21DF25CC98FBA7BE8FB9A320F144229FA55872A1C7389846DB61

Function 007C07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 007C080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 007C0847
EnterCriticalSection.KERNEL32(?), ref: 007C0863
LeaveCriticalSection.KERNEL32(?), ref: 007C08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 007C08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 007C0921

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: cf2d6fb6885bc87847388f5b61a54ca15e1e7369922673a07db48ba9f8b0b996
Instruction ID: 319fbab0210a5c71ab71027d4cf3977fc84220959a1ff91660eb7927e5a41ffc
Opcode Fuzzy Hash: cf2d6fb6885bc87847388f5b61a54ca15e1e7369922673a07db48ba9f8b0b996
Instruction Fuzzy Hash: 89417971900205EBDF05AF54DC85AAA7BB8FF08300F1080A9ED009E297D739EE61DBE4

Function 007E81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,007AF3AB,00000000,?,?,00000000,?,007A682C,00000004,00000000,00000000), ref: 007E824C
EnableWindow.USER32(?,00000000), ref: 007E8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 007E82D1
ShowWindow.USER32(?,00000004), ref: 007E82E5
EnableWindow.USER32(?,00000001), ref: 007E830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 007E832F

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 114b2a9c2dbc8339901f57e9fd1e2b5b93a371c58874a25ed1938d138568af24
Instruction ID: d3db381dd3a0289a2ff25feb7ad405b3a8fb6ac0183a3cd1fd1cf6f3425765c8
Opcode Fuzzy Hash: 114b2a9c2dbc8339901f57e9fd1e2b5b93a371c58874a25ed1938d138568af24
Instruction Fuzzy Hash: 12418734602684EFDF65CF16C899BE47BE5FB0E714F184165E60C5F262C7365842CB51

Function 007B4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 007B4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 007B4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 007B4CEA
_wcslen.LIBCMT ref: 007B4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 007B4D10
_wcsstr.LIBVCRUNTIME ref: 007B4D1A

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 96df0b278943781ac7df00342d52ae03dbc0e8572d1306619fcdaf16e764bef5
Instruction ID: 7c4891f2225212cf6cc7b544c830d71316c0e3b5eed98479b76c94319a632856
Opcode Fuzzy Hash: 96df0b278943781ac7df00342d52ae03dbc0e8572d1306619fcdaf16e764bef5
Instruction Fuzzy Hash: 2F21F936605240BBEB165B39EC49FBB7FACDF49750F108069FD05CE193DA69DC0196A0

Function 007C581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00753AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00753A97,?,?,00752E7F,?,?,?,00000000), ref: 00753AC2

_wcslen.LIBCMT ref: 007C587B
CoInitialize.OLE32(00000000), ref: 007C5995
CoCreateInstance.OLE32(007EFCF8,00000000,00000001,007EFB68,?), ref: 007C59AE
CoUninitialize.OLE32 ref: 007C59CC

Strings

.lnk, xrefs: 007C5876, 007C58C1, 007C5985

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: db154b0b2545f55634c7b2b1cff7245424f606a8b7ba28f33822dc628c8b9b9d
Instruction ID: d31338797d8ef2cac6ea21d42ad0b34537247364d454db27e443a999cce28e6d
Opcode Fuzzy Hash: db154b0b2545f55634c7b2b1cff7245424f606a8b7ba28f33822dc628c8b9b9d
Instruction Fuzzy Hash: 89D153B5604601DFC714DF24C484E6ABBE1EF89310F14895DF88A9B261DB3AFC85CB92

Function 007B175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007B0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007B0FCA
Part of subcall function 007B0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007B0FD6
Part of subcall function 007B0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 007B0FE5
Part of subcall function 007B0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 007B0FEC
Part of subcall function 007B0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 007B1002

GetLengthSid.ADVAPI32(?,00000000,007B1335), ref: 007B17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 007B17BA
HeapAlloc.KERNEL32(00000000), ref: 007B17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 007B17DA
GetProcessHeap.KERNEL32(00000000,00000000,007B1335), ref: 007B17EE
HeapFree.KERNEL32(00000000), ref: 007B17F5

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 2da87aa8f83542f191c9928e2842e835cf3d1448fc754eddd31df3e6322654d9
Instruction ID: 55ad57243e5dd38675d9701a6cd601ab51aefa3b7848435f356b60765054aa35
Opcode Fuzzy Hash: 2da87aa8f83542f191c9928e2842e835cf3d1448fc754eddd31df3e6322654d9
Instruction Fuzzy Hash: 9A11BE76601205FFDB11DFA4CC99BEF7BA9EB46355F908018F8419B210DB39AD41CB60

Function 007B14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 007B14FF
OpenProcessToken.ADVAPI32(00000000), ref: 007B1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 007B1515
CloseHandle.KERNEL32(00000004), ref: 007B1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 007B154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 007B1563

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: adcd0eb7bcb9d90749090627532f4944610215ea400dada5d7cbb68e90a6075a
Instruction ID: 381ab2425d70321bf5e4f546f99f03fdb1a3f970b21d531a96bf82ebbcb83a3e
Opcode Fuzzy Hash: adcd0eb7bcb9d90749090627532f4944610215ea400dada5d7cbb68e90a6075a
Instruction Fuzzy Hash: A6115676501289EBDF12CFA8DD89BDE7BA9EF48704F448025FA05A6060C3798E61DB60

Function 00773382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00773379,00772FE5), ref: 00773390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0077339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007733B7
SetLastError.KERNEL32(00000000,?,00773379,00772FE5), ref: 00773409

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 1cb6a3a7542e4c7b5c3988ba274fb851f05ddb3bff3b6f0703537906a0a31a48
Instruction ID: ffdae6d7236336856b131100a0fb3a2c66acee0087850948195542922004615c
Opcode Fuzzy Hash: 1cb6a3a7542e4c7b5c3988ba274fb851f05ddb3bff3b6f0703537906a0a31a48
Instruction Fuzzy Hash: B0012432249711FEEE2527747C899A72A99EB0A3F9330C229F41C841F0EF194D027644

Function 00782D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00785686,00793CD6,?,00000000,?,00785B6A,?,?,?,?,?,0077E6D1,?,00818A48), ref: 00782D78
_free.LIBCMT ref: 00782DAB
_free.LIBCMT ref: 00782DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0077E6D1,?,00818A48,00000010,00754F4A,?,?,00000000,00793CD6), ref: 00782DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0077E6D1,?,00818A48,00000010,00754F4A,?,?,00000000,00793CD6), ref: 00782DEC
_abort.LIBCMT ref: 00782DF2

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: fb7d8798d8ddc565d735d0c03c38b6d164e631360161a66d6b67133f12040915
Instruction ID: a9fe2044b8faa2343dbb26ab89f3b66db0ed07d2b364bff28fe8a16aa7b72744
Opcode Fuzzy Hash: fb7d8798d8ddc565d735d0c03c38b6d164e631360161a66d6b67133f12040915
Instruction Fuzzy Hash: 88F0A43A7C5600B7C6123739BC0EA5B2959BFC27B3F254518F824962E3EE2C98034371

Function 007E8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00769639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00769693
Part of subcall function 00769639: SelectObject.GDI32(?,00000000), ref: 007696A2
Part of subcall function 00769639: BeginPath.GDI32(?), ref: 007696B9
Part of subcall function 00769639: SelectObject.GDI32(?,00000000), ref: 007696E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 007E8A4E
LineTo.GDI32(?,00000003,00000000), ref: 007E8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 007E8A70
LineTo.GDI32(?,00000000,00000003), ref: 007E8A80
EndPath.GDI32(?), ref: 007E8A90
StrokePath.GDI32(?), ref: 007E8AA0

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 88e10127b45800afdb0f0cf3e774182f96833cd8141f5e5816232d06d324f94d
Instruction ID: f8a88d0a3205d88f02eaa94ffad625fc800caf448b9d4f1c37c66f541f67ccd4
Opcode Fuzzy Hash: 88e10127b45800afdb0f0cf3e774182f96833cd8141f5e5816232d06d324f94d
Instruction Fuzzy Hash: F311097600118CFFDF129F94DC88EAA7F6CEB08354F00C022FA199A1A1C775AD56DBA0

Function 007B51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 007B5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 007B5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007B5230
ReleaseDC.USER32(00000000,00000000), ref: 007B5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 007B524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 007B5261

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 7f56ec33d0f67a215cf01aa3857497d3cb3966c78530f39104903bc2778de61b
Instruction ID: 120aa426737bd47ccf5fd883df3cd28f3202ae1d827d9ce77ed2f6088b8a28ca
Opcode Fuzzy Hash: 7f56ec33d0f67a215cf01aa3857497d3cb3966c78530f39104903bc2778de61b
Instruction Fuzzy Hash: FD0184B9A01708BBEB119BE59C49B8EBF78FB48751F048065FA04EB280D6749801CB64

Function 00751BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00751BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00751BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00751C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00751C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00751C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00751C22

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 3ab425bbc2ef037605c86876a82416be3b72e4cbea4ed2a508d0481a3ae9c914
Instruction ID: 8e51054fc750c881aed07b103f32dc06083f551bb0f6616f11d3e45dcdaac515
Opcode Fuzzy Hash: 3ab425bbc2ef037605c86876a82416be3b72e4cbea4ed2a508d0481a3ae9c914
Instruction Fuzzy Hash: D20144B0902B5ABDE3008F6A8C85A52FFA8FF19354F00415BA15C4BA42C7B5A864CBE5

Function 007BEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 007BEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 007BEB46
GetWindowThreadProcessId.USER32(?,?), ref: 007BEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007BEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007BEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007BEB75

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 7963846dbb2a3fc1cc8924af8f8a66cbc0ad6a43e880f23216d8c1cd31daa5de
Instruction ID: aa4aaa3389ded9098d6f3ece7dcd4d69033cf0c703618551e50fbf1f0dba2b51
Opcode Fuzzy Hash: 7963846dbb2a3fc1cc8924af8f8a66cbc0ad6a43e880f23216d8c1cd31daa5de
Instruction Fuzzy Hash: AAF054B6142198BFE72257529C4EEEF3E7CEFCEB11F008158FA01D5191D7A85A02C6B9

Function 007A7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 007A7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 007A7469
GetWindowDC.USER32(?), ref: 007A7475
GetPixel.GDI32(00000000,?,?), ref: 007A7484
ReleaseDC.USER32(?,00000000), ref: 007A7496
GetSysColor.USER32(00000005), ref: 007A74B0

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: d5599ec96060be9d8a01b3a0d163a3651b627932d4fa384b3213e60829f486ab
Instruction ID: 73916d78dc9c44e597769574e06726df038d4f291ec629d57c95355b08e9105a
Opcode Fuzzy Hash: d5599ec96060be9d8a01b3a0d163a3651b627932d4fa384b3213e60829f486ab
Instruction Fuzzy Hash: 2B01AD35401295EFDB125FA4DC48BAA7BB5FF48311F208164FD26AB1A0CB391E52EF10

Function 007B1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 007B187F
UnloadUserProfile.USERENV(?,?), ref: 007B188B
CloseHandle.KERNEL32(?), ref: 007B1894
CloseHandle.KERNEL32(?), ref: 007B189C
GetProcessHeap.KERNEL32(00000000,?), ref: 007B18A5
HeapFree.KERNEL32(00000000), ref: 007B18AC

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 0352eb14d6b7f2b232940b410e5836910745ac6ed867293ac9e4626c82461473
Instruction ID: b2357ef5e87948c744ef0e162a2b394d8a6fa19265127429c9bb0ffcf6312c7c
Opcode Fuzzy Hash: 0352eb14d6b7f2b232940b410e5836910745ac6ed867293ac9e4626c82461473
Instruction Fuzzy Hash: 3AE0E57A005245BBDB025FA1ED4C90ABF39FF4EB22B10C220F62589070CB369822DF58

Function 007D7B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00770242: EnterCriticalSection.KERNEL32(0082070C,00821884,?,?,0076198B,00822518,?,?,?,007512F9,00000000), ref: 0077024D
Part of subcall function 00770242: LeaveCriticalSection.KERNEL32(0082070C,?,0076198B,00822518,?,?,?,007512F9,00000000), ref: 0077028A

Part of subcall function 00759CB3: _wcslen.LIBCMT ref: 00759CBD

Part of subcall function 007700A3: __onexit.LIBCMT ref: 007700A9

__Init_thread_footer.LIBCMT ref: 007D7BFB

Part of subcall function 007701F8: EnterCriticalSection.KERNEL32(0082070C,?,?,00768747,00822514), ref: 00770202
Part of subcall function 007701F8: LeaveCriticalSection.KERNEL32(0082070C,?,00768747,00822514), ref: 00770235

Strings

G, xrefs: 007D7C7F
+Tz, xrefs: 007D7E2E
5, xrefs: 007D7C78
Variable must be of type 'Object'., xrefs: 007D7C3A

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +Tz$5$G$Variable must be of type 'Object'.
API String ID: 535116098-2478060112
Opcode ID: 5c665c25f29d1f88adb77517beff50676c0ab406f244836133b8e8419c7820e9
Instruction ID: 16db638d75f23e9f4ab3dc1c8b15dbc62f88ffae51eb52dfbf5a782ffb0e8560
Opcode Fuzzy Hash: 5c665c25f29d1f88adb77517beff50676c0ab406f244836133b8e8419c7820e9
Instruction Fuzzy Hash: 9E919074604209EFCB09EF54D895DADB7B6FF44300F10805AF806AB351EB79AE45CB61

