Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1524374
MD5:	6695b4f09fe9d39c9be1fd74e89ecc19
SHA1:	20621918295bb2f7da03bcc9d80e0ff23a35fabc
SHA256:	6a06f869eb3cb873f69ff529c2c58d39461c529cbfaa779a2b73d600d5900daf
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of debugger detection

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 3468 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 6695B4F09FE9D39C9BE1FD74E89ECC19)

taskkill.exe (PID: 7068 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chrome.exe (PID: 3768 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 2784 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1920,i,15775063943699427180,18124123659380723990,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 6116 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5428 --field-trial-handle=1920,i,15775063943699427180,18124123659380723990,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 6536 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3244 --field-trial-handle=1920,i,15775063943699427180,18124123659380723990,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 3468	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

String found in binary or memory: _.fq(p)+"/familylink/privacy/notice/embedded?langCountry="+_.fq(p);break;case "PuZJUb":a+="https://www.youtube.com/t/terms?chromeless=1&hl="+_.fq(m);break;case "fxTQxb":a+="https://youtube.com/t/terms?gl="+_.fq(_.oq(c))+"&hl="+_.fq(d)+"&override_hl=1"+(f?"&linkless=1":"");break;case "prAmvd":a+="https://www.google.com/intl/"+_.fq(m)+"/chromebook/termsofservice.html?languageCode="+_.fq(d)+"&regionCode="+_.fq(c);break;case "NfnTze":a+="https://policies.google.com/privacy/google-partners"+(f?"/embedded": equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: accounts.youtube.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com

Source: unknown

HTTP traffic detected: POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveContent-Length: 518sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"Content-Type: application/x-www-form-urlencoded;charset=UTF-8sec-ch-ua-full-version: "117.0.5938.134"sec-ch-ua-platform-version: "10.0.0"X-Goog-AuthUser: 0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*Origin: https://accounts.google.comX-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: chromecache_89.6.dr	String found in binary or memory: https://accounts.google.com
Source: chromecache_89.6.dr	String found in binary or memory: https://accounts.google.com/TOS?loc=
Source: chromecache_87.6.dr	String found in binary or memory: https://apis.google.com/js/api.js
Source: chromecache_89.6.dr	String found in binary or memory: https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage
Source: chromecache_89.6.dr	String found in binary or memory: https://families.google.com/intl/
Source: chromecache_87.6.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/drive_2020q4/v10/192px.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/gmail_2020q4/v10/web-48dp/logo_gmail_2020q4_color_2x_web_
Source: chromecache_87.6.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/maps/v7/192px.svg
Source: chromecache_89.6.dr	String found in binary or memory: https://g.co/recover
Source: chromecache_89.6.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_89.6.dr	String found in binary or memory: https://play.google.com/work/enroll?identifier=
Source: chromecache_89.6.dr	String found in binary or memory: https://play.google/intl/
Source: chromecache_89.6.dr	String found in binary or memory: https://policies.google.com/privacy
Source: chromecache_89.6.dr	String found in binary or memory: https://policies.google.com/privacy/additional
Source: chromecache_89.6.dr	String found in binary or memory: https://policies.google.com/privacy/google-partners
Source: chromecache_89.6.dr	String found in binary or memory: https://policies.google.com/technologies/cookies
Source: chromecache_89.6.dr	String found in binary or memory: https://policies.google.com/technologies/location-data
Source: chromecache_89.6.dr	String found in binary or memory: https://policies.google.com/terms
Source: chromecache_89.6.dr	String found in binary or memory: https://policies.google.com/terms/location
Source: chromecache_89.6.dr	String found in binary or memory: https://policies.google.com/terms/service-specific
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-email-pin.gif
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-password.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-or-voice-pin.gif
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-pin.gif
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-stop-go-landing-page_1x.png
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/animation/
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_device.png
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_pin.png
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync.png
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_1x.png
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_2x.png
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_darkmode_1x.png
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/continue_on_your_phone.png
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_phone_number_verification.png
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_silent_tap_yes_darkmode.gif
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes.gif
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes_darkmode.gif
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success_darkmode.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_dark_v2.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated_darkmode.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_v2.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_not_ready.png
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_1.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_dark_1.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_1.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_darkmode_1.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_1.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_darkmode_1.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_created.png
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device_darkmode.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_full_house.png
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_1.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_darkmode_1.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision_darkmode.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_1.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_darkmode_1.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_1.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_darkmode_1.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device_darkmode.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_stop.png
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/personalization_reminders.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/phone_number_sign_in_2x.png
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop_darkmode.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key.gif
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_ios_center.png
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_laptop.gif
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered.gif
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered_darkmode.gif
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_phone.gif
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_ios.gif
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_pulldown.gif
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_tapyes.gif
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/smart_lock_2x.png
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/usb_key.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/web_and_app_activity.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/who_will_be_using_this_device.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/you_tube_history.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available_dark.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/gmail_ios_authzen.gif
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/paaskey.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge_darkmode.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_darkmode.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device_darkmode.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_darkmode.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error_darkmode.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth_darkmode.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success_darkmode.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror_darkmode.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_dark.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_light.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/screenlock.png
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_ipad.gif
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone.gif
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_nfc.gif
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_usb.gif
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_phone.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_keys.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2_darkmode.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/loading_spinner_gm.gif
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/progress_spinner_color_20dp_4x.gif
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/success-gm-default_2x.png
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/apps/signup/resources/custom-email-address.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/images/hpp/shield_security_checkup_green_2x_web_96dp.png
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_dark_1.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_v1.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_dark_v1.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_v1.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_dark_v1.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_v1.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked_dark.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp_dark.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents_dark.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset_dark.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices_darkmode.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid_dark.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail_dark.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps_darkmode.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_confirmation.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore_dark.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro_darkmode.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18_darkmode.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms_dark.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings_darkmode.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search_darkmode.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18_darkmode.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18_darkmode.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18_darkmode.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_darkmode.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad_dark.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_0.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_dark_0.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization_darkmode.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation_darkmode.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error_darkmode.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork_darkmode.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro_darkmode.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results_darkmode.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search_darkmode.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications_dark.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_2.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_dark_2.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_2.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_dark_2.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_2.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_dark_2.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_2.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_dark_2.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_2.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_dark_3.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_1.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_dark_1.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_1.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_dark_1.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_2.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_dark_2.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_1.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_dark_1.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_2.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_dark_2.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_dark_v2.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_v2.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set_dark.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent_dark.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction_dark.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error_dark.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work_dark.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps_dark.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls_dark.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent_dark.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen_dark.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice_darkmode.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation_dark.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation_dark.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email_dark.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set_darkmode.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set_dark.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_dark.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_v2.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2_dark.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2_dark.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink_dark.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling_dark.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_dark_v2.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_v2.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2_dark.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup_dark.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2_dark.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2_dark.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2_dark.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help_dark.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space.png
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space_dark.png
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol_dark.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation_dark.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits_dark.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2_dark.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess.svg
Source: chromecache_87.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess_dark.svg
Source: chromecache_89.6.dr	String found in binary or memory: https://support.google.com/accounts?hl=
Source: chromecache_89.6.dr	String found in binary or memory: https://support.google.com/accounts?p=new-si-ui
Source: chromecache_89.6.dr	String found in binary or memory: https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072
Source: chromecache_87.6.dr	String found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
Source: chromecache_89.6.dr	String found in binary or memory: https://www.google.com
Source: chromecache_89.6.dr	String found in binary or memory: https://www.google.com/intl/
Source: chromecache_87.6.dr	String found in binary or memory: https://www.gstatic.com/accounts/speedbump/authzen_optin_illustration.gif
Source: chromecache_87.6.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/chrome_48dp.png
Source: chromecache_87.6.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/googleg_48dp.png
Source: chromecache_87.6.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/gsa_48dp.png
Source: chromecache_87.6.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/play_prism_48dp.png
Source: chromecache_87.6.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/youtube_48dp.png
Source: chromecache_89.6.dr	String found in binary or memory: https://www.gstatic.com/images/branding/productlogos/googleg/v6/36px.svg
Source: chromecache_89.6.dr	String found in binary or memory: https://www.youtube.com/t/terms?chromeless=1&hl=
Source: file.exe, 00000000.00000003.2099380343.00000000007D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: file.exe, 00000000.00000002.2129878455.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwddll
Source: chromecache_89.6.dr	String found in binary or memory: https://youtube.com/t/terms?gl=

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.6:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.6:49757 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0059EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0059EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0059ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0059ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0059EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0058AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0058AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005B9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_005B9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e8368bbd-b
Source: file.exe, 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_d0aa0fd1-4
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_17678812-8
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_739842fc-8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0058D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0058D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00581201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00581201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0058E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0058E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0052BF40	0_2_0052BF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00592046	0_2_00592046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00528060	0_2_00528060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00588298	0_2_00588298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0055E4FF	0_2_0055E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0055676B	0_2_0055676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005B4873	0_2_005B4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0052CAF0	0_2_0052CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0054CAA0	0_2_0054CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053CC39	0_2_0053CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00556DD9	0_2_00556DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053B119	0_2_0053B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005291C0	0_2_005291C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00541394	0_2_00541394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0054781B	0_2_0054781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053997D	0_2_0053997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00527920	0_2_00527920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00547A4A	0_2_00547A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00547CA7	0_2_00547CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005ABE44	0_2_005ABE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00559EEE	0_2_00559EEE

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00529CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00540A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0053F9F2 appears 40 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal68.troj.evad.winEXE@40/30@12/10

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005937B5 GetLastError,FormatMessageW,

0_2_005937B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005810BF AdjustTokenPrivileges,CloseHandle,		0_2_005810BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005816C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_005816C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005951CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_005951CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005AA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_005AA67C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0059648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0059648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005242A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_005242A2

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6024:120:WilError_03

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1920,i,15775063943699427180,18124123659380723990,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5428 --field-trial-handle=1920,i,15775063943699427180,18124123659380723990,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3244 --field-trial-handle=1920,i,15775063943699427180,18124123659380723990,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1920,i,15775063943699427180,18124123659380723990,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5428 --field-trial-handle=1920,i,15775063943699427180,18124123659380723990,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3244 --field-trial-handle=1920,i,15775063943699427180,18124123659380723990,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005242DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00540A76 push ecx; ret