Function 007BC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00757620: _wcslen.LIBCMT ref: 00757625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007BC6EE
_wcslen.LIBCMT ref: 007BC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007BC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 007BC7CA

Strings

0, xrefs: 007BC6AF

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 757f62829853c92e43fbdca42ba43455d74b9f613f51e6ca28d4a08334652ee9
Instruction ID: 3a961babec0cade64e6022c91f7aac17bf8a1a18303670b6046a1d6a4b89f8c8
Opcode Fuzzy Hash: 757f62829853c92e43fbdca42ba43455d74b9f613f51e6ca28d4a08334652ee9
Instruction Fuzzy Hash: 3E51DE716043009BD7169F28C889BEB7BE8EF89314F148A29F9A5D31A0DB68D944CB52

Function 007DAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 007DAEA3

Part of subcall function 00757620: _wcslen.LIBCMT ref: 00757625

GetProcessId.KERNEL32(00000000), ref: 007DAF38
CloseHandle.KERNEL32(00000000), ref: 007DAF67

Strings

<, xrefs: 007DAE6B
@, xrefs: 007DAE72

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 04ee95b001abc2230ad3d6b04dc703be3e3742fea5318207418238280c6a2a6b
Instruction ID: 4ddcd47ed1d1c11d17794eacd42fa2714d610fb2429d48cf2c4fd981357797ba
Opcode Fuzzy Hash: 04ee95b001abc2230ad3d6b04dc703be3e3742fea5318207418238280c6a2a6b
Instruction Fuzzy Hash: 35718971A00619EFCB14DF54D489A9EBBF0FF08310F04849AE856AB392DB78ED45CB91

Function 007B719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 007B7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 007B723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 007B724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 007B72CF

Strings

DllGetClassObject, xrefs: 007B7242

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 62a33663955a06fd154418fe82a9e174d1d4256597b649ec9ff9e1be9d9a6812
Instruction ID: 20b84d9e48836eda8529c5662e121178d90d401a2b66f3ba4020fc5205d4be54
Opcode Fuzzy Hash: 62a33663955a06fd154418fe82a9e174d1d4256597b649ec9ff9e1be9d9a6812
Instruction Fuzzy Hash: 55412EB1A05204DFDB19CF64C884BDA7BB9FF88310B1580A9FD059F20AD7B9D945DBA0

Function 007E3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007E3E35
IsMenu.USER32(?), ref: 007E3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007E3E92
DrawMenuBar.USER32 ref: 007E3EA5

Strings

0, xrefs: 007E3D89

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: d22629f9b8c70b85bc22513089bdd93db28113530f3fe236d097bebcec2fb071
Instruction ID: b7ddafa823195b55e93bfd0aada1840bc8344be96aaf30051604c847368a2136
Opcode Fuzzy Hash: d22629f9b8c70b85bc22513089bdd93db28113530f3fe236d097bebcec2fb071
Instruction Fuzzy Hash: F9418A74A02249EFDB14DF51D888EAABBB5FF48350F148129E815AB250C338AE51CF50

Function 007B1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00759CB3: _wcslen.LIBCMT ref: 00759CBD

Part of subcall function 007B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 007B3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 007B1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 007B1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 007B1EA9

Part of subcall function 00756B57: _wcslen.LIBCMT ref: 00756B6A

Strings

ComboBox, xrefs: 007B1DF0
ListBox, xrefs: 007B1E25

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: a30acdd6f4d15a0be6e971aa0897b0c2abb4012b540a2b3aa845cd832703bfcc
Instruction ID: f09cd2bc7941337b78220c289b57f5233efcda6683d854ef981c0085ee2e82d4
Opcode Fuzzy Hash: a30acdd6f4d15a0be6e971aa0897b0c2abb4012b540a2b3aa845cd832703bfcc
Instruction Fuzzy Hash: 30217771A00104FEDB04ABA4DC9ADFFBBB8EF45360B944019FC21A71E1DB7C8D0A8620

Function 007E2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 007E2F8D
LoadLibraryW.KERNEL32(?), ref: 007E2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 007E2FA9
DestroyWindow.USER32(?), ref: 007E2FB1

Strings

SysAnimate32, xrefs: 007E2F68

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: c99762ff6a13e974edf2a5310cbcbb8af561f1a4234426a13ad0ac58106da1e4
Instruction ID: 930d380c038915274c3f34c8e689074b51a0676e6cb16906b4c9a6842bbefb1d
Opcode Fuzzy Hash: c99762ff6a13e974edf2a5310cbcbb8af561f1a4234426a13ad0ac58106da1e4
Instruction Fuzzy Hash: FD21DC72201289ABEB214F66DC84EBB37BDFB5C324F104628FA10D61A1D779DC929760

Function 00774D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00774D1E,007828E9,?,00774CBE,007828E9,008188B8,0000000C,00774E15,007828E9,00000002), ref: 00774D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00774DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00774D1E,007828E9,?,00774CBE,007828E9,008188B8,0000000C,00774E15,007828E9,00000002,00000000), ref: 00774DC3

Strings

CorExitProcess, xrefs: 00774D98
mscoree.dll, xrefs: 00774D86

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 3c34fb8b36b62e7830cc017ac3805fa23e12cde6cc34eeb64bfd37a18bec2bc3
Instruction ID: 129330fad94c908a272effe9a8724b612bf38f6898285fcdeeec09d7081833e4
Opcode Fuzzy Hash: 3c34fb8b36b62e7830cc017ac3805fa23e12cde6cc34eeb64bfd37a18bec2bc3
Instruction Fuzzy Hash: 5FF0447464130CFBDF125F94DC49BADBBB5EF48751F0480A4F909A6250DB385941CAD5

Function 007AD3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 007AD3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 007AD3BF
FreeLibrary.KERNEL32(00000000), ref: 007AD3E5

Strings

X64, xrefs: 007AD2A8
GetSystemWow64DirectoryW, xrefs: 007AD3B9

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 75cf31f61f38699601b7081d800930443023a0979026992406a60ec09dc8cbc7
Instruction ID: 5ee6af6adb7d92970cbd37e941fc8f938b6901a33bb2c20ba9f80e02e76b9897
Opcode Fuzzy Hash: 75cf31f61f38699601b7081d800930443023a0979026992406a60ec09dc8cbc7
Instruction Fuzzy Hash: A6F055B8802621CBDB3263108C88A6D3225BF97B01F648358F803E5994DB7CCC88C683

Function 00754E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00754EDD,?,00821418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00754E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00754EAE
FreeLibrary.KERNEL32(00000000,?,?,00754EDD,?,00821418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00754EC0

Strings

kernel32.dll, xrefs: 00754E94
Wow64DisableWow64FsRedirection, xrefs: 00754EA8

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 4f1ca8bb46fdd48142e638a0cc5c42a381b881fe96a76842e46c2744e02e97c2
Instruction ID: 23bcd93773e1a16a60f665d33afa92505b519bf9041e44a61822fe2b5682e673
Opcode Fuzzy Hash: 4f1ca8bb46fdd48142e638a0cc5c42a381b881fe96a76842e46c2744e02e97c2
Instruction Fuzzy Hash: 13E0CD79E036225BD2331B296C1DBDF6559AF86F677054115FC00D7200DBBCCD4740A4

Function 00754E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00793CDE,?,00821418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00754E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00754E74
FreeLibrary.KERNEL32(00000000,?,?,00793CDE,?,00821418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00754E87

Strings

kernel32.dll, xrefs: 00754E5B
Wow64RevertWow64FsRedirection, xrefs: 00754E6E

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: ddbaa09d14546db2dcf58ecbb5fdc67c5079412b4b7a0f8d457bc327a121f09e
Instruction ID: 0e0a973b690e66477c5a5f70c6769203d2ba0e03835ec94bdf86104a438c6388
Opcode Fuzzy Hash: ddbaa09d14546db2dcf58ecbb5fdc67c5079412b4b7a0f8d457bc327a121f09e
Instruction Fuzzy Hash: 05D0C2799036A15766231B296C09DCB2A19AF89F163054114BC00E6110CFBCCD4281D4

Function 007C2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007C2C05
DeleteFileW.KERNEL32(?), ref: 007C2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 007C2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007C2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007C2CC0

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: c3bbf4b01a926ddf440aa63f6ac6fbaf1f7c150c12ec5985af9f91276ee5d2e2
Instruction ID: 4525cdb85b93eae2c7a4fd9c4ea6d76463332897efa790149e83d9514904ca9f
Opcode Fuzzy Hash: c3bbf4b01a926ddf440aa63f6ac6fbaf1f7c150c12ec5985af9f91276ee5d2e2
Instruction Fuzzy Hash: CEB14E71901119EBDF21DFA4CC89EDEB77DEF08350F1040AAFA09E6142EB389A458F61

Function 007DA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 007DA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 007DA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 007DA468
CloseHandle.KERNEL32(?), ref: 007DA63D

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 069b24debfb57dd47657f8adce164c52cc06cbb8a466282b0e2af74da517c6cf
Instruction ID: 9319487ee9c17d018fe67353dc559e12ea761102ece965bde0c7ab5ca6a02397
Opcode Fuzzy Hash: 069b24debfb57dd47657f8adce164c52cc06cbb8a466282b0e2af74da517c6cf
Instruction Fuzzy Hash: A2A18F71604300AFD720DF24D886B2AB7E5AF84714F18885DF95A9B3D2DBB4EC45CB92

Function 0078BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,007F3700), ref: 0078BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0082121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0078BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00821270,000000FF,?,0000003F,00000000,?), ref: 0078BC36
_free.LIBCMT ref: 0078BB7F

Part of subcall function 007829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0078D7D1,00000000,00000000,00000000,00000000,?,0078D7F8,00000000,00000007,00000000,?,0078DBF5,00000000), ref: 007829DE
Part of subcall function 007829C8: GetLastError.KERNEL32(00000000,?,0078D7D1,00000000,00000000,00000000,00000000,?,0078D7F8,00000000,00000007,00000000,?,0078DBF5,00000000,00000000), ref: 007829F0

_free.LIBCMT ref: 0078BD4B

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 870b28b865b8169e33c6914c2eb6ae3d60c611262af4617f7258cd67e8909869
Instruction ID: 5a45a97015375f5807211e957b9b5ce158b7a948d54b32ea749e118847fcf299
Opcode Fuzzy Hash: 870b28b865b8169e33c6914c2eb6ae3d60c611262af4617f7258cd67e8909869
Instruction Fuzzy Hash: 2951DC71940209EFCB20FF659C859AEBBBCFF54350B10426AF564D7291EB389E418B60

Function 007BE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 007BDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007BCF22,?), ref: 007BDDFD

Part of subcall function 007BDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,007BCF22,?), ref: 007BDE16

Part of subcall function 007BE199: GetFileAttributesW.KERNEL32(?,007BCF95), ref: 007BE19A

lstrcmpiW.KERNEL32(?,?), ref: 007BE473
MoveFileW.KERNEL32(?,?), ref: 007BE4AC
_wcslen.LIBCMT ref: 007BE5EB
_wcslen.LIBCMT ref: 007BE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 007BE650

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 686f34dd2aa83c0e8efd5b458ae9a49e9269d47b7c7692c56e8d26c36b6f5673
Instruction ID: 2e50ce8d5336385b727f46c29d5ac9c5392cb0628400a43ecb3bd6b73fcf1e57
Opcode Fuzzy Hash: 686f34dd2aa83c0e8efd5b458ae9a49e9269d47b7c7692c56e8d26c36b6f5673
Instruction Fuzzy Hash: 885175B24083859BC724DBA4DC85ADFB3DCAF84340F00491EF689D3151EF78A58C8766

Function 007DB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00759CB3: _wcslen.LIBCMT ref: 00759CBD

Part of subcall function 007DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007DB6AE,?,?), ref: 007DC9B5
Part of subcall function 007DC998: _wcslen.LIBCMT ref: 007DC9F1
Part of subcall function 007DC998: _wcslen.LIBCMT ref: 007DCA68
Part of subcall function 007DC998: _wcslen.LIBCMT ref: 007DCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007DBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007DBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 007DBB63
RegCloseKey.ADVAPI32(?,?), ref: 007DBBA6
RegCloseKey.ADVAPI32(00000000), ref: 007DBBB3

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: f888c4bd216bc37b593a5b76a14624a1bc7ebdd6d202787e9a313fff1b6f3b8c
Instruction ID: b4d0a84a696ccecb41cb4342b174da5da62b8c1936a12f637563d1f074615eb8
Opcode Fuzzy Hash: f888c4bd216bc37b593a5b76a14624a1bc7ebdd6d202787e9a313fff1b6f3b8c
Instruction Fuzzy Hash: B6619C70208241EFD714DF24C894E6ABBF5BF84308F15855EF4994B2A2DB35ED45CB92

Function 007B8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007B8BCD
VariantClear.OLEAUT32 ref: 007B8C3E
VariantClear.OLEAUT32 ref: 007B8C9D
VariantClear.OLEAUT32(?), ref: 007B8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 007B8D3B

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 284aed188cb2e59bfa72c12ec147957b967acd04beebf15d0d458b86f23a9d5a
Instruction ID: 3cc2657ce996825b565b8f7327f4a495b56e14e8cfd568e292237d1758031e41
Opcode Fuzzy Hash: 284aed188cb2e59bfa72c12ec147957b967acd04beebf15d0d458b86f23a9d5a
Instruction Fuzzy Hash: 26516BB5A00219EFCB10CF68C894AAABBF8FF8D310B15855AE915DB350E734E911CB90

Function 007C8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 007C8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 007C8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 007C8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 007C8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 007C8C5F

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: d5a42cac537aa909988fe2eb7a446ef7f977a27a64be8107e571760bb97034da
Instruction ID: 5476d86c4c7702e03cbf87c2c29a3656ee6da927a8e449d9ebfb7bf5dfef862f
Opcode Fuzzy Hash: d5a42cac537aa909988fe2eb7a446ef7f977a27a64be8107e571760bb97034da
Instruction Fuzzy Hash: EE515A35A00214DFCB15DF64C884EA9BBF5FF48314F088498E849AB362DB79ED55CBA1

Function 007D8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 007D8F40
GetProcAddress.KERNEL32(00000000,?), ref: 007D8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 007D8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 007D9032
FreeLibrary.KERNEL32(00000000), ref: 007D9052

Part of subcall function 0076F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,007C1043,?,7529E610), ref: 0076F6E6
Part of subcall function 0076F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,007AFA64,00000000,00000000,?,?,007C1043,?,7529E610,?,007AFA64), ref: 0076F70D

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 48004f821c31fc94792db6f645af37f7e694f2bbbf70396876444db8b2c819e8
Instruction ID: 7ea9e58cb1e6800c630a61f23d0f3821c699e3fa79358a3d26ab34827a915c8f
Opcode Fuzzy Hash: 48004f821c31fc94792db6f645af37f7e694f2bbbf70396876444db8b2c819e8
Instruction Fuzzy Hash: 96514B35601245DFC715DF68C4848ADBBF1FF49314F088099E906AB362DB79ED86CB91

Function 007E6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 007E6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 007E6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 007E6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,007CAB79,00000000,00000000), ref: 007E6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 007E6CC7

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 93153ac822384fd80eb34ad20260915119cdd55051d8378bf6697e4151773d82
Instruction ID: 4c325d04dc11e9ad41ed95281a5d22abcbeee60559a5433cc50d2d64e74500d0
Opcode Fuzzy Hash: 93153ac822384fd80eb34ad20260915119cdd55051d8378bf6697e4151773d82
Instruction Fuzzy Hash: 5741E535602184AFDB24CF2ACC88FA57BA5EB1D390F244264F855A72F0C379FD41C660

Function 00782051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007820C3
_free.LIBCMT ref: 007820E3

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 7e986709f9ae4776bc444cae4e7a6498a569d46a65bbc2639bf0df82aa71e09b
Instruction ID: 8a64dce6a6a80a09b7bf02cc344453af07eac9f6587da4a7aaf3368638645150
Opcode Fuzzy Hash: 7e986709f9ae4776bc444cae4e7a6498a569d46a65bbc2639bf0df82aa71e09b
Instruction Fuzzy Hash: 4441D172E40604DFCB20EF78C884A5DB7A5EF88310F2585A8E515EB392DA35ED02CB80

Function 0076912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00769141
ScreenToClient.USER32(00000000,?), ref: 0076915E
GetAsyncKeyState.USER32(00000001), ref: 00769183
GetAsyncKeyState.USER32(00000002), ref: 0076919D

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 732b643106e095819e900d1bb26f20e7806e834514f6552e49a8d76ababd1deb
Instruction ID: dda5afa1a72635009e4bc4a0d6b08d050c29e4803089a18569889b2e200da3a3
Opcode Fuzzy Hash: 732b643106e095819e900d1bb26f20e7806e834514f6552e49a8d76ababd1deb
Instruction Fuzzy Hash: A641723150860EEBDF099F68C848BEEB7B8FB4A320F208315E925A6290D7385955CF91

Function 007C3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 007C38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 007C3922
TranslateMessage.USER32(?), ref: 007C394B
DispatchMessageW.USER32(?), ref: 007C3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007C3966

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 17a588da1b9ffed068ff2eae0c87aa682f694b04c5e3e71141754e8d32b3287a
Instruction ID: f9a07b4844c14c85b6833019ee9d4055c1f5dbbedf76067927ac4e3866128dce
Opcode Fuzzy Hash: 17a588da1b9ffed068ff2eae0c87aa682f694b04c5e3e71141754e8d32b3287a
Instruction Fuzzy Hash: 213186709043829EEF35CB34984CFB677E8BB15308F14C56DE466861A0E7BDB686CB21

Function 007CCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,007CC21E,00000000), ref: 007CCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 007CCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,007CC21E,00000000), ref: 007CCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,007CC21E,00000000), ref: 007CCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,007CC21E,00000000), ref: 007CCFF2

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: d3d4aa161ee7e16b603c2bc33ba6505dc6db0d9506a2650f229ddf3cb7740863
Instruction ID: 4d1472313017e1c8a66454f47f80ed545d203cbc7f7ba6f71500c1fe312fce82
Opcode Fuzzy Hash: d3d4aa161ee7e16b603c2bc33ba6505dc6db0d9506a2650f229ddf3cb7740863
Instruction Fuzzy Hash: 54315072A00605EFDB22DFA5D884EABBBFDEB14350B10842EF51AD6140D738EE41DB60

Function 007B1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 007B1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 007B19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 007B19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 007B19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 007B19E2

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 37d20f5df8162c2f1fefef78f1115e94b4fbe50d73b5184c7fc72a3bda6d8568
Instruction ID: d00364450f54c3cd6d023556f8083c4f377781f762651895b3cf4a084b9f0755
Opcode Fuzzy Hash: 37d20f5df8162c2f1fefef78f1115e94b4fbe50d73b5184c7fc72a3bda6d8568
Instruction Fuzzy Hash: C131C275900299EFCB04CFA8CDA9BDE3BB5EB09315F508225F921AB2D1C774AD44CB90

Function 007E5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 007E5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 007E579D
_wcslen.LIBCMT ref: 007E57AF
_wcslen.LIBCMT ref: 007E57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 007E5816

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: a5f0b28630412d52d6d4a2fad96cb09501df64062762b3e612eefed9e0da6c06
Instruction ID: e100d8918407eae1fc877fa93ac4a9bdf288725fd6d22c8a545a5b3811145679
Opcode Fuzzy Hash: a5f0b28630412d52d6d4a2fad96cb09501df64062762b3e612eefed9e0da6c06
Instruction Fuzzy Hash: 9921933590569CDADB208F65CC84AEE77B8FF09328F108256E929EA1C1D7789985CF50

Function 007D0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 007D0951
GetForegroundWindow.USER32 ref: 007D0968
GetDC.USER32(00000000), ref: 007D09A4
GetPixel.GDI32(00000000,?,00000003), ref: 007D09B0
ReleaseDC.USER32(00000000,00000003), ref: 007D09E8

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 32b82334dd576215501a9c5ffe0b7e19c654c1d4536b96d15949ac318c488d99
Instruction ID: 41dd3e7554cfa27f8d76502615f3f02079fbaae2ecd1572d5b47a90994a0127c
Opcode Fuzzy Hash: 32b82334dd576215501a9c5ffe0b7e19c654c1d4536b96d15949ac318c488d99
Instruction Fuzzy Hash: 5F216239600204EFD704EF65C898AAEB7F5EF48701F04846DE856DB352DB78AC05CB90

Function 0078CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0078CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0078CDE9

Part of subcall function 00783820: RtlAllocateHeap.NTDLL(00000000,?,00821444,?,0076FDF5,?,?,0075A976,00000010,00821440,007513FC,?,007513C6,?,00751129), ref: 00783852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0078CE0F
_free.LIBCMT ref: 0078CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0078CE31

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 7cb09ba4db132926f90e5cd56908e103e1839c0958ff05859bdd0c348d0e4d5f
Instruction ID: 17c389b7c6c9ae9a9df1aa6fffb59c8860bbbd626bc3f0f71c7d30f3fc6cc58c
Opcode Fuzzy Hash: 7cb09ba4db132926f90e5cd56908e103e1839c0958ff05859bdd0c348d0e4d5f
Instruction Fuzzy Hash: 9001D4726422557F232336BA6C8CC7B696DDFC6BA1315412DF905C7201EA788D0283B4

Function 00769639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00769693
SelectObject.GDI32(?,00000000), ref: 007696A2
BeginPath.GDI32(?), ref: 007696B9
SelectObject.GDI32(?,00000000), ref: 007696E2

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: c1af27dca9264d4bc1954eabd5b5497d59daa08a8349b24f0305cddcbeadd544
Instruction ID: 2661a0951fbe6b816fd5089d06f310703ee95f96f6c8e96b5524489aa14764b8
Opcode Fuzzy Hash: c1af27dca9264d4bc1954eabd5b5497d59daa08a8349b24f0305cddcbeadd544
Instruction Fuzzy Hash: C2218070802345EBDF219F24DC487A93FA8BB65315F608216F912A61B0D3789893CF94

Function 007B5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 007B5726
_memcmp.LIBVCRUNTIME ref: 007B5744
_memcmp.LIBVCRUNTIME ref: 007B5757
_memcmp.LIBVCRUNTIME ref: 007B576F
_memcmp.LIBVCRUNTIME ref: 007B5787

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: d63afae8de37ea271eb3a1936572593d3123872da45e2c78e18cb0ccbad631dc
Instruction ID: 8b1194c229a8890a72b5189af602750522e70e50d348eb4d031999f8bd28b192
Opcode Fuzzy Hash: d63afae8de37ea271eb3a1936572593d3123872da45e2c78e18cb0ccbad631dc
Instruction Fuzzy Hash: 5B01B5B1742A09FBE60865259D86FFB735D9B25398F604020FD089A641FB7CEE1183B0

Function 00782DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0077F2DE,00783863,00821444,?,0076FDF5,?,?,0075A976,00000010,00821440,007513FC,?,007513C6), ref: 00782DFD
_free.LIBCMT ref: 00782E32
_free.LIBCMT ref: 00782E59
SetLastError.KERNEL32(00000000,00751129), ref: 00782E66
SetLastError.KERNEL32(00000000,00751129), ref: 00782E6F

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 462dcbacd92707a917132889c683fe02937633dc508db3a33db8469d397419ab
Instruction ID: f7c81bd06475f972ac11735112377c8ea44b4e9c79f7fb6fcc4632eff1cf65f6
Opcode Fuzzy Hash: 462dcbacd92707a917132889c683fe02937633dc508db3a33db8469d397419ab
Instruction Fuzzy Hash: CA01F9362C6600B7C61337386C8ED2B255DBFC57B3B214024F821A2193EF6C8C034329

Function 007B000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,007AFF41,80070057,?,?,?,007B035E), ref: 007B002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,007AFF41,80070057,?,?), ref: 007B0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,007AFF41,80070057,?,?), ref: 007B0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,007AFF41,80070057,?), ref: 007B0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,007AFF41,80070057,?,?), ref: 007B0070

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: de4692774012c06c8746727b7a8db1c385c50f98de845a797f81c3209c33fcae
Instruction ID: fde2bd799eb815545708b921684fc975a0cc19dad81e44dc86b1e1a6baed6672
Opcode Fuzzy Hash: de4692774012c06c8746727b7a8db1c385c50f98de845a797f81c3209c33fcae
Instruction Fuzzy Hash: 0201A27A601204BFDB125F68DC48BEB7AEDEF48791F148124F905DA210D779DD419BA0

Function 007BE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 007BE997
QueryPerformanceFrequency.KERNEL32(?), ref: 007BE9A5
Sleep.KERNEL32(00000000), ref: 007BE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 007BE9B7
Sleep.KERNEL32 ref: 007BE9F3

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 4eea02d7dfe7d3c4b7d1bdf1aafc628fb675f44ea57d67d878914664db2ff968
Instruction ID: c0da879fb39b1d6185dc33c5350b04e54a63c59970d812be3f1ac5879c4cd9e0
Opcode Fuzzy Hash: 4eea02d7dfe7d3c4b7d1bdf1aafc628fb675f44ea57d67d878914664db2ff968
Instruction Fuzzy Hash: 91015775C0262DDBCF00ABE5D899AEDBB78BB0D311F004546E502B2241DB38A5598BA6

Function 007B10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 007B1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,007B0B9B,?,?,?), ref: 007B1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,007B0B9B,?,?,?), ref: 007B112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,007B0B9B,?,?,?), ref: 007B1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 007B114D

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: f37dc4e3cc342caa1742c82b90e5a6065e05c8c63ffe33a4718716e50e429a82
Instruction ID: fe8aeab8ef145d7a25ce9c9f1e651ab5c709ab33645570126f6340bfb9aa4d3d
Opcode Fuzzy Hash: f37dc4e3cc342caa1742c82b90e5a6065e05c8c63ffe33a4718716e50e429a82
Instruction Fuzzy Hash: 7F018179101209BFDB124F68DC99EAA3F6EEF8A364B504418FA41C7350DB35DC018A60

Function 007B0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007B0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007B0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 007B0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 007B0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 007B1002

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 3033c52a9e6da20c189cd07c824cdbe7eb21027fcf9120e653a0dcee05450894
Instruction ID: 8f90f46e3871fa7b589d0fb9fdd85201df6e2a2ce9af3e3f2032cfc9b887b280
Opcode Fuzzy Hash: 3033c52a9e6da20c189cd07c824cdbe7eb21027fcf9120e653a0dcee05450894
Instruction Fuzzy Hash: FEF0C279201345EBD7221FA4DC8DF963B6DEF8A761F508414FD05CB250CA38DC418A60