0_2_00540A89

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0053F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005B1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_005B1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96003

Source: C:\Users\user\Desktop\file.exe

API coverage: 4.0 %

Source: C:\Users\user\Desktop\file.exe TID: 4412	Thread sleep count: 56 > 30			Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 4412	Thread sleep count: 66 > 30			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0058DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0058DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0055C2A2 FindFirstFileExW,	0_2_0055C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005968EE FindFirstFileW,FindClose,	0_2_005968EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0059698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0059698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0058D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0058D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0058D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0058D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00599642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00599642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0059979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0059979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00599B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00599B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00595C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00595C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005242DE

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\file.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_0-95316

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0059EAA2 BlockInput,

0_2_0059EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00552622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00552622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005242DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00544CE8 mov eax, dword ptr fs:[00000030h]

0_2_00544CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00580B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00580B62

Source: C:\Windows\SysWOW64\taskkill.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00552622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00552622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0054083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0054083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005409D5 SetUnhandledExceptionFilter,	0_2_005409D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00540C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00540C21

Source: C:\Users\user\Desktop\file.exe

0_2_00581201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00562BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00562BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0058B226 SendInput,keybd_event,

0_2_0058B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005A22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_005A22DA

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00580B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00581663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00581663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00540698 cpuid

0_2_00540698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00598195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00598195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0057D27A GetUserNameW,

0_2_0057D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0055B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0055B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005242DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 3468, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 3468, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005A1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_005A1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005A1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_005A1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Process Injection	2 Valid Accounts	LSA Secrets	22 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Virtualization/Sandbox Evasion	Cached Domain Credentials	21 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	11%	ReversingLabs
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://play.google/intl/	0%	URL Reputation	safe
https://families.google.com/intl/	0%	URL Reputation	safe
https://policies.google.com/technologies/location-data	0%	URL Reputation	safe
https://apis.google.com/js/api.js	0%	URL Reputation	safe
https://policies.google.com/privacy/google-partners	0%	URL Reputation	safe
https://policies.google.com/terms/service-specific	0%	URL Reputation	safe
https://g.co/recover	0%	URL Reputation	safe
https://policies.google.com/privacy/additional	0%	URL Reputation	safe
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	0%	URL Reputation	safe
https://policies.google.com/technologies/cookies	0%	URL Reputation	safe
https://policies.google.com/terms	0%	URL Reputation	safe
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	0%	URL Reputation	safe
https://support.google.com/accounts?hl=	0%	URL Reputation	safe
https://policies.google.com/terms/location	0%	URL Reputation	safe
https://policies.google.com/privacy	0%	URL Reputation	safe
https://support.google.com/accounts?p=new-si-ui	0%	URL Reputation	safe
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
youtube-ui.l.google.com	142.250.185.174	true	false	unknown
www3.l.google.com	216.58.206.78	true	false	unknown
play.google.com	172.217.18.110	true	false	unknown
www.google.com	142.250.184.228	true	false	unknown
youtube.com	142.250.181.238	true	false	unknown
accounts.youtube.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Reputation
https://play.google.com/log?format=json&hasfast=true&authuser=0	false	unknown
https://www.google.com/favicon.ico	false	unknown
https://play.google.com/log?hasfast=true&authuser=0&format=json	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google/intl/	chromecache_89.6.dr	false	URL Reputation: safe	unknown
https://families.google.com/intl/	chromecache_89.6.dr	false	URL Reputation: safe	unknown
https://youtube.com/t/terms?gl=	chromecache_89.6.dr	false		unknown
https://policies.google.com/technologies/location-data	chromecache_89.6.dr	false	URL Reputation: safe	unknown
https://www.google.com/intl/	chromecache_89.6.dr	false		unknown
https://apis.google.com/js/api.js	chromecache_87.6.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/google-partners	chromecache_89.6.dr	false	URL Reputation: safe	unknown
https://play.google.com/work/enroll?identifier=	chromecache_89.6.dr	false		unknown
https://policies.google.com/terms/service-specific	chromecache_89.6.dr	false	URL Reputation: safe	unknown
https://g.co/recover	chromecache_89.6.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/additional	chromecache_89.6.dr	false	URL Reputation: safe	unknown
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	chromecache_89.6.dr	false	URL Reputation: safe	unknown
https://policies.google.com/technologies/cookies	chromecache_89.6.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms	chromecache_89.6.dr	false	URL Reputation: safe	unknown
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	chromecache_87.6.dr	false	URL Reputation: safe	unknown
https://www.google.com	chromecache_89.6.dr	false		unknown
https://play.google.com/log?format=json&hasfast=true	chromecache_89.6.dr	false		unknown
https://www.youtube.com/t/terms?chromeless=1&hl=	chromecache_89.6.dr	false		unknown
https://support.google.com/accounts?hl=	chromecache_89.6.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms/location	chromecache_89.6.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy	chromecache_89.6.dr	false	URL Reputation: safe	unknown
https://support.google.com/accounts?p=new-si-ui	chromecache_89.6.dr	false	URL Reputation: safe	unknown
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	chromecache_89.6.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
216.58.206.78	www3.l.google.com	United States	15169	GOOGLEUS	false
142.250.181.238	youtube.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.185.174	youtube-ui.l.google.com	United States	15169	GOOGLEUS	false
142.250.184.228	www.google.com	United States	15169	GOOGLEUS	false
172.217.18.110	play.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.6
192.168.2.13
192.168.2.23
192.168.2.14

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1524374
Start date and time:	2024-10-02 18:21:29 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal68.troj.evad.winEXE@40/30@12/10
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 44 Number of non-executed functions: 313
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.186.99, 172.217.18.14, 74.125.206.84, 34.104.35.123, 172.217.18.106, 172.217.18.10, 142.250.186.42, 142.250.74.202, 172.217.23.106, 172.217.16.202, 142.250.186.138, 142.250.185.138, 142.250.185.74, 142.250.185.106, 142.250.186.74, 216.58.206.42, 142.250.186.106, 216.58.206.74, 216.58.212.138, 172.217.16.138, 142.250.185.163, 142.250.186.170, 142.250.181.234, 216.58.212.170, 93.184.221.240, 192.229.221.95, 74.125.133.84, 172.217.23.110
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, slscr.update.microsoft.com, fonts.gstatic.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com, www.gstatic.com, optimizationguide-pa.googleapis.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	27987136e29b3032ad40982c8b7c2e168112c9601e08da806119dcba615524b5.html	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	https://tqaun.us12.list-manage.com/track/click?u=fb0a5f04fa3c936488ff652c3&id=d22699c399&e=ce0a629e2e	Get hash	malicious	HTMLPhisher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	http://view.flodesk.com/emails/66fd2053af85c99dd55d1461	Get hash	malicious	Unknown	Browse

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	27987136e29b3032ad40982c8b7c2e168112c9601e08da806119dcba615524b5.html	Get hash	malicious	Unknown	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	New_Statement-8723107.js	Get hash	malicious	Unknown	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	New_Statement-8723107.js	Get hash	malicious	Unknown	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	https://tqaun.us12.list-manage.com/track/click?u=fb0a5f04fa3c936488ff652c3&id=d22699c399&e=ce0a629e2e	Get hash	malicious	HTMLPhisher	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	84
Entropy (8bit):	4.875266466142591
Encrypted:	false
SSDEEP:	3:DZFJu0+WVTBCq2Bjdw2KsJJuYHSKnZ:lFJuuVTBudw29nu4SKZ
MD5:	87B6333E98B7620EA1FF98D1A837A39E
SHA1:	105DE6815B0885357DE1414BFC0D77FCC9E924EF
SHA-256:	DCD3C133C5C40BECD4100BBE6EDAE84C9735E778E4234A5E8395C56FF8A733BA
SHA-512:	867D7943D813685FAA76394E53199750C55817E836FD19C933F74D11E9657CE66719A6D6B2E39EE1DE62358BCE364E38A55F4E138DF92337DE6985DDCD5D0994
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xMzQSHgmA6QC9dWevzxIFDRkBE_oSBQ3oIX6GEgUN05ioBw==?alt=proto
Preview:	Cj0KBw0ZARP6GgAKKQ3oIX6GGgQISxgCKhwIClIYCg5AIS4jJF8qLSY/Ky8lLBABGP////8PCgcN05ioBxoA

Chrome Cache Entry: 101

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (468)
Category:	downloaded
Size (bytes):	1858
Entropy (8bit):	5.298162049824456
Encrypted:	false
SSDEEP:	48:o7vGoolL3ALFKphnpiu7xOKAcfO/3d/rYh4vZorw:o/QLUFUL4KA+2y0Mw
MD5:	CE055F881BDAB4EF6C1C8AA4B3890348
SHA1:	2671741A70E9F5B608F690AAEEA4972003747654
SHA-256:	9B91C23691D6032CDFE28863E369624B2EDB033E1487A1D1BB0977E3590E5462
SHA-512:	8A22250628985C2E570E6FBADFC0D5CB6753F0735130F9E74962A409476C2859C5C81F8A0F5C427A9F13ED399C8E251FA43FF67AD5F16860640D45E7A538E857
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFteMt5kl2HRMM5sgqzMrw2LMDjOg/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=iAskyc,ziXSP"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("iAskyc");._.QZ=function(a){_.W.call(this,a.Fa);this.window=a.Ea.window.get();this.Nc=a.Ea.Nc};_.J(_.QZ,_.W);_.QZ.Ba=function(){return{Ea:{window:_.qu,Nc:_.DE}}};_.QZ.prototype.Po=function(){};_.QZ.prototype.addEncryptionRecoveryMethod=function(){};_.RZ=function(a){return(a==null?void 0:a.Jo)\|\|function(){}};_.SZ=function(a){return(a==null?void 0:a.m3)\|\|function(){}};_.GPb=function(a){return(a==null?void 0:a.Op)\|\|function(){}};._.HPb=function(a){return new Map(Array.from(a,function(b){var c=_.n(b);b=c.next().value;c=c.next().value;return[b,c.map(function(d){return{epoch:d.epoch,key:new Uint8Array(d.key)}})]}))};_.IPb=function(a){setTimeout(function(){throw a;},0)};_.QZ.prototype.kO=function(){return!0};_.nu(_.An,_.QZ);._.l();._.k("ziXSP");.var j_=function(a){_.QZ.call(this,a.Fa)};_.J(j_,_.QZ);j_.Ba=_.QZ.Ba;j_.prototype.Po=function(a,b,c){var d;if((d=this.window.chrome)==nu

Chrome Cache Entry: 87

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (553)
Category:	downloaded
Size (bytes):	744362
Entropy (8bit):	5.7913337944729175
Encrypted:	false
SSDEEP:	6144:HVXWBQkPdzg5pTX1ROv/duPzd8C3s891/Q:gfd8j91/Q
MD5:	C6E31A4B08FC2DF9191AA47785B3FB31
SHA1:	5094D16F35D927EBE73D715F95E199BB2112BFA6
SHA-256:	67CA532191F69C2FF20D2A015493D6A4AB7ADC9C584A86F1E10E272FD72100E9
SHA-512:	6C6E78717D44F86CA4FBCA84534810D6432913D9D61BC13FE010D03775F6FE5C4705B4D1965641C858DE68DBA7D1B306CE12FF62E4C38995C1EE3EA0541F9565
Malicious:	false
Reputation:	low
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/am=xIFgKBi2EQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/excm=_b,_tp,identifierview/ed=1/dg=0/wt=2/ujg=1/rs=AOaEmlHMmP29tNFN_V7bhU8rapgP9PTgBw/m=_b,_tp"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._._F_toggles_initialize=function(a){(typeof globalThis!=="undefined"?globalThis:typeof self!=="undefined"?self:this)._F_toggles=a\|\|[]};(0,_._F_toggles_initialize)([0x286081c4, 0x2046d860, 0x39e1fc40, 0x14501e80, 0xe420, 0x0, 0x1a000000, 0x1d000003, 0xc, ]);./.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0././.. Copyright Google LLC. SPDX-License-Identifier: Apache-2.0././.. Copyright 2024 Google, Inc. SPDX-License-Identifier: MIT././. SPDX-License-Identifier: Apache-2.0././. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0./.var baa,daa,Ma,Sa,gaa,iaa,jb,qaa,waa,Caa,Haa,Kaa,Jb,Laa,Ob,Qb,Rb,Maa,Naa,Sb,Oaa,Paa,Qaa,Yb,Vaa,Xaa,ec,fc,gc,bba,cba,gba,jba,lba,mba,qba,tba,nba,sba,rba,pba,oba,uba,yba,Cba,Dba,Aba,Hc,Ic,Gba,Iba,Mba,Nba,Oba,Pba,Lba,Qba,Sba,dd,Uba,Vba,Xba,Zba,Yba,aca,bca,cca,dca,fca,eca,hca,ica,jca,kca,nca,

Chrome Cache Entry: 88

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (533)
Category:	downloaded
Size (bytes):	9210
Entropy (8bit):	5.404371326611379
Encrypted:	false
SSDEEP:	192:EEFZpeip4HzZlY0If0Ma23jcUcrhCx6VD1TYPi8:Es/p4jgjUhtD1TY68
MD5:	21E893B65627B397E22619A9F5BB9662
SHA1:	F561B0F66211C1E7B22F94B4935C312AB7087E85
SHA-256:	FFA9B8BC8EF2CDFF5EB4BA1A0BA1710A253A5B42535E2A369D5026967DCF4673
SHA-512:	3DE3CD6A4E9B06AB3EB324E90A40B5F2AEEA8D7D6A2651C310E993CF79EEB5AC6E2E33C587F46B2DD20CC862354FD1A61AEBB9B990E6805F6629404BA285F8FA
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PrPYRd,Rkm0ef,SCuOPb,STuCOe,SpsfSb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,byfTOb,cYShmd,eVCnO,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,qPfo0c,qmdT9,rCcCxc,siKnQd,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFteMt5kl2HRMM5sgqzMrw2LMDjOg/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ltDFwf,SD8Jgb,rmumx,E87wgc,qPYxq,Tbb4sb,pxq3x,f8Gu1e,soHxf,YgOFye,yRXbo,bTi8wc,ywOR5c,PHUIyb"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.qNa=_.y("SD8Jgb",[]);._.GX=function(a,b){if(typeof b==="string")a.Lc(b);else if(b instanceof _.Fp&&b.ia&&b.ia===_.A)b=_.Ya(b.Lw()),a.empty().append(b);else if(b instanceof _.Ua)b=_.Ya(b),a.empty().append(b);else if(b instanceof Node)a.empty().append(b);else throw Error("Vf");};_.HX=function(a){var b=_.Io(a,"[jsslot]");if(b.size()>0)return b;b=new _.Go([_.Kk("span")]);_.Jo(b,"jsslot","");a.empty().append(b);return b};_.NLb=function(a){return a===null\|\|typeof a==="string"&&_.Hi(a)};._.k("SD8Jgb");._.MX=function(a){_.X.call(this,a.Fa);this.Ua=a.controller.Ua;this.od=a.controllers.od[0]\|\|null;this.header=a.controller.header;this.nav=a.controller.nav;var b;(b=this.oa().find("button:not([type])").el())==null\|\|b.setAttribute("type","button")};_.J(_.MX,_.X);_.MX.Ba=function(){return{controller:{Ua:{jsname:"n7vHCb",ctor:_.mv},header:{jsname:"tJHJj",ctor:_.mv},nav:{jsname:"DH6Rkf",ct

Chrome Cache Entry: 89

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (5693)
Category:	downloaded
Size (bytes):	698791
Entropy (8bit):	5.595243292922648
Encrypted:	false
SSDEEP:	6144:TJvaKtQfcxene0F2HhPM8RGYcBlKmd5r6XIQqS7SlncOpYMSrBg5X3O4mAEFD7:TJyKtkIct842IQqHJ09
MD5:	7A4AEFC2F596D19F522738DB34C5A680
SHA1:	7F6E9BE8B3C1450075365A31FF6E4B49F1D35BA7
SHA-256:	61D7FF7565945545C0D823CCFC5DB5D09C8714FBF8AD77994F389F08289124B2
SHA-512:	7D80188B002DB3ED7360B9B236DE435F2008345ECEC00FDE39412BE39DE5C08FD80CBD2D7370D0DBB98F4BCCA0CEF147AD9E7935AC2894DB55D81C1B32EB647E
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=LEikZe,_b,_tp,byfTOb,lsjVmc/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFteMt5kl2HRMM5sgqzMrw2LMDjOg/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=n73qwf,SCuOPb,IZT63,vfuNJf,UUJqVe,ws9Tlc,siKnQd,XVq9Qb,STuCOe,njlZCf,m9oV,vjKJJ,y5vRwf,iyZMqd,NTMZac,mzzZzc,rCcCxc,vvMGie,K1ZKnb,ziZ8Mc,b3kMqb,mvkUhe,CMcBD,Fndnac,t2srLd,EN3i8d,z0u0L,xiZRqc,NOeYWe,O6y8ed,L9OGUe,PrPYRd,MpJwZc,qPfo0c,cYShmd,hc6Ubd,Rkm0ef,KUM7Z,oLggrd,inNHtf,L1AAkb,WpP9Yc,lwddkf,gJzDyc,SpsfSb,aC1iue,tUnxGc,aW3pY,ZakeSe,EFQ78c,xQtZb,I6YDgd,zbML3c,zr1jrb,vHEMJe,YHI3We,YTxL4,bSspM,Uas9Hd,zy0vNb,K0PMbc,AvtSve,qmdT9,MY7mZe,xBaz7b,GwYlN,eVCnO,EIOG1e,LDQI"
Preview:	"use strict";_F_installCss(".r4WGQb{position:relative}.Dl08I>:first-child{margin-top:0}.Dl08I>:last-child{margin-bottom:0}.IzwVE{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-family:\"Google Sans\",roboto,\"Noto Sans Myanmar UI\",arial,sans-serif;font-size:1.25rem;font-weight:400;letter-spacing:0rem;line-height:1.2}.l5PPKe{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-size:1rem}.l5PPKe .dMNVAe{margin:0;padding:0}.l5PPKe>:first-child{margin-top:0;padding-top:0}.l5PPKe>:last-child{margin-bottom:0;padding-bottom:0}.Dl08I{margin:0;padding:0;position:relative}.Dl08I>.SmR8:only-child{padding-top:1px}.Dl08I>.SmR8:only-child::before{top:0}.Dl08I>.SmR8:not(first-child){padding-bottom:1px}.Dl08I>.SmR8::after{bottom:0}.Dl08I>.SmR8:only-child::before,.Dl08I>.SmR8::after{border-bottom:1px solid #c4c7c5;border-bottom:1px solid var(--gm3-sys-color-outline-variant,#c4c7c5);content:\"\";height:0;left:0;position:absolute;width:100%}.aZvCDf{margin-top:8px;margin-left

Chrome Cache Entry: 90

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (2907)
Category:	downloaded
Size (bytes):	22833
Entropy (8bit):	5.425034548615223
Encrypted:	false
SSDEEP:	384:7lFo6ZEdpgtmyiPixV9OX9gMBpHkHnfst9lZulagGcwYHiRFjJzN7:77o6ZviPixV8xpEHn89l4IgGcwYCRtb7
MD5:	749B18538FE32BFE0815D75F899F5B21
SHA1:	AF95A019211AF69F752A43CAA54A83C2AFD41D28
SHA-256:	116B2687C1D5E00DB56A79894AB0C12D4E2E000B9379B7E7AD751B84DF611F3F
SHA-512:	E4B6F4556AA0FD9979BB52681508F5E26FFB256473803F74F7F5C8D93FA3636D7D0A5835618FBC6123022805CE0D9616A7451A0F302C665E28A6090B5D588505
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFteMt5kl2HRMM5sgqzMrw2LMDjOg/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=RqjULd"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.uu.prototype.da=_.ca(40,function(){return _.rj(this,3)});_.$y=function(a,b){this.key=a;this.defaultValue=!1;this.flagName=b};_.$y.prototype.ctor=function(a){return typeof a==="boolean"?a:this.defaultValue};_.az=function(){this.ka=!0;var a=_.vj(_.dk(_.Be("TSDtV",window),_.zya),_.uu,1,_.qj())[0];if(a){var b={};for(var c=_.n(_.vj(a,_.Aya,2,_.qj())),d=c.next();!d.done;d=c.next()){d=d.value;var e=_.Jj(d,1).toString();switch(_.tj(d,_.vu)){case 3:b[e]=_.Hj(d,_.lj(d,_.vu,3));break;case 2:b[e]=_.Jj(d,_.lj(d,_.vu,2));break;case 4:b[e]=_.Kj(d,_.lj(d,_.vu,4));break;case 5:b[e]=_.Lj(d,_.lj(d,_.vu,5));break;case 6:b[e]=_.Pj(d,_.ff,6,_.vu);break;default:throw Error("jd`"+_.tj(d,_.vu));}}}else b={};this.ea=b;this.token=.a?a.da():null};_.az.prototype.aa=function(a){if(!this.ka\|\|a.key in this.ea)a=a.ctor(this.ea[a.key]);else if(_.Be("nQyAE",window)){var b=_.Cya(a.flagName);if(b===null)a=a.de