Function 007B1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 007B102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 007B1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007B1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 007B104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007B1062

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 329c4dcde1c5be20257e15ba22749a10a7c8c32514b325850439f99a6125ed22
Instruction ID: 830529c678921ed7a2e5ddafe0ce32e72736ece722964faaad3d76a79fa47624
Opcode Fuzzy Hash: 329c4dcde1c5be20257e15ba22749a10a7c8c32514b325850439f99a6125ed22
Instruction Fuzzy Hash: 94F06D79201345EBDB226FA4EC99F963BADEF8A761F504414FE45CB250CA78DC418A60

Function 007C030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,007C017D,?,007C32FC,?,00000001,00792592,?), ref: 007C0324
CloseHandle.KERNEL32(?,?,?,?,007C017D,?,007C32FC,?,00000001,00792592,?), ref: 007C0331
CloseHandle.KERNEL32(?,?,?,?,007C017D,?,007C32FC,?,00000001,00792592,?), ref: 007C033E
CloseHandle.KERNEL32(?,?,?,?,007C017D,?,007C32FC,?,00000001,00792592,?), ref: 007C034B
CloseHandle.KERNEL32(?,?,?,?,007C017D,?,007C32FC,?,00000001,00792592,?), ref: 007C0358
CloseHandle.KERNEL32(?,?,?,?,007C017D,?,007C32FC,?,00000001,00792592,?), ref: 007C0365

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 088df9a29f994a8247cf803d74db6712e5352a08379ccdbbab612d8d7f08271c
Instruction ID: 06957039fc110729fffbe59936b4bd633f844c0d608996157ab8546ac337f979
Opcode Fuzzy Hash: 088df9a29f994a8247cf803d74db6712e5352a08379ccdbbab612d8d7f08271c
Instruction Fuzzy Hash: 9C01D872800B81CFCB30AF66D880802FBF9BE603153058A3ED19252931C3B4A989CEC0

Function 0078D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0078D752

Part of subcall function 007829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0078D7D1,00000000,00000000,00000000,00000000,?,0078D7F8,00000000,00000007,00000000,?,0078DBF5,00000000), ref: 007829DE
Part of subcall function 007829C8: GetLastError.KERNEL32(00000000,?,0078D7D1,00000000,00000000,00000000,00000000,?,0078D7F8,00000000,00000007,00000000,?,0078DBF5,00000000,00000000), ref: 007829F0

_free.LIBCMT ref: 0078D764
_free.LIBCMT ref: 0078D776
_free.LIBCMT ref: 0078D788
_free.LIBCMT ref: 0078D79A

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 36340f17f974cd0de07798137a6ab14daf5c58cff73ca211d69c0c3f752126c5
Instruction ID: b1dcb2b475e2ca40d934111d90bdb36044148a4c9146afe6751a5e49e8d7e1bb
Opcode Fuzzy Hash: 36340f17f974cd0de07798137a6ab14daf5c58cff73ca211d69c0c3f752126c5
Instruction Fuzzy Hash: C0F01D325C4204AB8631FB69F9CAC5A7BEDBF44721BA54805F048E7592CB3CFC818B64

Function 007B5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 007B5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 007B5C6F
MessageBeep.USER32(00000000), ref: 007B5C87
KillTimer.USER32(?,0000040A), ref: 007B5CA3
EndDialog.USER32(?,00000001), ref: 007B5CBD

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: d3031ba942e438486f120c9431a4a2f527dcf5887ca453562a0fadf219e97caf
Instruction ID: 14f6be8bef532e3b13bd746d99f038023b7ec34a6186c87f416657b5da7323ae
Opcode Fuzzy Hash: d3031ba942e438486f120c9431a4a2f527dcf5887ca453562a0fadf219e97caf
Instruction Fuzzy Hash: 3C01F434500B44ABEB215B10DD8EFE67BB9BF04B01F001559B583A50E0DBF8A989CFA4

Function 007822A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 007822BE

Part of subcall function 007829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0078D7D1,00000000,00000000,00000000,00000000,?,0078D7F8,00000000,00000007,00000000,?,0078DBF5,00000000), ref: 007829DE
Part of subcall function 007829C8: GetLastError.KERNEL32(00000000,?,0078D7D1,00000000,00000000,00000000,00000000,?,0078D7F8,00000000,00000007,00000000,?,0078DBF5,00000000,00000000), ref: 007829F0

_free.LIBCMT ref: 007822D0
_free.LIBCMT ref: 007822E3
_free.LIBCMT ref: 007822F4
_free.LIBCMT ref: 00782305

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bac7f52e90d6b51ab24a5ca2260c5a2741401b18d8afc3ee9fe7c5536d3e9bbf
Instruction ID: 64b65f020dda48572398988d19d5d03fcacfb7c1c10def6294edffcebac6937a
Opcode Fuzzy Hash: bac7f52e90d6b51ab24a5ca2260c5a2741401b18d8afc3ee9fe7c5536d3e9bbf
Instruction Fuzzy Hash: DFF030704C0110CB8A22BF54BC458483B68FB28772752851AF414E22B7CB3824539FA4

Function 007695C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 007695D4
StrokeAndFillPath.GDI32(?,?,007A71F7,00000000,?,?,?), ref: 007695F0
SelectObject.GDI32(?,00000000), ref: 00769603
DeleteObject.GDI32 ref: 00769616
StrokePath.GDI32(?), ref: 00769631

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 9251f28b915d8b473e420ea8cd289e1a1350471a915f8d88baaaee2a0219ba26
Instruction ID: ee8dbf55e314452c264556fe75e5fa456351a19e77959681c9b7b03bba0b4ac4
Opcode Fuzzy Hash: 9251f28b915d8b473e420ea8cd289e1a1350471a915f8d88baaaee2a0219ba26
Instruction Fuzzy Hash: 8AF06934006388EBCB224F24EC4CBA43F64BB15322F64C214F926590F0C73889A3DF24

Function 00780F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 007810F9
__freea.LIBCMT ref: 00781117

Part of subcall function 00781537: _free.LIBCMT ref: 0078154F

Strings

a/p, xrefs: 007811DE
am/pm, xrefs: 0078117A

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: b7c650b45ccbaaa224a54ce6763c04fe336720dabd67ba6301e088af5baeef31
Instruction ID: 82f9bc22d808791440b34c34358e76c511c4149dc4c54f090061ad3d2a8cc48a
Opcode Fuzzy Hash: b7c650b45ccbaaa224a54ce6763c04fe336720dabd67ba6301e088af5baeef31
Instruction Fuzzy Hash: 86D12731E80206CACB24BF68C859BFEB7B8FF06700FA44159E5059BA51D37D9D82CB91

Function 00785AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JOu, xrefs: 00785BA8, 00785C6C

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID:
String ID: JOu
API String ID: 0-3586262909
Opcode ID: eb7cbf64510e995231c97c70a0d27d172d795ecaeaadd0d4b41cc17071800237
Instruction ID: 985c5d9157145b07df60041bbedc8b40866ab1b8372caac7d24e1287ae5a719a
Opcode Fuzzy Hash: eb7cbf64510e995231c97c70a0d27d172d795ecaeaadd0d4b41cc17071800237
Instruction Fuzzy Hash: 7B51CFB5D8060AEFCF21BFA5C949FEEBFB8AF15310F14405AF405A7292D6399901CB61

Function 00788A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00788B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00788B7A
__dosmaperr.LIBCMT ref: 00788B81

Strings

.w, xrefs: 00788A63

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .w
API String ID: 2434981716-1741142609
Opcode ID: 90df3ad000047bffd2e53619e28b4975e19199a45ee026a85b986ac36d31970d
Instruction ID: 4065aaa1d6aaace8503a12e7b7039a5b50e8a5b4fb7dccc36ba81511936f6578
Opcode Fuzzy Hash: 90df3ad000047bffd2e53619e28b4975e19199a45ee026a85b986ac36d31970d
Instruction Fuzzy Hash: AE418EF0644145AFCB65AF24C884A7D7FA6EFC5300B68C1A9F8548B683DE398C029752

Function 007B2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007BB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007B21D0,?,?,00000034,00000800,?,00000034), ref: 007BB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 007B2760

Part of subcall function 007BB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007B21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 007BB3F8

Part of subcall function 007BB32A: GetWindowThreadProcessId.USER32(?,?), ref: 007BB355
Part of subcall function 007BB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,007B2194,00000034,?,?,00001004,00000000,00000000), ref: 007BB365
Part of subcall function 007BB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,007B2194,00000034,?,?,00001004,00000000,00000000), ref: 007BB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007B27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007B281A

Strings

@, xrefs: 007B2832

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 6a4836fe6efc0fe10ba9f0f65dd61c79f31321a70557edcdbd2585e011fa4000
Instruction ID: ac990019e5657122a9b28c19abb81c74796a082592c2e8a00d27d83ebede849b
Opcode Fuzzy Hash: 6a4836fe6efc0fe10ba9f0f65dd61c79f31321a70557edcdbd2585e011fa4000
Instruction Fuzzy Hash: 5E414C76901218AFDB10DFA4CD85BEEBBB8EF09700F008095FA55B7181DB746E46CBA0

Function 0078172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00781769
_free.LIBCMT ref: 00781834
_free.LIBCMT ref: 0078183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00781760, 00781767, 00781796, 007817CE

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-517116171
Opcode ID: 01e40eb6d574bbfb4dafba86345670b4736bbe54d918ea94bd8ce5d11abd950b
Instruction ID: 56f5c885403507a5824afd88ac8e3d4c220b10e816cf510b29953b4015e44e72
Opcode Fuzzy Hash: 01e40eb6d574bbfb4dafba86345670b4736bbe54d918ea94bd8ce5d11abd950b
Instruction Fuzzy Hash: 0B31C571A80218EFDB21EF99DC89D9EBBFCEB95320F60416AF404D7211D6745E42CB90

Function 007BC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 007BC306
DeleteMenu.USER32(?,00000007,00000000), ref: 007BC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00821990,016F56E0), ref: 007BC395

Strings

0, xrefs: 007BC2DF

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 36b8299a7c9323937ff782def4b4a8d9e72b7093d33d75b18c1246c1e649c00d
Instruction ID: f030c5b3fa3293b3fe05edc8452b4ad9e66ca96f4a3e6a93e01004b1badd3136
Opcode Fuzzy Hash: 36b8299a7c9323937ff782def4b4a8d9e72b7093d33d75b18c1246c1e649c00d
Instruction Fuzzy Hash: F941AE31204341DFD722DF24D889F9ABBE4AF85320F14CA1EF9A5972D1D778A904CB62

Function 007E4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,007ECC08,00000000,?,?,?,?), ref: 007E44AA
GetWindowLongW.USER32 ref: 007E44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007E44D7

Strings

SysTreeView32, xrefs: 007E447C

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 000ef1bcfde368fb02b31f77230304202e36eae4facf5dcd0bf151bf643e04ff
Instruction ID: 5ed6ab74c80fda509fbe01e4fffe05c9afdc228d8e1993c3c3eb02d433bceecb
Opcode Fuzzy Hash: 000ef1bcfde368fb02b31f77230304202e36eae4facf5dcd0bf151bf643e04ff
Instruction Fuzzy Hash: 0B31AD71201285AFDF219E39DC45BEB77A9EB09334F204325F979921E0D778EC519750

Function 007B6E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 007B6EED
VariantCopyInd.OLEAUT32(?,?), ref: 007B6F08
VariantClear.OLEAUT32(?), ref: 007B6F12

Strings

*j{, xrefs: 007B6E8B, 007B6E90, 007B6EF8

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j{
API String ID: 2173805711-2455646653
Opcode ID: cf5056fb4a92a3c803b04b29a13aa0afaeed1101b38f24411a5a0ce154294adf
Instruction ID: 02d6e93b092e90fc48427adcb8964d35b713f074fdb7f8f1fea38e666db72a85
Opcode Fuzzy Hash: cf5056fb4a92a3c803b04b29a13aa0afaeed1101b38f24411a5a0ce154294adf
Instruction Fuzzy Hash: 5731F471604245DFCB09AFA4E898AFE3775FF85701B1004A8FA025B2A1C77C9D16CBD0

Function 007D304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007D335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,007D3077,?,?), ref: 007D3378

inet_addr.WSOCK32(?), ref: 007D307A
_wcslen.LIBCMT ref: 007D309B
htons.WSOCK32(00000000), ref: 007D3106

Strings

255.255.255.255, xrefs: 007D3095, 007D309A

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 7cacea8a6d560d53ba0ec84eade20d20f437aab77614979711d369b1f784feae
Instruction ID: 2fd1384c61110f0e694c8568621d597f3df88dc93828817eb54d55e2697db37b
Opcode Fuzzy Hash: 7cacea8a6d560d53ba0ec84eade20d20f437aab77614979711d369b1f784feae
Instruction Fuzzy Hash: 4231D339200206DFDB10CF68C586EAA77F1EF14318F24C15AE9158B392DB7AEE45C762

Function 007E3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 007E3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 007E3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 007E3F78