Chrome Cache Entry: 91

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (681)
Category:	downloaded
Size (bytes):	4067
Entropy (8bit):	5.363457972758152
Encrypted:	false
SSDEEP:	96:G2CiFZX5BReR68ujioIRVrqtyzBeTV6SfyAKLif9cLw:bCMZXVeR6jiosVrqtyzBaImyAKw9z
MD5:	B027BF10F968F37628EB698B2CF46D8E
SHA1:	0C9801E4FF3BE18102E6E22246B4262FCC6CE011
SHA-256:	98608C8414932B6F029948A323B1236EFB96861306FD1EDEB6CE47E180392B47
SHA-512:	3B1E5A3B247273F025EACF389F98BC139F8453ECEC7A2EC762A4E3279F220B7BED2CB23CD5630E92ED03187C514956DF814E9450FFAA10BFE312633B445DBEF1
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFteMt5kl2HRMM5sgqzMrw2LMDjOg/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=sOXFj,q0xTif,ZZ4WUe"
Preview:	"use strict";_F_installCss(".N7rBcd{overflow-x:auto}sentinel{}");.this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.vg(_.aqa);._.k("sOXFj");.var tu=function(a){_.W.call(this,a.Fa)};_.J(tu,_.W);tu.Ba=_.W.Ba;tu.prototype.aa=function(a){return a()};_.nu(_.$pa,tu);._.l();._.k("oGtAuc");._.yya=new _.pf(_.aqa);._.l();._.k("q0xTif");.var sza=function(a){var b=function(d){_.Sn(d)&&(_.Sn(d).Jc=null,_.Du(d,null));d.XyHi9&&(d.XyHi9=null)};b(a);a=a.querySelectorAll("[c-wiz]");for(var c=0;c<a.length;c++)b(a[c])},Pu=function(a){_.kt.call(this,a.Fa);this.Qa=this.dom=null;if(this.kl()){var b=_.zm(this.Ug(),[_.Em,_.Dm]);b=_.ni([b[_.Em],b[_.Dm]]).then(function(c){this.Qa=c[0];this.dom=c[1]},null,this);_.hu(this,b)}this.Ra=a.lm.zea};_.J(Pu,_.kt);Pu.Ba=function(){return{lm:{zea:function(a){return _.Ue(a)}}}};Pu.prototype.zp=function(a){return this.Ra.zp(a)};.Pu.prototype.getData=function(a){return this.Ra.getData(a)};Pu.prototype.qo=function(){_.Kt(this.d

Chrome Cache Entry: 92

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	downloaded
Size (bytes):	5430
Entropy (8bit):	3.6534652184263736
Encrypted:	false
SSDEEP:	48:wIJct3xIAxG/7nvWDtZcdYLtX7B6QXL3aqG8Q:wIJct+A47v+rcqlBPG9B
MD5:	F3418A443E7D841097C714D69EC4BCB8
SHA1:	49263695F6B0CDD72F45CF1B775E660FDC36C606
SHA-256:	6DA5620880159634213E197FAFCA1DDE0272153BE3E4590818533FAB8D040770
SHA-512:	82D017C4B7EC8E0C46E8B75DA0CA6A52FD8BCE7FCF4E556CBDF16B49FC81BE9953FE7E25A05F63ECD41C7272E8BB0A9FD9AEDF0AC06CB6032330B096B3702563
Malicious:	false
URL:	https://www.google.com/favicon.ico
Preview:	............ .h...&... .... .........(....... ..... ............................................0...................................................................................................................................v.].X.:.X.:.r.Y........................................q.X.S.4.S.4.S.4.S.4.S.4.S.4...X....................0........q.W.S.4.X.:.................J...A...g.........................K.H.V.8..........................F..B.....................,.......................................B..............................................B..B..B..B..B...u..........................................B..B..B..B..B...{.................5.......k...........................................................7R..8F.................................................2........Vb..5C..;I..................R^.....................0................Xc..5C..5C..5C..5C..5C..5C..lv..........................................]i..<J..:G..Zf....................................................

Chrome Cache Entry: 93

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (683)
Category:	downloaded
Size (bytes):	3131
Entropy (8bit):	5.355381206612617
Encrypted:	false
SSDEEP:	48:o7FEEM3MtH15jNQ8jsK3rnw0dkckTrKEp/OqLE9xz0W5Bzv3M6hIHYA+JITbwrF8:oq675jOArwoAmI/DLaxNPL5m+m6w
MD5:	E2A7251AD83A0D0634FEA2703D10ED07
SHA1:	90D72011F31FC40D3DA3748F2817F90A29EB5C01
SHA-256:	1079B49C4AAF5C10E4F2E6A086623F40D200A71FF2A1F64E88AA6C91E4BE7A6F
SHA-512:	CD6D75580EA8BD97CF7C7C0E0BD9D9A54FB6EA7DF1DDB5A95E94D38B260F9EE1425C640839ECD229B8D01E145CF2786CA374D31EC537EB8FE17FF415D5B985F5
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFteMt5kl2HRMM5sgqzMrw2LMDjOg/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ZwDk9d,RMhBfe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("ZwDk9d");.var gA=function(a){_.W.call(this,a.Fa)};_.J(gA,_.W);gA.Ba=_.W.Ba;gA.prototype.eS=function(a){return _.Xe(this,{Xa:{gT:_.ll}}).then(function(b){var c=window._wjdd,d=window._wjdc;return!c&&d?new _.li(function(e){window._wjdc=function(f){d(f);e(ZJa(f,b,a))}}):ZJa(c,b,a)})};var ZJa=function(a,b,c){return(a=a&&a[c])?a:b.Xa.gT.eS(c)};.gA.prototype.aa=function(a,b){var c=_.Zra(b).Rj;if(c.startsWith("$")){var d=_.gm.get(a);_.uq[b]&&(d\|\|(d={},_.gm.set(a,d)),d[c]=_.uq[b],delete _.uq[b],_.vq--);if(d)if(a=d[c])b=_.af(a);else throw Error("Jb`"+b);else b=null}else b=null;return b};_.nu(_.Lfa,gA);._.l();._.k("SNUn3");._.YJa=new _.pf(_.wg);._.l();._.k("RMhBfe");.var $Ja=function(a){var b=_.tq(a);return b?new _.li(function(c,d){var e=function(){b=_.tq(a);var f=_.Sfa(a,b);f?c(f.getAttribute("jsdata")):window.document.readyState=="complete"?(f=["Unable to find deferred jsdata wit

Chrome Cache Entry: 94

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (395)
Category:	downloaded
Size (bytes):	1608
Entropy (8bit):	5.257113147606035
Encrypted:	false
SSDEEP:	48:o72ZrNZ4yNAbU+15fMxIdf5WENoBCbw7DbG2bEJrw:oyNNAY+1i4HoBNG2Ilw
MD5:	F06E2DC5CC446B39F878B5F8E4D78418
SHA1:	9F1F34FDD8F8DAB942A9B95D9F720587B6F6AD48
SHA-256:	118E4D2FE7CEF205F9AFC87636554C6D8220882B158333EE3D1990282D158B8F
SHA-512:	893C4F883CD1C88C6AAF5A6E7F232D62823A53E1FFDE5C1C52BB066D75781DD041F4D281CDBF18070D921CE862652D8863E2B9D5E0190CFA4128890D62C44168
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFteMt5kl2HRMM5sgqzMrw2LMDjOg/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=w9hDv,ZDZcre,A7fCU"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("w9hDv");._.vg(_.Hla);_.eA=function(a){_.W.call(this,a.Fa);this.aa=a.Xa.cache};_.J(_.eA,_.W);_.eA.Ba=function(){return{Xa:{cache:_.dt}}};_.eA.prototype.execute=function(a){_.Bb(a,function(b){var c;_.$e(b)&&(c=b.eb.kc(b.kb));c&&this.aa.xG(c)},this);return{}};_.nu(_.Nla,_.eA);._.l();._.k("ZDZcre");.var fH=function(a){_.W.call(this,a.Fa);this.Wl=a.Ea.Wl;this.d4=a.Ea.metadata;this.aa=a.Ea.ot};_.J(fH,_.W);fH.Ba=function(){return{Ea:{Wl:_.KG,metadata:_.VZa,ot:_.HG}}};fH.prototype.execute=function(a){var b=this;a=this.aa.create(a);return _.Bb(a,function(c){var d=b.d4.getType(c.Od())===2?b.Wl.Rb(c):b.Wl.fetch(c);return _.yl(c,_.LG)?d.then(function(e){return _.Dd(e)}):d},this)};_.nu(_.Sla,fH);._.l();._.k("K5nYTd");._.UZa=new _.pf(_.Ola);._.l();._.k("sP4Vbe");.._.l();._.k("kMFpHd");.._.l();._.k("A7fCU");.var NG=function(a){_.W.call(this,a.Fa);this.aa=a.Ea.tQ};_.J(NG,_.W);NG.Ba=func