Strings

SysMonthCal32, xrefs: 007E3F0B

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: eec43464761fb45a78fec1accce7324a24e7fd00501249dff29f379cfa4d1209
Instruction ID: a2abbb1ada8f51e7ca663f016445fedb40604c2ba273dc204322cff946509896
Opcode Fuzzy Hash: eec43464761fb45a78fec1accce7324a24e7fd00501249dff29f379cfa4d1209
Instruction Fuzzy Hash: C221AD32600259BBDF218E54CC8AFEA3B79EF4C714F110214FA15AB1D0D6B9A9518B90

Function 007E4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 007E4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 007E4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 007E471A

Strings

msctls_updown32, xrefs: 007E4684

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: cebbc6159c2f3791f448f76f3017b6542fa80d5563f7094bcc6110a8cdb24e48
Instruction ID: 3c7c66675bb0645e864f2a03393fb515c8fce37c2431ea2a230851516ea1160e
Opcode Fuzzy Hash: cebbc6159c2f3791f448f76f3017b6542fa80d5563f7094bcc6110a8cdb24e48
Instruction Fuzzy Hash: 16218CB5601248AFDB11DF69DCC5DA737ADEB5E3A4B100059FA009B391CB74EC52CAA0

Function 007B95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007B961D

Strings

#requireadmin, xrefs: 007B95D9
#OnAutoItStartRegister, xrefs: 007B95F3
#notrayicon, xrefs: 007B95B7

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: db5274811f4095b8ec4c3a7e74eb37198a1f7c6c2b05c598fe9141c03dc023dd
Instruction ID: 5fd45525f68fdc193c7c3a7e9888c334ace7f0821b1e80f6a27e3639170aea68
Opcode Fuzzy Hash: db5274811f4095b8ec4c3a7e74eb37198a1f7c6c2b05c598fe9141c03dc023dd
Instruction Fuzzy Hash: 24216D72144510B6C731AB25DC0AFFB73E8DF55304F508026FB6997081EB9DAD55C2D5

Function 007E37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 007E3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 007E3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 007E3876

Strings

Listbox, xrefs: 007E380F

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: ae8ea61b59b19194e6cb74bff1688dbafd7f8df2408c054646cc1c455243ac43
Instruction ID: b4e5971e929239b46c821bcd3130fb06a96ba747f5075562499ac3293fdf9315
Opcode Fuzzy Hash: ae8ea61b59b19194e6cb74bff1688dbafd7f8df2408c054646cc1c455243ac43
Instruction Fuzzy Hash: 88218072611158BBEF219F56CC89EAB376EEF8D764F108124F9049B190C679DC5287A0

Function 007C49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007C4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 007C4A5C
SetErrorMode.KERNEL32(00000000,?,?,007ECC08), ref: 007C4AD0

Strings

%lu, xrefs: 007C4A6F

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: bdc923bd842bc54cea6150192e536162f5318efb24714b47cb12162bb8137d21
Instruction ID: d0a7a87756ab72ceb4aaf94a3c79e94d08aba7bc7a9f9ca6a42cad8479b37fd6
Opcode Fuzzy Hash: bdc923bd842bc54cea6150192e536162f5318efb24714b47cb12162bb8137d21
Instruction Fuzzy Hash: AA314F75A00109EFDB10DF64C885EAA77F8EF09308F148099E909DB252D779ED46CB61

Function 007E41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 007E424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 007E4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 007E4271

Strings

msctls_trackbar32, xrefs: 007E4226

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: e2b1b88a429607d7e32d9c7ac05dda2790907aeb6440b12a846dd74404a16012
Instruction ID: cd80bc586e4566cbd236380135f075353899d1dd1922e5e4d0aab38abae4b281
Opcode Fuzzy Hash: e2b1b88a429607d7e32d9c7ac05dda2790907aeb6440b12a846dd74404a16012
Instruction Fuzzy Hash: AB110631240288BEEF205F29CC46FAB3BACFF99B64F114124FA55E6090D275DC619B10

Function 007B2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00756B57: _wcslen.LIBCMT ref: 00756B6A

Part of subcall function 007B2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 007B2DC5
Part of subcall function 007B2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 007B2DD6
Part of subcall function 007B2DA7: GetCurrentThreadId.KERNEL32 ref: 007B2DDD
Part of subcall function 007B2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 007B2DE4

GetFocus.USER32 ref: 007B2F78

Part of subcall function 007B2DEE: GetParent.USER32(00000000), ref: 007B2DF9

GetClassNameW.USER32(?,?,00000100), ref: 007B2FC3
EnumChildWindows.USER32(?,007B303B), ref: 007B2FEB

Strings

%s%d, xrefs: 007B2FFF

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: e9313c3914012b15e29bfe494779dfca76284376325a8f344b7214da0ce758c3
Instruction ID: ac997fa21f0e3878b43fd8df50e28934c12199daa5d46fa6e7f509a71ad0a8d4
Opcode Fuzzy Hash: e9313c3914012b15e29bfe494779dfca76284376325a8f344b7214da0ce758c3
Instruction Fuzzy Hash: C61190B5700205ABDF557F608CCAFEE376AAF98304F148075FD099B252DE78994A8B60

Function 007E5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007E58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007E58EE
DrawMenuBar.USER32(?), ref: 007E58FD

Strings

0, xrefs: 007E588F

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 4e09ed26b54333a93bff150a171097ece8ff711001132d606c57b8af93151ccf
Instruction ID: e3d21517e65061888a030903b047bbd23d4370f1e30cac81a6f2767fc9cd957d
Opcode Fuzzy Hash: 4e09ed26b54333a93bff150a171097ece8ff711001132d606c57b8af93151ccf
Instruction Fuzzy Hash: D401613150129CEFDB119F12DC44BEEBBB4FB49368F108099E949DA151DB389A94DF21

Function 007B007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10764aa505963ef04041560f804f06a7e1d79dcdb254d2b73a4db770dc99768b
Instruction ID: 5ef9e44293c350d8e3a7a7c478a2ea6e66cf0df9e03cae861f196f7efc59fb66
Opcode Fuzzy Hash: 10764aa505963ef04041560f804f06a7e1d79dcdb254d2b73a4db770dc99768b
Instruction Fuzzy Hash: 28C14A75A0020AEFDB14CFA8C898BAEB7B5FF48714F208598E505EB251D735EE41DB90

Function 007D342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 007D3459
CoUninitialize.OLE32 ref: 007D3463
VariantInit.OLEAUT32(?), ref: 007D346E
VariantClear.OLEAUT32(?), ref: 007D371B

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: b57c451e22fdfac0db367ef623f962126c2f0418c653ddf2d1f1c758f1b2849b
Instruction ID: 05517ee3e2d8dc777a2597e8ab587b1e3b1b0721beaff31872e0dd241a285b50
Opcode Fuzzy Hash: b57c451e22fdfac0db367ef623f962126c2f0418c653ddf2d1f1c758f1b2849b
Instruction Fuzzy Hash: 05A13975204200DFC704DF28C589A6AB7F5FF88715F04885AF98A9B362DB78ED05CB92

Function 007B0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,007EFC08,?), ref: 007B05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,007EFC08,?), ref: 007B0608
CLSIDFromProgID.OLE32(?,?,00000000,007ECC40,000000FF,?,00000000,00000800,00000000,?,007EFC08,?), ref: 007B062D
_memcmp.LIBVCRUNTIME ref: 007B064E

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: c183a942124f4c8085a0a6c3c5bc2d47c1f19a1499df942d397754472061f7e5
Instruction ID: fbf55899c6dd11a219f80314872a12ba1cf90cafb1b24d927e63b7432087c386
Opcode Fuzzy Hash: c183a942124f4c8085a0a6c3c5bc2d47c1f19a1499df942d397754472061f7e5
Instruction Fuzzy Hash: 70810C75A00109EFCB04DF94C988EEEB7B9FF89315F204558F516AB250DB75AE06CBA0

Function 007DA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 007DA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 007DA6BA

Part of subcall function 00759CB3: _wcslen.LIBCMT ref: 00759CBD

Process32NextW.KERNEL32(00000000,?), ref: 007DA79C
CloseHandle.KERNEL32(00000000), ref: 007DA7AB

Part of subcall function 0076CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00793303,?), ref: 0076CE8A

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 87cb4c50451c0a7e464d3863ece6ff8d5ed6cc43675214dae972af41083e6353
Instruction ID: c9b784202783c992bd13838411200b47dcd6ebb4ccf2c36e03abec9281534914
Opcode Fuzzy Hash: 87cb4c50451c0a7e464d3863ece6ff8d5ed6cc43675214dae972af41083e6353
Instruction Fuzzy Hash: C1511D71508340EFD710DF24D885A6BBBE8FF89754F40491DF98597251EB74E908CB92

Function 00791391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007914C0

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: cad0ecf85fd29cf3da04dbec2a3c5026ca044eda754a7490aa14263b4cccc918
Instruction ID: 1d10dcad5fa014266d85640436494fa6c35be49a53e0bd23639d02bc82a2c44a
Opcode Fuzzy Hash: cad0ecf85fd29cf3da04dbec2a3c5026ca044eda754a7490aa14263b4cccc918
Instruction Fuzzy Hash: 1F418131640142EBDF21BBFCAC496BE3AE4FF49370F654225F41CD61A2E63C88215762

Function 007E6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 007E62E2
ScreenToClient.USER32(?,?), ref: 007E6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 007E6382

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 1c4a0f993b00a58270c8bd423b9ed04f3cdc9e04a8517287cbee7f3698614a86
Instruction ID: ff68e03c655ac949f39bb7861f21b1256330d956af9fb16468a6ac9337e83e56
Opcode Fuzzy Hash: 1c4a0f993b00a58270c8bd423b9ed04f3cdc9e04a8517287cbee7f3698614a86
Instruction Fuzzy Hash: F7515F74901285EFCF10DF69D8849AE7BB6FF693A0F108159F9159B290D734ED81CB50

Function 007D1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 007D1AFD
WSAGetLastError.WSOCK32 ref: 007D1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 007D1B8A
WSAGetLastError.WSOCK32 ref: 007D1B94

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 8556db65d3ab4de4c49c29c0663086c8ae9f1182ecbf656f9a776a848f4fee7d
Instruction ID: 8d26c6dcad7040310960caa842179e7c1e6466ecdba13e4a9937a795b2c17c1f
Opcode Fuzzy Hash: 8556db65d3ab4de4c49c29c0663086c8ae9f1182ecbf656f9a776a848f4fee7d
Instruction Fuzzy Hash: B941B575600200AFE720AF24C88AF6677E5AB44718F94C44DF91A9F3D2D7BAED41CB90

Function 0078B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 817ed0ae329d0296e91d3bfbbeee4255c622f9bf1f775e6010d4a8d0dbacafb4
Instruction ID: dbdd686559a47024b6691ba6500104ad320586fa22449881d5a165404f280718
Opcode Fuzzy Hash: 817ed0ae329d0296e91d3bfbbeee4255c622f9bf1f775e6010d4a8d0dbacafb4
Instruction Fuzzy Hash: 34413C71A40344FFD724AF38CC46B6E7BE9EB88710F10452EF54ADB292D379A9118790

Function 007C56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 007C5783
GetLastError.KERNEL32(?,00000000), ref: 007C57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 007C57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 007C57FA

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 7076e1cb60c02f742944c0ee4c6a69a4d6c5ec606ea66afd7de112f9c256e80c
Instruction ID: 2c0e7b801ae6881f70e39fa9221f3d573da0335185079e49dc09243f568888a1
Opcode Fuzzy Hash: 7076e1cb60c02f742944c0ee4c6a69a4d6c5ec606ea66afd7de112f9c256e80c
Instruction Fuzzy Hash: 91412C39600610DFCB15DF15C448A5EBBE2AF89321B19C488EC4A5B362DB79FD45CB91

Function 0078D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00776D71,00000000,00000000,007782D9,?,007782D9,?,00000001,00776D71,?,00000001,007782D9,007782D9), ref: 0078D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0078D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0078D9AB
__freea.LIBCMT ref: 0078D9B4

Part of subcall function 00783820: RtlAllocateHeap.NTDLL(00000000,?,00821444,?,0076FDF5,?,?,0075A976,00000010,00821440,007513FC,?,007513C6,?,00751129), ref: 00783852

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: d9d0225338450cf13348b95237fa97d8e3f92bff0566677854b1f1b4c4af80d4
Instruction ID: 717c515d1b9237a221f9ccc8f7165bbec6903e71e942e909886a309e11c03336
Opcode Fuzzy Hash: d9d0225338450cf13348b95237fa97d8e3f92bff0566677854b1f1b4c4af80d4
Instruction Fuzzy Hash: 4D31C172A0021AABDF25EF65DC85EAE7BA5EF40710F054168FC08DB191EB39DD51CB90

Function 007E52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 007E5352
GetWindowLongW.USER32(?,000000F0), ref: 007E5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007E5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007E53A8

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 709af4f92d97c42e9b7432a20df388e94561afa778f7f97330a6c485df96d655
Instruction ID: 7a6bf06884e81441c50227cc083604116b9d2ea14d90bcbec54c5d98d3346ce3
Opcode Fuzzy Hash: 709af4f92d97c42e9b7432a20df388e94561afa778f7f97330a6c485df96d655
Instruction Fuzzy Hash: 5331E634A57A8CEFEF309B16CC45BE97765AB0D39CF644101FA10961E1C7BC9D409741

Function 007BAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 007BABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 007BAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 007BAC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 007BACC6

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 63ae54129e61354627ae59a94e0bf343c65607a53b98cafd4dab8a35ec9402a9
Instruction ID: 6ec33c874a8bb06dcd1197db281d95c2e85b16920043982f088ed1d52c7d4d1c
Opcode Fuzzy Hash: 63ae54129e61354627ae59a94e0bf343c65607a53b98cafd4dab8a35ec9402a9
Instruction Fuzzy Hash: A4312630A00358BFFF35EB648C49BFE7FA6AB89310F04421AE491961D1D37C898187B2

Function 007E7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 007E769A
GetWindowRect.USER32(?,?), ref: 007E7710
PtInRect.USER32(?,?,007E8B89), ref: 007E7720
MessageBeep.USER32(00000000), ref: 007E778C

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: cef0475eba8ec2b3a79280cdec84ec0bfd02c167aa1ef6835f173b6126aa0c28
Instruction ID: 99af9c4215968df15565460c77e35fafb8ef69d2d8acfe5e6f147aa184a1abd9
Opcode Fuzzy Hash: cef0475eba8ec2b3a79280cdec84ec0bfd02c167aa1ef6835f173b6126aa0c28
Instruction Fuzzy Hash: F241A034606294DFDB15CF5AC898EA9BBF4FB4D314F5580A8E5149F261C334A982CF90

Function 007E16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 007E16EB

Part of subcall function 007B3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 007B3A57
Part of subcall function 007B3A3D: GetCurrentThreadId.KERNEL32 ref: 007B3A5E
Part of subcall function 007B3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007B25B3), ref: 007B3A65

GetCaretPos.USER32(?), ref: 007E16FF
ClientToScreen.USER32(00000000,?), ref: 007E174C
GetForegroundWindow.USER32 ref: 007E1752

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 9deeb02a95e6b3e4fdb1e27ed61bf31717b5a9b29127fac6491fcd42c8c00959
Instruction ID: d89eebbb94d90f279803a1f574ede21f2940ce11811c15e920efb3916e7a0006
Opcode Fuzzy Hash: 9deeb02a95e6b3e4fdb1e27ed61bf31717b5a9b29127fac6491fcd42c8c00959
Instruction Fuzzy Hash: 9D318175D00248EFC700EFAAC885DEEBBF9EF48304B5480A9E415E7251DB789E45CBA0

Function 007BDF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00757620: _wcslen.LIBCMT ref: 00757625

_wcslen.LIBCMT ref: 007BDFCB
_wcslen.LIBCMT ref: 007BDFE2
_wcslen.LIBCMT ref: 007BE00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 007BE018

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: ed1d7f1f34f9968786df6c52ddc7a0b9cb8a098fd2c31831f2f204415beaf08f
Instruction ID: ba03def54b7c657da87bfe6c533c77cbe8ac3eec37a24df104e51cade110b1e8
Opcode Fuzzy Hash: ed1d7f1f34f9968786df6c52ddc7a0b9cb8a098fd2c31831f2f204415beaf08f
Instruction Fuzzy Hash: D1219171900214EFCB21AFA8D985BAEB7F8EF49750F144065E905BB341D7789E418BA1

Function 007E8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00769BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00769BB2

GetCursorPos.USER32(?), ref: 007E9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,007A7711,?,?,?,?,?), ref: 007E9016
GetCursorPos.USER32(?), ref: 007E905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,007A7711,?,?,?), ref: 007E9094

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 6174c7eb61c52e11d8db753882d7da9f67ffc86e0b0920b148b906f9d8466fc4
Instruction ID: 72ae21da596d3d77da83c03d54fc4779ee3fd83006596123abea8c83a31b69b9
Opcode Fuzzy Hash: 6174c7eb61c52e11d8db753882d7da9f67ffc86e0b0920b148b906f9d8466fc4
Instruction Fuzzy Hash: 8A21F676201158EFCB268F95CC98EFA7BB9FF4D310F504055FA058B161C3399A91DB60

Function 007BD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,007ECB68), ref: 007BD2FB
GetLastError.KERNEL32 ref: 007BD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 007BD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,007ECB68), ref: 007BD376

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 4be1ad089d63954ed90343165342b2b6c990d0911c8dd666c93aafc282035006
Instruction ID: edf6ef72377f348cedab2229ff4d20e58ceba0b0e3a0c9c784555f4528d2047a
Opcode Fuzzy Hash: 4be1ad089d63954ed90343165342b2b6c990d0911c8dd666c93aafc282035006
Instruction Fuzzy Hash: A5217174505301DF8720DF28C8855EAB7E8AE59364F104A1DF899C72A2E739DD4ACB93

Function 007B1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007B1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 007B102A
Part of subcall function 007B1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 007B1036
Part of subcall function 007B1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007B1045
Part of subcall function 007B1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 007B104C
Part of subcall function 007B1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007B1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 007B15BE
_memcmp.LIBVCRUNTIME ref: 007B15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 007B1617
HeapFree.KERNEL32(00000000), ref: 007B161E

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: ae1246b169ae74b5680f9ac729887e747eb54242911a6341bb9f0a4b4f4668a6
Instruction ID: 5777e561daa4175c1890587f666fcaa09995cc3a608cfddcb29e387051836cd2
Opcode Fuzzy Hash: ae1246b169ae74b5680f9ac729887e747eb54242911a6341bb9f0a4b4f4668a6
Instruction Fuzzy Hash: 3721B371E01108EFDF10DFA4C955BEEB7B8EF44344F898459E441AB241EB38AE05CB90

Function 007E2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 007E280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 007E2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 007E2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 007E2840

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 275f4ae41333e08324654043253950405fec5014858c9c39ddd6edfa08ea9173
Instruction ID: 82969a1135e798a0715516a0fa32da1d8016f9629db3055871e29c04f01c4840
Opcode Fuzzy Hash: 275f4ae41333e08324654043253950405fec5014858c9c39ddd6edfa08ea9173
Instruction Fuzzy Hash: 45210635206190AFD7159B25CC45FAA77A9AF49324F148158F816CB2D3CB79FC43C790

Function 007B78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 007B8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,007B790A,?,000000FF,?,007B8754,00000000,?,0000001C,?,?), ref: 007B8D8C
Part of subcall function 007B8D7D: lstrcpyW.KERNEL32(00000000,?,?,007B790A,?,000000FF,?,007B8754,00000000,?,0000001C,?,?,00000000), ref: 007B8DB2
Part of subcall function 007B8D7D: lstrcmpiW.KERNEL32(00000000,?,007B790A,?,000000FF,?,007B8754,00000000,?,0000001C,?,?), ref: 007B8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,007B8754,00000000,?,0000001C,?,?,00000000), ref: 007B7923
lstrcpyW.KERNEL32(00000000,?,?,007B8754,00000000,?,0000001C,?,?,00000000), ref: 007B7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,007B8754,00000000,?,0000001C,?,?,00000000), ref: 007B7984

Strings

cdecl, xrefs: 007B797B

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 0338a04256a0d0e9a926ff5d0f6b0a06f1b66928eb85c581c0ca4a6492a34e3e
Instruction ID: 2b1cbd4e5df4e17fdc0d77e8cf59b5b5cf1e3088946d771141af1356dbe26b7a
Opcode Fuzzy Hash: 0338a04256a0d0e9a926ff5d0f6b0a06f1b66928eb85c581c0ca4a6492a34e3e
Instruction Fuzzy Hash: 3B11E93A201341EBCB199F34D845EBA77A9FF89350B50802AF946CB264EB39D811C751

Function 007E7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 007E7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 007E7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 007E7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,007CB7AD,00000000), ref: 007E7D6B

Part of subcall function 00769BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00769BB2

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 1ae01f80400a96aca67910732af38c48c820187ac1e4c8de86b9c4b5a7a75ec6
Instruction ID: 21d6ddd0fa9f8c1486c858ce04fadfac92496e8fdb44654339009fd5d2aeec32
Opcode Fuzzy Hash: 1ae01f80400a96aca67910732af38c48c820187ac1e4c8de86b9c4b5a7a75ec6
Instruction Fuzzy Hash: A811AE31206694AFCB158F29CC48A763BA8FF49360B258324F839CB2F0E7348951DB50

Function 007E5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 007E56BB
_wcslen.LIBCMT ref: 007E56CD
_wcslen.LIBCMT ref: 007E56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 007E5816

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 4aa115572f08eb7012b81568279efae43ba373b234283cb39e12b863f90ebb9e
Instruction ID: 9dd6935189b2adf653974614a55572a41a86fbea859b31b499ab43ad6503ecd3
Opcode Fuzzy Hash: 4aa115572f08eb7012b81568279efae43ba373b234283cb39e12b863f90ebb9e
Instruction Fuzzy Hash: FA11063560268DA6DF209F66CCC5EEE376CEF19768F108066F915D6081E778D980CB60

Function 00781D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 509be2b42c490e1c9c0e6594fc57a8d2261d62cdbc685f39fbf067bdcad57eb4
Instruction ID: 1a0f87eabd81bce4083490487f7bf440294dfc855a6e4ea884584fcd973c8ad5
Opcode Fuzzy Hash: 509be2b42c490e1c9c0e6594fc57a8d2261d62cdbc685f39fbf067bdcad57eb4
Instruction Fuzzy Hash: 9A01FDB238A60ABEF62136786CC4F27661CEF413B8B750725F520A11D2DB789C024330

Function 007B1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 007B1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 007B1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 007B1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 007B1A8A

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 13b55c1616740a784467c21eab40f3d35838ced60bcf470279bb9b096b23d320
Instruction ID: eb061cdec0c750cef5ee8ca322b61fdbcbaf6965abd13e50ceebdeeac7013997
Opcode Fuzzy Hash: 13b55c1616740a784467c21eab40f3d35838ced60bcf470279bb9b096b23d320
Instruction Fuzzy Hash: 7611273A901219FFEB119BA4CD85FEDBB78EB08750F604091EA00B7290D6716E50DB94

Function 007BE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 007BE1FD
MessageBoxW.USER32(?,?,?,?), ref: 007BE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 007BE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 007BE24D

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 80c52bc493ae2fbb89c32cde0098ff0bb3ea673926bf2eb43b2c6d7400fbde3d
Instruction ID: 448ba1a47bc0798350de6c0396dfe4d64b02d96e4c8626e90312e9dd7ced12dd
Opcode Fuzzy Hash: 80c52bc493ae2fbb89c32cde0098ff0bb3ea673926bf2eb43b2c6d7400fbde3d
Instruction Fuzzy Hash: CA11E1B6904258ABCB11DBA89C4DADA7BADBB45320F108259F825E7391D7B89D0187A0

Function 0077D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0077CFF9,00000000,00000004,00000000), ref: 0077D218
GetLastError.KERNEL32 ref: 0077D224
__dosmaperr.LIBCMT ref: 0077D22B
ResumeThread.KERNEL32(00000000), ref: 0077D249

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 5729f86183d2fcae023d59cb4cd10f720471a5a1a9ae9ec8d5c47503d4ac541d
Instruction ID: a212d2c8e11dba5556a077f5840e8e76130bad72362a5fad54bdd3340d67a3e8
Opcode Fuzzy Hash: 5729f86183d2fcae023d59cb4cd10f720471a5a1a9ae9ec8d5c47503d4ac541d
Instruction Fuzzy Hash: FE012636405208BBCF215BA5DC09BAE3A78EF853B1F20C219F928960D1CB788D02C6A1

Function 007E9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00769BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00769BB2

GetClientRect.USER32(?,?), ref: 007E9F31
GetCursorPos.USER32(?), ref: 007E9F3B
ScreenToClient.USER32(?,?), ref: 007E9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 007E9F7A

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: a6632fd1ebede43d4695c3b4c0fce8b0f751d2f455dc4777419c2e5e719b8572
Instruction ID: 4259d02e530e4763d72f5e99acc0283addee0e19b197b92257d3f89331aec3fc
Opcode Fuzzy Hash: a6632fd1ebede43d4695c3b4c0fce8b0f751d2f455dc4777419c2e5e719b8572
Instruction Fuzzy Hash: 40118C7690225AEBCF11DF59D8899EE77B8FB09301F104451FA01E7141C338BA82CBA1

Function 0075600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0075604C
GetStockObject.GDI32(00000011), ref: 00756060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0075606A

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 9cbe253024107fb249d273959b31d6f76ee69c40f88eb05b6f396f11ea1c36f9
Instruction ID: d1be156212ee479c6965fd6a69ed0afdcc66aa67f17fd78ba5e5936ce0ae286a
Opcode Fuzzy Hash: 9cbe253024107fb249d273959b31d6f76ee69c40f88eb05b6f396f11ea1c36f9
Instruction Fuzzy Hash: 4A11A172102548BFEF124F94DC44EEA7B69FF0C365F404201FE0856050C77A9C61DB90

Function 00773B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00773B56

Part of subcall function 00773AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00773AD2
Part of subcall function 00773AA3: ___AdjustPointer.LIBCMT ref: 00773AED

_UnwindNestedFrames.LIBCMT ref: 00773B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00773B7C
CallCatchBlock.LIBVCRUNTIME ref: 00773BA4

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: bbf044eeee2bcc55ef3afd061ca0b944283a5c71ca68e0dfa646ac21e8e2144c
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 52012972100148FBDF125E95CC4AEEB3B6AEF48794F048018FE5C56121C73AE961EBA0