Chrome Cache Entry: 95

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 52280, version 1.0
Category:	downloaded
Size (bytes):	52280
Entropy (8bit):	7.995413196679271
Encrypted:	true
SSDEEP:	1536:1rvqtK8DZilXxwJ8mMwAZy7phqsFLdG3B4d:xytBZits8bw4wzbFxG3B4d
MD5:	F61F0D4D0F968D5BBA39A84C76277E1A
SHA1:	AA3693EA140ECA418B4B2A30F6A68F6F43B4BEB2
SHA-256:	57147F08949ABABE7DEEF611435AE418475A693E3823769A25C2A39B6EAD9CCC
SHA-512:	6C3BD90F709BCF9151C9ED9FFEA55C4F6883E7FDA2A4E26BF018C83FE1CFBE4F4AA0DB080D6D024070D53B2257472C399C8AC44EEFD38B9445640EFA85D5C487
Malicious:	false
URL:	https://fonts.gstatic.com/s/googlesans/v58/4UaRrENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iq2vgCI.woff2
Preview:	wOF2.......8.....................................^...$..4?HVAR..?MVAR9.`?STAT.',..J/.......`..(..Z.0..R.6.$.... .....K..[..q..c..T.....>.P.j.`.w..#...%......N.".....$..3.0.6......... .L.rX/r[j.y.\|(.4.%#.....2.v.m..-..%.....;-.Y.{..&..O=#l@...k..7g..ZI...#.Z./+T..r7...M..3).Z%.x....s..sL..[A!.51w'/.8V..2Z..%.X.h.o.).]..9..Q`.$.....7..kZ.~O........d..g.n.d.Rw+&....Cz..uy#..fz,(.J....v.%..`..9.....h...?O..:...c%.....6s....xl..#...5..._......1.>.)"U.4 W....?%......6//!$...!.n9C@n...........!""^.....W..Z<.7.x.."UT.T....E.."R>.R..t.....H d..e_.K../.+8.Q.P.ZQ....;...U....]......._.e......71.?.7.ORv.?...l...G\|.P...\|:...I.X..2.,.L........d.g.]}W#uW]QnuP-s.;.-Y.....].......C..j_.M0...y.......J..........NY..@A...,....-.F......'..w./j5g.vUS...U..0.&...y7.LP.....%.....Y......Y..D. e.A..G.?.$.......6...eaK.n5.m...N...,...+BCl..L> .E9~.b[.w.x....6<...}.e...%V....O.......*.?...a..#[eE.4..p..$...].....%......o._......N.._~..El....b..A.0.r8.....\|..D.d..

Chrome Cache Entry: 96

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (1694)
Category:	downloaded
Size (bytes):	32500
Entropy (8bit):	5.378903546681047
Encrypted:	false
SSDEEP:	768:zYlbuROstb0e39nKGrkysU0smpu4OLOdzIf1p/5GeSsngurz6aKEEEGo/:zYl61Cysbu4OLOdzIfrIen72ZFo/
MD5:	BF4BF9728A7C302FBA5B14F3D0F1878B
SHA1:	2607CA7A93710D629400077FF3602CB207E6F53D
SHA-256:	8981E7B228DF7D6A8797C0CD1E9B0F1F88337D5F0E1C27A04E7A57D2C4309798
SHA-512:	AC9E170FC3AFDC0CF6BB8E926B93EF129A5FAD1BBA51B60BABCF3555E9B652E98F86A00FB099879DED35DD3FFE72ECFA597E20E6CA8CF402BEDEC40F78412EDA
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=_b,_tp/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFteMt5kl2HRMM5sgqzMrw2LMDjOg/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=byfTOb,lsjVmc,LEikZe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{.var Aua=function(a,b){this.da=a;this.ea=b;if(!c){var c=new _.ap("//www.google.com/images/cleardot.gif");_.op(c)}this.ka=c};_.h=Aua.prototype;_.h.Zc=null;_.h.lZ=1E4;_.h.bA=!1;_.h.nQ=0;_.h.zJ=null;_.h.bV=null;_.h.setTimeout=function(a){this.lZ=a};_.h.start=function(){if(this.bA)throw Error("dc");this.bA=!0;this.nQ=0;Bua(this)};_.h.stop=function(){Cua(this);this.bA=!1};.var Bua=function(a){a.nQ++;navigator!==null&&"onLine"in navigator&&!navigator.onLine?_.km((0,_.bg)(a.aH,a,!1),0):(a.aa=new Image,a.aa.onload=(0,_.bg)(a.Fja,a),a.aa.onerror=(0,_.bg)(a.Eja,a),a.aa.onabort=(0,_.bg)(a.Dja,a),a.zJ=_.km(a.Gja,a.lZ,a),a.aa.src=String(a.ka))};_.h=Aua.prototype;_.h.Fja=function(){this.aH(!0)};_.h.Eja=function(){this.aH(!1)};_.h.Dja=function(){this.aH(!1)};_.h.Gja=function(){this.aH(!1)};._.h.aH=function(a){Cua(this);a?(this.bA=!1,this.da.call(this.ea,!0)):this.nQ<=0?Bua(this):(this.bA=!1,

Chrome Cache Entry: 97

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (755)
Category:	downloaded
Size (bytes):	1460
Entropy (8bit):	5.291808298251231
Encrypted:	false
SSDEEP:	24:kMYD7DuZvuhqCsNRxoYTY9/qoVk7hz1l2p6vDMW94uEQOeGbCx4VGbgCSFBV87OU:o7DuZWhv6oy12kvwKEeGbC6GbHSh/Hrw
MD5:	4CA7ADFE744A690411EA4D3EA8DB9E4B
SHA1:	2CF1777A199E25378D330DA68BED1871B5C5BC32
SHA-256:	128129BA736B3094323499B0498A5B3A909C1529717461C34B70080A5B1603BD
SHA-512:	8BD3477AF41D1F0FE74AFFCB177BEC0F5F4FDCBBA6BD29D9C2567E6FFDEF5DEB7FF74BF348F33209C39D7BB4958E748DF6731D3DC8F6947352276BC92EAF9E79
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFteMt5kl2HRMM5sgqzMrw2LMDjOg/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=P6sQOc"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("lOO0Vd");._.VZa=new _.pf(_.Am);._.l();._.k("P6sQOc");.var $Za=!!(_.Kh[1]&16);var b_a=function(a,b,c,d,e){this.ea=a;this.wa=b;this.ka=c;this.Ca=d;this.Ga=e;this.aa=0;this.da=a_a(this)},c_a=function(a){var b={};_.La(a.yS(),function(e){b[e]=!0});var c=a.pS(),d=a.tS();return new b_a(a.qP(),c.aa()1E3,a.WR(),d.aa()1E3,b)},a_a=function(a){return Math.random()Math.min(a.waMath.pow(a.ka,a.aa),a.Ca)},OG=function(a,b){return a.aa>=a.ea?!1:b!=null?!!a.Ga[b]:!0};var PG=function(a){_.W.call(this,a.Fa);this.da=a.Ea.EV;this.ea=a.Ea.metadata;a=a.Ea.Xga;this.fetch=a.fetch.bind(a)};_.J(PG,_.W);PG.Ba=function(){return{Ea:{EV:_.YZa,metadata:_.VZa,Xga:_.OZa}}};PG.prototype.aa=function(a,b){if(this.ea.getType(a.Od())!==1)return _.Sm(a);var c=this.da.eV;return(c=c?c_a(c):null)&&OG(c)?_.wya(a,d_a(this,a,b,c)):_.Sm(a)};.var d_a=function(a,b,c,d){return c.then(function(e){return e},function(e)

Chrome Cache Entry: 98

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (570)
Category:	downloaded
Size (bytes):	3467
Entropy (8bit):	5.514745431912774
Encrypted:	false
SSDEEP:	96:ozbld2fNUmeqJNizhNtt1W8t//loyIpXmdVE2w:onSKE8PWe/Cy4X3j
MD5:	8DEF399E8355ABC23E64505281005099
SHA1:	24FF74C3AEFD7696D84FF148465DF4B1B60B1696
SHA-256:	F128D7218E1286B05DF11310AD3C8F4CF781402698E45448850D2A3A22F5F185
SHA-512:	33721DD47658D8E12ADF6BD9E9316EB89F5B6297927F7FD60F954E04B829DCBF0E1AE6DDD9A3401F45E0011AE4B1397B960C218238A3D0F633A2173D8E604082
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,wg1P6b,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFteMt5kl2HRMM5sgqzMrw2LMDjOg/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=Wt6vjf,hhhU8,FCpbqb,WhJNk"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("Wt6vjf");.var cya=function(){var a=_.He();return _.Lj(a,1)},Yt=function(a){this.Da=_.t(a,0,Yt.messageId)};_.J(Yt,_.w);Yt.prototype.Ha=function(){return _.Dj(this,1)};Yt.prototype.Va=function(a){return _.Vj(this,1,a)};Yt.messageId="f.bo";var Zt=function(){_.hm.call(this)};_.J(Zt,_.hm);Zt.prototype.xd=function(){this.CT=!1;dya(this);_.hm.prototype.xd.call(this)};Zt.prototype.aa=function(){eya(this);if(this.wC)return fya(this),!1;if(!this.KV)return $t(this),!0;this.dispatchEvent("p");if(!this.zP)return $t(this),!0;this.wM?(this.dispatchEvent("r"),$t(this)):fya(this);return!1};.var gya=function(a){var b=new _.ap(a.W4);a.qQ!=null&&_.Jn(b,"authuser",a.qQ);return b},fya=function(a){a.wC=!0;var b=gya(a),c="rt=r&f_uid="+_.pk(a.zP);_.cn(b,(0,_.bg)(a.ea,a),"POST",c)};.Zt.prototype.ea=function(a){a=a.target;eya(this);if(_.fn(a)){this.cK=0;if(this.wM)this.wC=!1,this.dispatchEvent("r"