Function 00783073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,007513C6,00000000,00000000,?,0078301A,007513C6,00000000,00000000,00000000,?,0078328B,00000006,FlsSetValue), ref: 007830A5
GetLastError.KERNEL32(?,0078301A,007513C6,00000000,00000000,00000000,?,0078328B,00000006,FlsSetValue,007F2290,FlsSetValue,00000000,00000364,?,00782E46), ref: 007830B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0078301A,007513C6,00000000,00000000,00000000,?,0078328B,00000006,FlsSetValue,007F2290,FlsSetValue,00000000), ref: 007830BF

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: d44f0c509b8f77e147dbd86c5e70809576acab80f21ef57397f657e0baa36bac
Instruction ID: c32accf6587dd8e0c94cd727b5a4b25d57ce9468204656a947e3485bf102c800
Opcode Fuzzy Hash: d44f0c509b8f77e147dbd86c5e70809576acab80f21ef57397f657e0baa36bac
Instruction Fuzzy Hash: CC01F736382326ABCB315BBD9C849677B9AAF09F71B204720F915E7140C729D902C7E0

Function 007B7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 007B747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 007B7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 007B74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 007B74CA

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 8aba1a74d01f67e010c833d2e67b8cce00bd195384724ddc4143c2b03414f34b
Instruction ID: 670f7eba7130008d253cbc74cf4764d77bc783ff710bd8004076516f4a9ea63e
Opcode Fuzzy Hash: 8aba1a74d01f67e010c833d2e67b8cce00bd195384724ddc4143c2b03414f34b
Instruction Fuzzy Hash: 4711C4B52063949FE7248F14DC48FD27FFCEB44B11F108569B616DA191D778E904DB50

Function 007BB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,007BACD3,?,00008000), ref: 007BB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,007BACD3,?,00008000), ref: 007BB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,007BACD3,?,00008000), ref: 007BB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,007BACD3,?,00008000), ref: 007BB126

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 228b5c7f937f6ad0bd64994e711de37aa4092c53c42180658e80768b64c69630
Instruction ID: b9b9359bb699204f0d0b259ebee37733020e09bcf39fc6c257e8eb8eb979154a
Opcode Fuzzy Hash: 228b5c7f937f6ad0bd64994e711de37aa4092c53c42180658e80768b64c69630
Instruction Fuzzy Hash: E9113971C0152CE7CF00AFE8E9997EEBB78FF0A711F108085D941B6281CBB89A518B55

Function 007E7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 007E7E33
ScreenToClient.USER32(?,?), ref: 007E7E4B
ScreenToClient.USER32(?,?), ref: 007E7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 007E7E8A

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 3850e9ec2556d876a05dfc2ec1f9273291cf0f29d835fcaee58f020824a7e87c
Instruction ID: eba8346dbe030991613879b895f02d8f86509ba3c0d4041190175298c83b0400
Opcode Fuzzy Hash: 3850e9ec2556d876a05dfc2ec1f9273291cf0f29d835fcaee58f020824a7e87c
Instruction Fuzzy Hash: 5E1140B9D0024AAFDB41CF99D884AEEBBF9FB08310F509066E915E2210D735AA55CF94

Function 007B2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 007B2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 007B2DD6
GetCurrentThreadId.KERNEL32 ref: 007B2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 007B2DE4

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 8a234944c15fbca3f93f361cb054f9a4241fc914c43867832da1dffe5fa96fa9
Instruction ID: a438215095233ff2f4b785289053e41815253182fdd4458784ddf52ceec93580
Opcode Fuzzy Hash: 8a234944c15fbca3f93f361cb054f9a4241fc914c43867832da1dffe5fa96fa9
Instruction Fuzzy Hash: 6EE09276203224BBDB211B729C4EFEB3E6CEF4ABA1F004019F105D90819AA8C842C6B1

Function 007E8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00769639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00769693
Part of subcall function 00769639: SelectObject.GDI32(?,00000000), ref: 007696A2
Part of subcall function 00769639: BeginPath.GDI32(?), ref: 007696B9
Part of subcall function 00769639: SelectObject.GDI32(?,00000000), ref: 007696E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 007E8887
LineTo.GDI32(?,?,?), ref: 007E8894
EndPath.GDI32(?), ref: 007E88A4
StrokePath.GDI32(?), ref: 007E88B2

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 3d5b03664b9227e9e166623c39043667742bfa31c6e2eb44a2e681faa712b053
Instruction ID: 797f169b992f85602dce246ed5cfc2b27000999485619fdad8d153f50aeb52aa
Opcode Fuzzy Hash: 3d5b03664b9227e9e166623c39043667742bfa31c6e2eb44a2e681faa712b053
Instruction Fuzzy Hash: CAF03A3A042298FADF135F94AC0DFCA3E59AF1A310F54C000FE11691E1C7795552CBA9

Function 007698B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 007698CC
SetTextColor.GDI32(?,?), ref: 007698D6
SetBkMode.GDI32(?,00000001), ref: 007698E9
GetStockObject.GDI32(00000005), ref: 007698F1

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: cdc92a3bddf1dfbd704da66018ada402c1984a97e6d5009a4924ecc9698ff08a
Instruction ID: cdeb25898eb65d4372e9340dd6f7c20c294e9179824731d3b85fbdd77ef34bc4
Opcode Fuzzy Hash: cdc92a3bddf1dfbd704da66018ada402c1984a97e6d5009a4924ecc9698ff08a
Instruction Fuzzy Hash: 1AE06D362456C4AADB225B78EC49BE83F20EB5A336F14C319F6FA580E1C3794651DB10

Function 007B162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 007B1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,007B11D9), ref: 007B163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,007B11D9), ref: 007B1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,007B11D9), ref: 007B164F

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: c5e7ef7617cbab1936c03254ba50f1288c03a824c28203d590132ab6b5d551d3
Instruction ID: 2622ca08a41eca0eece854f42e76839fe9f4c08b32e677e5e5a97394caf2f664
Opcode Fuzzy Hash: c5e7ef7617cbab1936c03254ba50f1288c03a824c28203d590132ab6b5d551d3
Instruction Fuzzy Hash: A8E08635603211DBD7201FA49E5DB863B7CAF48795F14C808F745CD080DB3C4442C759

Function 007AD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 007AD858
GetDC.USER32(00000000), ref: 007AD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 007AD882
ReleaseDC.USER32(?), ref: 007AD8A3

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 4de6f80707b73d59595e57906409b3fd6e9dd4f80722cff8f8f0d58f27eec8f3
Instruction ID: d3d32d2ee03e3ddcfaeb04a851c6c42d8a24405112bd63988123adbaafe3b160
Opcode Fuzzy Hash: 4de6f80707b73d59595e57906409b3fd6e9dd4f80722cff8f8f0d58f27eec8f3
Instruction Fuzzy Hash: 1DE0E5B9801204DFCF529FA4984866EBBB1AB48311B148409E816AB250CB3C8942AF44

Function 007AD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 007AD86C
GetDC.USER32(00000000), ref: 007AD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 007AD882
ReleaseDC.USER32(?), ref: 007AD8A3

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 5bf15fbc881fbd8863a84dd6291b2faa6af60d57df70b02f220101e6f3d6b227
Instruction ID: e90675a55093e5c6a8c0bfeaa9d0d5ff7c19cd767f2d778d02f6260042e76acb
Opcode Fuzzy Hash: 5bf15fbc881fbd8863a84dd6291b2faa6af60d57df70b02f220101e6f3d6b227
Instruction Fuzzy Hash: 8AE01A79C01200DFCF529FA4DC4C66EBBB1BB4C311B148408E916EB250CB3C59029F44

Function 007C4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00757620: _wcslen.LIBCMT ref: 00757625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 007C4ED4

Strings

LPT, xrefs: 007C4DFB
*, xrefs: 007C4E10

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: dc474b8c1a67a1aa88ec0d1980d94e1a2e06a27ef84cbdef8a9e0a642950ec34
Instruction ID: 21da90be29fa46b3643f88cc7afb32a3637c6bc422517655db68bf45dc4d10ce
Opcode Fuzzy Hash: dc474b8c1a67a1aa88ec0d1980d94e1a2e06a27ef84cbdef8a9e0a642950ec34
Instruction Fuzzy Hash: AB914B75A00204DFDB14DF58C494FAABBF1AF48304F19809DE84A9B3A2D779ED85CB91

Function 0077E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0077E30D

Strings

pow, xrefs: 0077E2E5, 0077E302

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: f1cbf98158d490c9df8b8515d335f77f6257d5b7704ae603e57f6e8bfbecd5bf
Instruction ID: 7d67b100f5060baf2ddb962210142406cad946b3a7a5d38af655e86f14c19e10
Opcode Fuzzy Hash: f1cbf98158d490c9df8b8515d335f77f6257d5b7704ae603e57f6e8bfbecd5bf
Instruction Fuzzy Hash: 71512661A5C60296CF197714C94537A3BA4AB44780F34CDD8E09B872AAEB3DCC92DB46

Function 0076E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0076E1B1

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 4f2498175a64384334aecacff2cd258726c2cf38f3419f930a2898028167ebe2
Instruction ID: e246e4092a182ab39d7ccf4c7dcebc9d65e8542879bb8eecbe7930ea49ab58ce
Opcode Fuzzy Hash: 4f2498175a64384334aecacff2cd258726c2cf38f3419f930a2898028167ebe2
Instruction Fuzzy Hash: C2516239900246DFDB18DF28C0956FA7BA5FF96310F248115FC929B2C0DA3C9D42CBA0

Function 0076F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0076F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0076F2BB

Strings

@, xrefs: 0076F2AF

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: cd53c769c1e912b661dc038548b4ffa995664acdff0ae3e733150d7c75136905
Instruction ID: 820e3fd745187ada67fda05a22d1d798d36426ba3050d98a122a7a4f8ddf2ce5
Opcode Fuzzy Hash: cd53c769c1e912b661dc038548b4ffa995664acdff0ae3e733150d7c75136905
Instruction Fuzzy Hash: 58512772418744DBD320AF10EC8ABAFBBF8FB84311F81885DF5D941195EB748929CB66

Function 007D5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 007D57E0
_wcslen.LIBCMT ref: 007D57EC

Strings

CALLARGARRAY, xrefs: 007D57E6, 007D57EB

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 721e512fe517520c48293e9ffd33a8ea3b4d27961091ca0e0a2ff5dee11caf12
Instruction ID: f0f11b24edb8fa458f62dae11c9138931b98a3311cb58d27ff48af19a361760d
Opcode Fuzzy Hash: 721e512fe517520c48293e9ffd33a8ea3b4d27961091ca0e0a2ff5dee11caf12
Instruction Fuzzy Hash: 7B418E31A00209DFCB14DFA9C8859EEBBB5FF59324F14406AE506A7351E7789D81DBA0

Function 007CD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007CD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 007CD13A

Strings

|, xrefs: 007CD10B

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: b5d52c385f56f68816ab60120dc28734ff0cec711fe4d89782eff28178faeec6
Instruction ID: de6548b773d104df441f8043ecb41318aa968cdcb7c8f37b2f7a012b8a3415c6
Opcode Fuzzy Hash: b5d52c385f56f68816ab60120dc28734ff0cec711fe4d89782eff28178faeec6
Instruction Fuzzy Hash: 2531F871D01209EBCF15EFA4CC89AEEBBB9FF04340F004029F915A6162E679AA46CB50

Function 007E356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 007E3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 007E365C

Strings

static, xrefs: 007E35BC

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 650581c0f36d39a931953006df842df6cb879c33a7361ee397048a998f478154
Instruction ID: 26274053fe8e755ac5e679f2ae983070804507574e18ce4dff09c591849dcc4d
Opcode Fuzzy Hash: 650581c0f36d39a931953006df842df6cb879c33a7361ee397048a998f478154
Instruction Fuzzy Hash: 73319E71101244AEDB109F39DC85EFB73A9FF88724F109619F8A597280DA39AD91D760

Function 007E4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 007E461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007E4634

Strings

', xrefs: 007E458E

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: b7ae364b430f170d2a7a3861a235159bab4c96c5f9ae7a68d26e0eb3aa41c677
Instruction ID: d286979c0ef09698f229ef54cc336596c144aacfe3fccaf8c2cdf14335fab01b
Opcode Fuzzy Hash: b7ae364b430f170d2a7a3861a235159bab4c96c5f9ae7a68d26e0eb3aa41c677
Instruction Fuzzy Hash: F2313974A023499FDF14CFAAC980BDABBB5FF09300F10406AE904AB381D774A951CF90

Function 007E31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 007E327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007E3287

Strings

Combobox, xrefs: 007E3249

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 8e7e5fa04db6c67ef92a9b952793d637349b7829a5c7b8816089cae24b895b35
Instruction ID: 32500e837b170846f8785c57de8a81fc462644de046363392ca6c42b53992f67
Opcode Fuzzy Hash: 8e7e5fa04db6c67ef92a9b952793d637349b7829a5c7b8816089cae24b895b35
Instruction Fuzzy Hash: 4211B271301248BFEF219E59DC88EBB37AEFB98364F104128FA58DB290D6799D518760

Function 007E3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0075600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0075604C
Part of subcall function 0075600E: GetStockObject.GDI32(00000011), ref: 00756060
Part of subcall function 0075600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0075606A

GetWindowRect.USER32(00000000,?), ref: 007E377A
GetSysColor.USER32(00000012), ref: 007E3794