Chrome Cache Entry: 99

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (522)
Category:	downloaded
Size (bytes):	5050
Entropy (8bit):	5.289052544075544
Encrypted:	false
SSDEEP:	96:o4We0hP7OBFXYvB1sig3Fd8HkaXzLmUrv8Vh1WJlLQXT2v2gqw:655758Fd8HkaPZ0GmAD
MD5:	26E26FD11772DFF5C7004BEA334289CC
SHA1:	638DAAF541BDE31E95AEE4F8ADA677434D7051DB
SHA-256:	ADFE3E4960982F5EF4C043052A9990D8683C5FC2B590E817B6B1A5774DDE2CE3
SHA-512:	C31929EB6D1C60D6A84A2574FF60490394A6D6F9B354972F3328952F570D80B3F2AEC916B0E1B66DDB1AC056EB75BFAC477E7AF631D0AD1810EDBAF025465D66
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFteMt5kl2HRMM5sgqzMrw2LMDjOg/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=wg1P6b"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.jNa=_.y("wg1P6b",[_.TA,_.Cn,_.Kn]);._.k("wg1P6b");.var Z5a;Z5a=_.mh(["aria-"]);._.uJ=function(a){_.X.call(this,a.Fa);this.Ka=this.wa=this.aa=this.viewportElement=this.Na=null;this.Hc=a.Ea.ff;this.ab=a.Ea.focus;this.Fc=a.Ea.Fc;this.ea=this.Pi();a=-1*parseInt(_.Co(this.Pi().el(),"marginTop")\|\|"0",10);var b=parseInt(_.Co(this.Pi().el(),"marginBottom")\|\|"0",10);this.Ta={top:a,right:0,bottom:b,left:0};a=_.cf(this.getData("isMenuDynamic"),!1);b=_.cf(this.getData("isMenuHoisted"),!1);this.Ga=a?1:b?2:0;this.ka=!1;this.Ca=1;this.Ga!==1&&(this.aa=this.Sa("U0exHf").children().Wc(0),_.ku(this,.$5a(this,this.aa.el())));_.kF(this.oa())&&(a=this.oa().el(),b=this.we.bind(this),a.__soy_skip_handler=b)};_.J(_.uJ,_.X);_.uJ.Ba=function(){return{Ea:{ff:_.ZE,focus:_.KE,Fc:_.ru}}};_.uJ.prototype.xF=function(a){var b=a.source;this.Na=b;var c;((c=a.data)==null?0:c.fz)?(a=a.data.fz,this.Ca=a==="MOUS

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.58246531777093
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	918'528 bytes
MD5:	6695b4f09fe9d39c9be1fd74e89ecc19
SHA1:	20621918295bb2f7da03bcc9d80e0ff23a35fabc
SHA256:	6a06f869eb3cb873f69ff529c2c58d39461c529cbfaa779a2b73d600d5900daf
SHA512:	cf446b7dbb673481675ea192fc87ebb49b00dba9e65cc12a039f0489b2d6a425fc36717ef929b8ff3eef5aa6e6179479064b84b704ec89cd548afd8bacae9212
SSDEEP:	12288:5qDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgatTP:5qDEvCTbMWu7rQYlBQcBiT6rprG8apP
TLSH:	72159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FD6C6C [Wed Oct 2 15:53:16 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F5908630363h
jmp 00007F590862FC6Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F590862FE4Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F590862FE1Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F5908632A0Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F5908632A58h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F5908632A41h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9958	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9958	0x9a00	6cca709c24274a11716e34ce06145b6a	False	0.30420556006493504	data	5.278355328625398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xc20	data			1.0035438144329898
RT_GROUP_ICON	0xdd3d8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd450	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd464	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd478	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd48c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd568	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 18:22:13.698535919 CEST	49674	443	192.168.2.6	173.222.162.64
Oct 2, 2024 18:22:13.698535919 CEST	49673	443	192.168.2.6	173.222.162.64
Oct 2, 2024 18:22:14.026611090 CEST	49672	443	192.168.2.6	173.222.162.64
Oct 2, 2024 18:22:19.949489117 CEST	49699	443	192.168.2.6	142.250.181.238
Oct 2, 2024 18:22:19.949553967 CEST	443	49699	142.250.181.238	192.168.2.6
Oct 2, 2024 18:22:19.949615002 CEST	49699	443	192.168.2.6	142.250.181.238
Oct 2, 2024 18:22:19.950594902 CEST	49699	443	192.168.2.6	142.250.181.238
Oct 2, 2024 18:22:19.950609922 CEST	443	49699	142.250.181.238	192.168.2.6
Oct 2, 2024 18:22:20.588692904 CEST	443	49699	142.250.181.238	192.168.2.6
Oct 2, 2024 18:22:20.588851929 CEST	49699	443	192.168.2.6	142.250.181.238
Oct 2, 2024 18:22:20.588860989 CEST	443	49699	142.250.181.238	192.168.2.6
Oct 2, 2024 18:22:20.589215994 CEST	443	49699	142.250.181.238	192.168.2.6
Oct 2, 2024 18:22:20.589282990 CEST	49699	443	192.168.2.6	142.250.181.238
Oct 2, 2024 18:22:20.589862108 CEST	443	49699	142.250.181.238	192.168.2.6
Oct 2, 2024 18:22:20.589917898 CEST	49699	443	192.168.2.6	142.250.181.238
Oct 2, 2024 18:22:20.591202974 CEST	49699	443	192.168.2.6	142.250.181.238
Oct 2, 2024 18:22:20.591260910 CEST	443	49699	142.250.181.238	192.168.2.6
Oct 2, 2024 18:22:20.591590881 CEST	49699	443	192.168.2.6	142.250.181.238
Oct 2, 2024 18:22:20.591598988 CEST	443	49699	142.250.181.238	192.168.2.6
Oct 2, 2024 18:22:20.638758898 CEST	49699	443	192.168.2.6	142.250.181.238
Oct 2, 2024 18:22:20.893904924 CEST	443	49699	142.250.181.238	192.168.2.6
Oct 2, 2024 18:22:20.895302057 CEST	443	49699	142.250.181.238	192.168.2.6
Oct 2, 2024 18:22:20.895690918 CEST	49699	443	192.168.2.6	142.250.181.238
Oct 2, 2024 18:22:20.897267103 CEST	49699	443	192.168.2.6	142.250.181.238
Oct 2, 2024 18:22:20.897284031 CEST	443	49699	142.250.181.238	192.168.2.6
Oct 2, 2024 18:22:20.907830000 CEST	49705	443	192.168.2.6	142.250.185.174
Oct 2, 2024 18:22:20.907857895 CEST	443	49705	142.250.185.174	192.168.2.6
Oct 2, 2024 18:22:20.908056974 CEST	49705	443	192.168.2.6	142.250.185.174
Oct 2, 2024 18:22:20.908344030 CEST	49705	443	192.168.2.6	142.250.185.174
Oct 2, 2024 18:22:20.908356905 CEST	443	49705	142.250.185.174	192.168.2.6
Oct 2, 2024 18:22:21.566262007 CEST	443	49705	142.250.185.174	192.168.2.6
Oct 2, 2024 18:22:21.567053080 CEST	49705	443	192.168.2.6	142.250.185.174
Oct 2, 2024 18:22:21.567069054 CEST	443	49705	142.250.185.174	192.168.2.6
Oct 2, 2024 18:22:21.567419052 CEST	443	49705	142.250.185.174	192.168.2.6
Oct 2, 2024 18:22:21.567560911 CEST	49705	443	192.168.2.6	142.250.185.174
Oct 2, 2024 18:22:21.568049908 CEST	443	49705	142.250.185.174	192.168.2.6
Oct 2, 2024 18:22:21.568129063 CEST	49705	443	192.168.2.6	142.250.185.174
Oct 2, 2024 18:22:21.569438934 CEST	49705	443	192.168.2.6	142.250.185.174
Oct 2, 2024 18:22:21.569438934 CEST	49705	443	192.168.2.6	142.250.185.174
Oct 2, 2024 18:22:21.569446087 CEST	443	49705	142.250.185.174	192.168.2.6
Oct 2, 2024 18:22:21.569483995 CEST	443	49705	142.250.185.174	192.168.2.6
Oct 2, 2024 18:22:21.619071007 CEST	49705	443	192.168.2.6	142.250.185.174
Oct 2, 2024 18:22:21.619083881 CEST	443	49705	142.250.185.174	192.168.2.6
Oct 2, 2024 18:22:21.667629957 CEST	49705	443	192.168.2.6	142.250.185.174
Oct 2, 2024 18:22:21.891791105 CEST	443	49705	142.250.185.174	192.168.2.6
Oct 2, 2024 18:22:21.891808987 CEST	443	49705	142.250.185.174	192.168.2.6
Oct 2, 2024 18:22:21.891901970 CEST	49705	443	192.168.2.6	142.250.185.174
Oct 2, 2024 18:22:21.891916037 CEST	443	49705	142.250.185.174	192.168.2.6
Oct 2, 2024 18:22:21.891971111 CEST	443	49705	142.250.185.174	192.168.2.6
Oct 2, 2024 18:22:21.892018080 CEST	49705	443	192.168.2.6	142.250.185.174
Oct 2, 2024 18:22:21.894936085 CEST	49705	443	192.168.2.6	142.250.185.174
Oct 2, 2024 18:22:21.894953012 CEST	443	49705	142.250.185.174	192.168.2.6
Oct 2, 2024 18:22:23.306591988 CEST	49674	443	192.168.2.6	173.222.162.64
Oct 2, 2024 18:22:23.306591988 CEST	49673	443	192.168.2.6	173.222.162.64
Oct 2, 2024 18:22:23.634639025 CEST	49672	443	192.168.2.6	173.222.162.64
Oct 2, 2024 18:22:24.238629103 CEST	49711	443	192.168.2.6	142.250.184.228
Oct 2, 2024 18:22:24.238676071 CEST	443	49711	142.250.184.228	192.168.2.6
Oct 2, 2024 18:22:24.238897085 CEST	49711	443	192.168.2.6	142.250.184.228
Oct 2, 2024 18:22:24.238897085 CEST	49711	443	192.168.2.6	142.250.184.228
Oct 2, 2024 18:22:24.238941908 CEST	443	49711	142.250.184.228	192.168.2.6
Oct 2, 2024 18:22:24.454282999 CEST	49712	443	192.168.2.6	184.28.90.27
Oct 2, 2024 18:22:24.454320908 CEST	443	49712	184.28.90.27	192.168.2.6
Oct 2, 2024 18:22:24.454400063 CEST	49712	443	192.168.2.6	184.28.90.27
Oct 2, 2024 18:22:24.456316948 CEST	49712	443	192.168.2.6	184.28.90.27
Oct 2, 2024 18:22:24.456331015 CEST	443	49712	184.28.90.27	192.168.2.6
Oct 2, 2024 18:22:24.896425009 CEST	443	49711	142.250.184.228	192.168.2.6
Oct 2, 2024 18:22:24.896703005 CEST	49711	443	192.168.2.6	142.250.184.228
Oct 2, 2024 18:22:24.896734953 CEST	443	49711	142.250.184.228	192.168.2.6
Oct 2, 2024 18:22:24.897783041 CEST	443	49711	142.250.184.228	192.168.2.6
Oct 2, 2024 18:22:24.897845030 CEST	49711	443	192.168.2.6	142.250.184.228
Oct 2, 2024 18:22:24.898960114 CEST	49711	443	192.168.2.6	142.250.184.228
Oct 2, 2024 18:22:24.899065018 CEST	443	49711	142.250.184.228	192.168.2.6
Oct 2, 2024 18:22:24.947025061 CEST	49711	443	192.168.2.6	142.250.184.228
Oct 2, 2024 18:22:24.947060108 CEST	443	49711	142.250.184.228	192.168.2.6
Oct 2, 2024 18:22:24.993916988 CEST	49711	443	192.168.2.6	142.250.184.228
Oct 2, 2024 18:22:25.104700089 CEST	443	49712	184.28.90.27	192.168.2.6
Oct 2, 2024 18:22:25.104773998 CEST	49712	443	192.168.2.6	184.28.90.27
Oct 2, 2024 18:22:25.108688116 CEST	49712	443	192.168.2.6	184.28.90.27
Oct 2, 2024 18:22:25.108696938 CEST	443	49712	184.28.90.27	192.168.2.6
Oct 2, 2024 18:22:25.109433889 CEST	443	49712	184.28.90.27	192.168.2.6
Oct 2, 2024 18:22:25.150162935 CEST	49712	443	192.168.2.6	184.28.90.27
Oct 2, 2024 18:22:25.183285952 CEST	49712	443	192.168.2.6	184.28.90.27
Oct 2, 2024 18:22:25.227400064 CEST	443	49712	184.28.90.27	192.168.2.6
Oct 2, 2024 18:22:25.313709974 CEST	443	49698	173.222.162.64	192.168.2.6
Oct 2, 2024 18:22:25.313803911 CEST	49698	443	192.168.2.6	173.222.162.64
Oct 2, 2024 18:22:25.376317978 CEST	443	49712	184.28.90.27	192.168.2.6
Oct 2, 2024 18:22:25.376394033 CEST	443	49712	184.28.90.27	192.168.2.6
Oct 2, 2024 18:22:25.376436949 CEST	49712	443	192.168.2.6	184.28.90.27
Oct 2, 2024 18:22:25.376657963 CEST	49712	443	192.168.2.6	184.28.90.27
Oct 2, 2024 18:22:25.376671076 CEST	443	49712	184.28.90.27	192.168.2.6
Oct 2, 2024 18:22:25.376687050 CEST	49712	443	192.168.2.6	184.28.90.27
Oct 2, 2024 18:22:25.376692057 CEST	443	49712	184.28.90.27	192.168.2.6
Oct 2, 2024 18:22:25.466447115 CEST	49717	443	192.168.2.6	184.28.90.27
Oct 2, 2024 18:22:25.466485023 CEST	443	49717	184.28.90.27	192.168.2.6
Oct 2, 2024 18:22:25.466541052 CEST	49717	443	192.168.2.6	184.28.90.27
Oct 2, 2024 18:22:25.467442036 CEST	49717	443	192.168.2.6	184.28.90.27
Oct 2, 2024 18:22:25.467451096 CEST	443	49717	184.28.90.27	192.168.2.6
Oct 2, 2024 18:22:26.140883923 CEST	443	49717	184.28.90.27	192.168.2.6
Oct 2, 2024 18:22:26.141153097 CEST	49717	443	192.168.2.6	184.28.90.27
Oct 2, 2024 18:22:26.173731089 CEST	49717	443	192.168.2.6	184.28.90.27
Oct 2, 2024 18:22:26.173752069 CEST	443	49717	184.28.90.27	192.168.2.6
Oct 2, 2024 18:22:26.174117088 CEST	443	49717	184.28.90.27	192.168.2.6
Oct 2, 2024 18:22:26.175420046 CEST	49717	443	192.168.2.6	184.28.90.27
Oct 2, 2024 18:22:26.219402075 CEST	443	49717	184.28.90.27	192.168.2.6
Oct 2, 2024 18:22:26.416783094 CEST	443	49717	184.28.90.27	192.168.2.6
Oct 2, 2024 18:22:26.416857958 CEST	443	49717	184.28.90.27	192.168.2.6
Oct 2, 2024 18:22:26.421701908 CEST	49717	443	192.168.2.6	184.28.90.27
Oct 2, 2024 18:22:26.588534117 CEST	49717	443	192.168.2.6	184.28.90.27
Oct 2, 2024 18:22:26.588565111 CEST	443	49717	184.28.90.27	192.168.2.6
Oct 2, 2024 18:22:26.588592052 CEST	49717	443	192.168.2.6	184.28.90.27
Oct 2, 2024 18:22:26.588599920 CEST	443	49717	184.28.90.27	192.168.2.6
Oct 2, 2024 18:22:29.429735899 CEST	49731	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:22:29.429795980 CEST	443	49731	216.58.206.78	192.168.2.6
Oct 2, 2024 18:22:29.429989100 CEST	49731	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:22:29.430314064 CEST	49731	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:22:29.430330992 CEST	443	49731	216.58.206.78	192.168.2.6
Oct 2, 2024 18:22:30.061398029 CEST	443	49731	216.58.206.78	192.168.2.6
Oct 2, 2024 18:22:30.061655998 CEST	49731	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:22:30.061682940 CEST	443	49731	216.58.206.78	192.168.2.6
Oct 2, 2024 18:22:30.062222004 CEST	443	49731	216.58.206.78	192.168.2.6
Oct 2, 2024 18:22:30.062278032 CEST	49731	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:22:30.063241005 CEST	443	49731	216.58.206.78	192.168.2.6
Oct 2, 2024 18:22:30.063302040 CEST	49731	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:22:30.064436913 CEST	49731	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:22:30.064517021 CEST	443	49731	216.58.206.78	192.168.2.6
Oct 2, 2024 18:22:30.064603090 CEST	49731	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:22:30.108597994 CEST	49731	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:22:30.108630896 CEST	443	49731	216.58.206.78	192.168.2.6
Oct 2, 2024 18:22:30.155729055 CEST	49731	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:22:30.375617981 CEST	49734	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:30.375648022 CEST	443	49734	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:30.375705957 CEST	49734	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:30.375901937 CEST	49734	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:30.375911951 CEST	443	49734	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:30.410933018 CEST	443	49731	216.58.206.78	192.168.2.6
Oct 2, 2024 18:22:30.410979033 CEST	443	49731	216.58.206.78	192.168.2.6
Oct 2, 2024 18:22:30.411040068 CEST	443	49731	216.58.206.78	192.168.2.6
Oct 2, 2024 18:22:30.411048889 CEST	49731	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:22:30.411067009 CEST	443	49731	216.58.206.78	192.168.2.6
Oct 2, 2024 18:22:30.411108017 CEST	49731	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:22:30.415648937 CEST	443	49731	216.58.206.78	192.168.2.6
Oct 2, 2024 18:22:30.415699959 CEST	49731	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:22:30.422204018 CEST	443	49731	216.58.206.78	192.168.2.6
Oct 2, 2024 18:22:30.422259092 CEST	443	49731	216.58.206.78	192.168.2.6
Oct 2, 2024 18:22:30.422278881 CEST	49731	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:22:30.422290087 CEST	443	49731	216.58.206.78	192.168.2.6
Oct 2, 2024 18:22:30.422312021 CEST	49731	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:22:30.428318977 CEST	443	49731	216.58.206.78	192.168.2.6
Oct 2, 2024 18:22:30.429076910 CEST	49731	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:22:30.429085970 CEST	443	49731	216.58.206.78	192.168.2.6
Oct 2, 2024 18:22:30.432420015 CEST	443	49731	216.58.206.78	192.168.2.6
Oct 2, 2024 18:22:30.432447910 CEST	443	49731	216.58.206.78	192.168.2.6
Oct 2, 2024 18:22:30.432471991 CEST	49731	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:22:30.432477951 CEST	443	49731	216.58.206.78	192.168.2.6
Oct 2, 2024 18:22:30.432533026 CEST	49731	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:22:30.438401937 CEST	49735	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:30.438426018 CEST	443	49735	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:30.438508987 CEST	49735	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:30.438843966 CEST	49735	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:30.438853979 CEST	443	49735	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:30.497751951 CEST	443	49731	216.58.206.78	192.168.2.6
Oct 2, 2024 18:22:30.497807026 CEST	443	49731	216.58.206.78	192.168.2.6
Oct 2, 2024 18:22:30.497941017 CEST	49731	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:22:30.497955084 CEST	443	49731	216.58.206.78	192.168.2.6
Oct 2, 2024 18:22:30.498008966 CEST	49731	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:22:30.499087095 CEST	443	49731	216.58.206.78	192.168.2.6
Oct 2, 2024 18:22:30.499140978 CEST	49731	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:22:30.505548000 CEST	443	49731	216.58.206.78	192.168.2.6
Oct 2, 2024 18:22:30.505621910 CEST	49731	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:22:30.505650043 CEST	443	49731	216.58.206.78	192.168.2.6
Oct 2, 2024 18:22:30.505702019 CEST	49731	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:22:30.511833906 CEST	443	49731	216.58.206.78	192.168.2.6
Oct 2, 2024 18:22:30.511895895 CEST	49731	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:22:30.520416975 CEST	443	49731	216.58.206.78	192.168.2.6
Oct 2, 2024 18:22:30.520473957 CEST	49731	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:22:30.521413088 CEST	443	49731	216.58.206.78	192.168.2.6
Oct 2, 2024 18:22:30.525700092 CEST	443	49731	216.58.206.78	192.168.2.6
Oct 2, 2024 18:22:30.529927015 CEST	49731	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:22:30.529936075 CEST	443	49731	216.58.206.78	192.168.2.6
Oct 2, 2024 18:22:30.531898022 CEST	443	49731	216.58.206.78	192.168.2.6
Oct 2, 2024 18:22:30.531953096 CEST	49731	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:22:30.531960011 CEST	443	49731	216.58.206.78	192.168.2.6
Oct 2, 2024 18:22:30.532182932 CEST	49731	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:22:30.532218933 CEST	443	49731	216.58.206.78	192.168.2.6
Oct 2, 2024 18:22:30.532259941 CEST	49731	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:22:31.246467113 CEST	443	49734	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:31.250432014 CEST	443	49735	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:31.291459084 CEST	49735	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:31.293051004 CEST	49734	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:31.305337906 CEST	49735	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:31.305360079 CEST	443	49735	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:31.305434942 CEST	49734	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:31.305448055 CEST	443	49734	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:31.306202888 CEST	443	49734	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:31.306267023 CEST	49734	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:31.306705952 CEST	443	49735	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:31.306772947 CEST	49735	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:31.307228088 CEST	443	49734	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:31.307275057 CEST	49734	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:31.309206963 CEST	443	49735	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:31.309257984 CEST	49735	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:31.437951088 CEST	49734	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:31.438034058 CEST	49735	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:31.438368082 CEST	443	49734	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:31.438412905 CEST	443	49735	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:31.439665079 CEST	49734	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:31.439683914 CEST	443	49734	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:31.439980030 CEST	49735	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:31.439996958 CEST	443	49735	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:31.482151985 CEST	49734	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:31.482165098 CEST	49735	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:31.650233984 CEST	443	49735	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:31.650422096 CEST	443	49735	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:31.650487900 CEST	49735	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:31.650639057 CEST	49735	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:31.650657892 CEST	443	49735	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:31.650667906 CEST	49735	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:31.650702000 CEST	49735	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:31.651837111 CEST	49740	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:31.651874065 CEST	443	49740	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:31.651926041 CEST	49740	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:31.652276039 CEST	49740	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:31.652287006 CEST	443	49740	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:31.654043913 CEST	443	49734	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:31.654350042 CEST	443	49734	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:31.654397964 CEST	49734	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:31.654469967 CEST	49734	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:31.654488087 CEST	443	49734	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:31.654501915 CEST	49734	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:31.654531956 CEST	49734	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:31.655078888 CEST	49741	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:31.655114889 CEST	443	49741	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:31.655169010 CEST	49741	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:31.655443907 CEST	49741	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:31.655462027 CEST	443	49741	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:32.292793989 CEST	443	49741	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:32.293158054 CEST	49741	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:32.293183088 CEST	443	49741	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:32.293638945 CEST	443	49741	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:32.293710947 CEST	49741	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:32.294346094 CEST	443	49741	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:32.294482946 CEST	49741	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:32.294676065 CEST	49741	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:32.294775963 CEST	443	49741	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:32.294936895 CEST	49741	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:32.294950962 CEST	443	49741	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:32.294974089 CEST	49741	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:32.298491955 CEST	443	49740	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:32.298990011 CEST	49740	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:32.299009085 CEST	443	49740	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:32.300342083 CEST	443	49740	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:32.300422907 CEST	49740	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:32.301624060 CEST	443	49740	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:32.301686049 CEST	49740	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:32.301906109 CEST	49740	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:32.301983118 CEST	443	49740	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:32.302086115 CEST	49740	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:32.302118063 CEST	49740	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:32.302126884 CEST	443	49740	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:32.338960886 CEST	49741	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:32.338975906 CEST	443	49741	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:32.354573965 CEST	49740	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:32.511653900 CEST	443	49741	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:32.512890100 CEST	443	49741	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:32.512959957 CEST	49741	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:32.513988018 CEST	49741	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:32.514019012 CEST	443	49741	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:32.527906895 CEST	443	49740	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:32.529083967 CEST	443	49740	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:32.529156923 CEST	49740	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:32.530174017 CEST	49740	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:32.530189037 CEST	443	49740	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:32.952187061 CEST	49711	443	192.168.2.6	142.250.184.228
Oct 2, 2024 18:22:32.999413967 CEST	443	49711	142.250.184.228	192.168.2.6
Oct 2, 2024 18:22:33.224534035 CEST	443	49711	142.250.184.228	192.168.2.6
Oct 2, 2024 18:22:33.224586010 CEST	443	49711	142.250.184.228	192.168.2.6
Oct 2, 2024 18:22:33.224626064 CEST	443	49711	142.250.184.228	192.168.2.6
Oct 2, 2024 18:22:33.224651098 CEST	443	49711	142.250.184.228	192.168.2.6
Oct 2, 2024 18:22:33.224766970 CEST	443	49711	142.250.184.228	192.168.2.6
Oct 2, 2024 18:22:33.224795103 CEST	49711	443	192.168.2.6	142.250.184.228
Oct 2, 2024 18:22:33.224850893 CEST	49711	443	192.168.2.6	142.250.184.228
Oct 2, 2024 18:22:33.226867914 CEST	49711	443	192.168.2.6	142.250.184.228
Oct 2, 2024 18:22:33.226891994 CEST	443	49711	142.250.184.228	192.168.2.6
Oct 2, 2024 18:22:34.303323984 CEST	49747	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:22:34.303364992 CEST	443	49747	20.114.59.183	192.168.2.6
Oct 2, 2024 18:22:34.303445101 CEST	49747	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:22:34.304570913 CEST	49747	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:22:34.304585934 CEST	443	49747	20.114.59.183	192.168.2.6
Oct 2, 2024 18:22:35.604157925 CEST	443	49747	20.114.59.183	192.168.2.6
Oct 2, 2024 18:22:35.604290962 CEST	49747	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:22:35.606332064 CEST	49747	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:22:35.606343985 CEST	443	49747	20.114.59.183	192.168.2.6
Oct 2, 2024 18:22:35.606584072 CEST	443	49747	20.114.59.183	192.168.2.6
Oct 2, 2024 18:22:35.651336908 CEST	49747	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:22:36.465415955 CEST	49747	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:22:36.507410049 CEST	443	49747	20.114.59.183	192.168.2.6
Oct 2, 2024 18:22:37.097212076 CEST	443	49747	20.114.59.183	192.168.2.6
Oct 2, 2024 18:22:37.097234964 CEST	443	49747	20.114.59.183	192.168.2.6
Oct 2, 2024 18:22:37.097243071 CEST	443	49747	20.114.59.183	192.168.2.6
Oct 2, 2024 18:22:37.097254992 CEST	443	49747	20.114.59.183	192.168.2.6
Oct 2, 2024 18:22:37.097290039 CEST	443	49747	20.114.59.183	192.168.2.6
Oct 2, 2024 18:22:37.097309113 CEST	49747	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:22:37.097331047 CEST	443	49747	20.114.59.183	192.168.2.6
Oct 2, 2024 18:22:37.097343922 CEST	49747	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:22:37.097388029 CEST	49747	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:22:37.097487926 CEST	443	49747	20.114.59.183	192.168.2.6
Oct 2, 2024 18:22:37.097539902 CEST	49747	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:22:37.097548008 CEST	443	49747	20.114.59.183	192.168.2.6
Oct 2, 2024 18:22:37.098258972 CEST	443	49747	20.114.59.183	192.168.2.6
Oct 2, 2024 18:22:37.098323107 CEST	49747	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:22:37.815764904 CEST	49747	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:22:37.815798044 CEST	443	49747	20.114.59.183	192.168.2.6
Oct 2, 2024 18:22:37.815812111 CEST	49747	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:22:37.815818071 CEST	443	49747	20.114.59.183	192.168.2.6
Oct 2, 2024 18:22:38.497706890 CEST	49753	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:38.497731924 CEST	443	49753	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:38.497982979 CEST	49753	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:38.498358965 CEST	49753	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:38.498373032 CEST	443	49753	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:39.126595020 CEST	443	49753	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:39.126913071 CEST	49753	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:39.126940966 CEST	443	49753	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:39.127269030 CEST	443	49753	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:39.127620935 CEST	49753	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:39.127686024 CEST	443	49753	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:39.127829075 CEST	49753	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:39.127856016 CEST	49753	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:39.127861023 CEST	443	49753	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:39.454559088 CEST	443	49753	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:39.455588102 CEST	443	49753	172.217.18.110	192.168.2.6
Oct 2, 2024 18:22:39.455647945 CEST	49753	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:39.456629038 CEST	49753	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:22:39.456653118 CEST	443	49753	172.217.18.110	192.168.2.6
Oct 2, 2024 18:23:00.685596943 CEST	49754	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:23:00.685656071 CEST	443	49754	172.217.18.110	192.168.2.6
Oct 2, 2024 18:23:00.685735941 CEST	49754	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:23:00.686032057 CEST	49754	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:23:00.686048985 CEST	443	49754	172.217.18.110	192.168.2.6
Oct 2, 2024 18:23:00.687362909 CEST	49755	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:23:00.687419891 CEST	443	49755	172.217.18.110	192.168.2.6
Oct 2, 2024 18:23:00.687479973 CEST	49755	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:23:00.687706947 CEST	49755	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:23:00.687716961 CEST	443	49755	172.217.18.110	192.168.2.6
Oct 2, 2024 18:23:01.325175047 CEST	443	49754	172.217.18.110	192.168.2.6
Oct 2, 2024 18:23:01.325447083 CEST	49754	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:23:01.325464964 CEST	443	49754	172.217.18.110	192.168.2.6
Oct 2, 2024 18:23:01.325963974 CEST	443	49754	172.217.18.110	192.168.2.6
Oct 2, 2024 18:23:01.326237917 CEST	49754	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:23:01.326301098 CEST	443	49754	172.217.18.110	192.168.2.6
Oct 2, 2024 18:23:01.326391935 CEST	49754	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:23:01.326440096 CEST	49754	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:23:01.326445103 CEST	443	49754	172.217.18.110	192.168.2.6
Oct 2, 2024 18:23:01.330272913 CEST	443	49755	172.217.18.110	192.168.2.6
Oct 2, 2024 18:23:01.330487013 CEST	49755	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:23:01.330513000 CEST	443	49755	172.217.18.110	192.168.2.6
Oct 2, 2024 18:23:01.331149101 CEST	443	49755	172.217.18.110	192.168.2.6
Oct 2, 2024 18:23:01.331399918 CEST	49755	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:23:01.331464052 CEST	443	49755	172.217.18.110	192.168.2.6
Oct 2, 2024 18:23:01.331567049 CEST	49755	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:23:01.331605911 CEST	49755	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:23:01.331619978 CEST	443	49755	172.217.18.110	192.168.2.6
Oct 2, 2024 18:23:01.626987934 CEST	443	49754	172.217.18.110	192.168.2.6
Oct 2, 2024 18:23:01.627813101 CEST	443	49754	172.217.18.110	192.168.2.6
Oct 2, 2024 18:23:01.627996922 CEST	49754	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:23:01.628035069 CEST	49754	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:23:01.628051043 CEST	443	49754	172.217.18.110	192.168.2.6
Oct 2, 2024 18:23:01.731484890 