Strings

static, xrefs: 007E3757

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 4c0ac139d8cc93bad3393e97ddf762d630722de54a6a968a0318d465f28fe99a
Instruction ID: 98ed50f043d822e8d279e3f539118ce499837e49c7c1656fe22e5a01730c5fdd
Opcode Fuzzy Hash: 4c0ac139d8cc93bad3393e97ddf762d630722de54a6a968a0318d465f28fe99a
Instruction Fuzzy Hash: 4D1129B2611249AFDF11DFA8CC89EEA7BB8FB08314F004524F955E3250D779E9619B50

Function 007CCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 007CCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 007CCDA6

Strings

<local>, xrefs: 007CCD66

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 4103bcf1997f7882cbde8f14994c48a92b2cf71fec0dfdcb6214ae955fc86fbe
Instruction ID: 23e1953d7e3be197cddd90ba07427609209d7219e5bdb366be862c77ca1a2ed9
Opcode Fuzzy Hash: 4103bcf1997f7882cbde8f14994c48a92b2cf71fec0dfdcb6214ae955fc86fbe
Instruction Fuzzy Hash: 8711A375705632BAD7264A669C85FE7BF6CEF127A4F00422EF10E86180D7789841D6F0

Function 007E3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 007E34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007E34BA

Strings

edit, xrefs: 007E348F

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 4ac4e9395e137377484911d4e73ef2336febd5124a6990e6a157605b0ba66a91
Instruction ID: 9e92c36429dcf6c189d10ee73277f0b6db85970fb761135cb0e4ca9e390bb650
Opcode Fuzzy Hash: 4ac4e9395e137377484911d4e73ef2336febd5124a6990e6a157605b0ba66a91
Instruction Fuzzy Hash: 7511BF71102188ABEB124E65DC88AFB376AEB0A374F504324F964971D0C779DD519B50

Function 007B6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00759CB3: _wcslen.LIBCMT ref: 00759CBD

CharUpperBuffW.USER32(?,?,?), ref: 007B6CB6
_wcslen.LIBCMT ref: 007B6CC2

Strings

STOP, xrefs: 007B6CBC, 007B6CC1

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: e666aa4ad6f1db5e75e93c50fc103bade61f3ee9f681efa6206b932481ab1e54
Instruction ID: 1dbfdd421cd27c1f444ab198ce901fde13b2391bdd9376f7b71d4e2cf52172e9
Opcode Fuzzy Hash: e666aa4ad6f1db5e75e93c50fc103bade61f3ee9f681efa6206b932481ab1e54
Instruction Fuzzy Hash: 54010432600526CBCB20AFBDCC95AFF77A5EB607107000924EA5296190EB3DEC04C660

Function 007B1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00759CB3: _wcslen.LIBCMT ref: 00759CBD

Part of subcall function 007B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 007B3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 007B1D4C

Strings

ComboBox, xrefs: 007B1CEB
ListBox, xrefs: 007B1D16

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 8af9a872a534002ab637ff8d672b54840a216c13d00c1077078064db639bcf85
Instruction ID: 087d4d996a562a0dfe9d6360dc1ad0dfabbf643d4d5fdd74bdfcef30e3271351
Opcode Fuzzy Hash: 8af9a872a534002ab637ff8d672b54840a216c13d00c1077078064db639bcf85
Instruction Fuzzy Hash: 0401D875701214EB8B04EBA4CC65EFE7769FF46350B940919FC32A73C1EA78590C8670

Function 007B1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00759CB3: _wcslen.LIBCMT ref: 00759CBD

Part of subcall function 007B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 007B3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 007B1C46

Strings

ComboBox, xrefs: 007B1BE5
ListBox, xrefs: 007B1C10

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 443254fc394b1a72126ab426d5f4bf4c6ed40feb09075b5fa5bb9083c4f40621
Instruction ID: 9b844608274c852aefaf9098f67f812af42b379559be227374a6fa245184e170
Opcode Fuzzy Hash: 443254fc394b1a72126ab426d5f4bf4c6ed40feb09075b5fa5bb9083c4f40621
Instruction Fuzzy Hash: 0101A775681104E6DB04EBA0C966BFF7BA8DF55340F940419E916772C2EA6C9E0C86B1

Function 007B1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00759CB3: _wcslen.LIBCMT ref: 00759CBD

Part of subcall function 007B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 007B3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 007B1CC8

Strings

ComboBox, xrefs: 007B1C69
ListBox, xrefs: 007B1C94

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 0aa2ab8f5c758b3111b31dc72af83262ea1943279f08f872ba4a6f14ea2461e2
Instruction ID: bf39526d2e9ece4ff83296f4c9cda3b2754515c5e3f5d127a29b6c3ca6c20363
Opcode Fuzzy Hash: 0aa2ab8f5c758b3111b31dc72af83262ea1943279f08f872ba4a6f14ea2461e2
Instruction Fuzzy Hash: 4C01A275681118E6DB04EBA4CA15BFE7BACAB11340BA40415BD12B3282EA689F08C671

Function 007B1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00759CB3: _wcslen.LIBCMT ref: 00759CBD

Part of subcall function 007B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 007B3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 007B1DD3

Strings

ComboBox, xrefs: 007B1D75
ListBox, xrefs: 007B1DA0

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 9c0877dbd537e3175078d54a22029db18ecbeea5811c2a5915102fb225c5ab7b
Instruction ID: 54689f6c6c1d6871dc24d4cef7979dea25cb7dabcfed8d1c57bf385af5503c6c
Opcode Fuzzy Hash: 9c0877dbd537e3175078d54a22029db18ecbeea5811c2a5915102fb225c5ab7b
Instruction Fuzzy Hash: 4DF08175B41214E6DB04A7A4CC66BFE7768AB01350F940D19F922A72C2DAA8690C8270

Function 0076FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00770668

Part of subcall function 007732A4: RaiseException.KERNEL32(?,?,?,0077068A,?,00821444,?,?,?,?,?,?,0077068A,00751129,00818738,00751129), ref: 00773304

__CxxThrowException@8.LIBVCRUNTIME ref: 00770685

Strings

Unknown exception, xrefs: 00770692

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 1034e7b0adfeb969adde27f90b1157bf39014d01041db2ed4cf9ef01ba59ab14
Instruction ID: bad2af6268aa2df2e83c192a93fef7aae4c7bc5ee3d28e192d9de49c3cb60e3c
Opcode Fuzzy Hash: 1034e7b0adfeb969adde27f90b1157bf39014d01041db2ed4cf9ef01ba59ab14
Instruction Fuzzy Hash: FBF0A424A00209E78F04B664E86ADAE776C6E40390B60C571FC2CD5592EF79EA6585C0

Function 007D747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007D7493
_wcslen.LIBCMT ref: 007D74B9

Strings

3, 3, 16, 1, xrefs: 007D7483

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 0acc0645e3a60164f6c249c24abdbff19bf3c1e96eb89ca98668956b55e9f087
Instruction ID: 90cca1c9d3ca3126148630ab90b4e4a713df3d2e4aa770293577803ff0972e87
Opcode Fuzzy Hash: 0acc0645e3a60164f6c249c24abdbff19bf3c1e96eb89ca98668956b55e9f087
Instruction Fuzzy Hash: A4E02B0220426061923612799CC597F5A9DDFC5790710182BFA89C2366FB9C9D91D3A1

Function 007B0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 007B0B23

Strings

AutoIt, xrefs: 007B0B17
Error allocating memory., xrefs: 007B0B1C

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: dc6f61d4073d296c142b9748d3472b543c4752f6f3fa64e11b6985010103dec5
Instruction ID: 8b2c9ac4ca5bf8f7d1ae75e6e256974851bcbd9bd596f7d5389c4bf9258af29c
Opcode Fuzzy Hash: dc6f61d4073d296c142b9748d3472b543c4752f6f3fa64e11b6985010103dec5
Instruction Fuzzy Hash: DFE0D835385348A6D21536557C07FC97E889F09B65F10446AFF58955C38BEA289006E9

Function 00770D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0076F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00770D71,?,?,?,0075100A), ref: 0076F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0075100A), ref: 00770D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0075100A), ref: 00770D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00770D7F

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: be4e03f6d13745dc0d5769bb81b45f4bf888cd4fbf46fc427855d080d41da9e4
Instruction ID: f61ee4320f0fe0578ed6350f8fd24ec2131335e3cc503f08d13ca42b55b3e10e
Opcode Fuzzy Hash: be4e03f6d13745dc0d5769bb81b45f4bf888cd4fbf46fc427855d080d41da9e4
Instruction Fuzzy Hash: 55E039742013818BD7309FA9E8482527BE4BB18784F00893DE88ACA651DBBCE4458BD1

Function 007C3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 007C302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 007C3044

Strings

aut, xrefs: 007C3038

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 93018a23b32e09d3a9c333933f9bde7b679e4a3ac5958e88ba3f7c43859ce0bc
Instruction ID: 36bffb5e412449d2c0dc766bf907805cc8884e6a1f333bd76523ff28b0f639da
Opcode Fuzzy Hash: 93018a23b32e09d3a9c333933f9bde7b679e4a3ac5958e88ba3f7c43859ce0bc
Instruction Fuzzy Hash: F4D05B7550132467DA209794AC4DFC73B6CFB04751F0001517755DA091DAB49585CAD4

Function 007AD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 007AD220

Strings

X64, xrefs: 007AD2A8
%.3d, xrefs: 007AD22B

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 784f4490577c1ef6e115f6ba00ad3d7cc0ed13ad337e4d3359f969a92b56a147
Instruction ID: 5f04b83a7e55da9a7bab34bb518c0378935e8cabac5602b6de67f200accbebf0
Opcode Fuzzy Hash: 784f4490577c1ef6e115f6ba00ad3d7cc0ed13ad337e4d3359f969a92b56a147
Instruction Fuzzy Hash: B1D012A1C09109E9CB6096E0DC49AF9B37CFB49301F508552FD17D1480D62CCD48EB61

Function 007E2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007E236C
PostMessageW.USER32(00000000), ref: 007E2373

Part of subcall function 007BE97B: Sleep.KERNEL32 ref: 007BE9F3

Strings

Shell_TrayWnd, xrefs: 007E2365

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 361c673fc5c36b56832a3056c5d445f985f33e9f83833702767ba21ad7309c83
Instruction ID: 0d055fc8acc1df6e26143331149dddb4ac8c372839f261b65f8ec9e5d3d45a27
Opcode Fuzzy Hash: 361c673fc5c36b56832a3056c5d445f985f33e9f83833702767ba21ad7309c83
Instruction Fuzzy Hash: 73D0A93A382340BAE264A3309C4FFC66608AB08B00F008A127241EA2D0C9A8B8428A08

Function 007E2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007E232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 007E233F

Part of subcall function 007BE97B: Sleep.KERNEL32 ref: 007BE9F3

Strings

Shell_TrayWnd, xrefs: 007E2325

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: e28b05100c11a45ac2f521cc37d2be4275cf4e483add12e87a877ae60a24b49c
Instruction ID: 90998670f5c0388778b90aed1086acd9ffa4f4088b0cf8b0bb0d13c5a8cd41f6
Opcode Fuzzy Hash: e28b05100c11a45ac2f521cc37d2be4275cf4e483add12e87a877ae60a24b49c
Instruction Fuzzy Hash: 8CD0A93A382340BAE264A3309C4FFC66A08AB04B00F008A127245EA2D0C9A8B8428A08

Function 0078BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0078BE93
GetLastError.KERNEL32 ref: 0078BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0078BEFC

Memory Dump Source

Source File: 00000000.00000002.2110427479.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.2110411353.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.00000000007EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110490023.0000000000812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110536499.000000000081C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110553149.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 01d298c303fc10e62dde5c36fde5edc04d4671e1ab7fe03225f028a1acb074dd
Instruction ID: 01d184c86bb250ed789cab7f7c9df020d5cbd90b9163fed5da98d1c57ba47077
Opcode Fuzzy Hash: 01d298c303fc10e62dde5c36fde5edc04d4671e1ab7fe03225f028a1acb074dd
Instruction Fuzzy Hash: 65412B35640206EFCF31AFA4CC84ABA7BA4EF46310F244169FE599B1A1DB388D01CF51

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91

Source: global traffic	HTTP traffic detected: GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1Host: youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1Host: www.youtube.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: YSC=W4sg3HhEEqg
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=-145264982&timestamp=1727882695313 HTTP/1.1Host: accounts.youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=518=iQ_rgBsCR40IP7ZIsV0eBK9QSSCVb4wm0QaAEm2Mt4eF2Py53p03vuonXnigkAFZxcd7_8Cu2sa3ctGd_CYxqEhvb9eULrNTgzwxa1M1_h6016H5OCJ8xZcw3re3h1KJmogJGnwfHWVazYm-ypPJLl2a5JjhR6HnOR6ETgHzEgIvQ5-5FeY
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=CvZ2vnRdKUFwUDn&MD=F7rlYPu7 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=CvZ2vnRdKUFwUDn&MD=F7rlYPu7 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 100

Chrome Cache Entry: 101

Chrome Cache Entry: 102

Chrome Cache Entry: 103

Chrome Cache Entry: 104

Chrome Cache Entry: 105

Chrome Cache Entry: 106

Chrome Cache Entry: 107

Chrome Cache Entry: 108

Chrome Cache Entry: 93

Chrome Cache Entry: 94

Windows Analysis Report
file.exe

Function 007542DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 007542A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00792BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 007BD4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Function 007BDBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Function 007DAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Function 00752CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 0079065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre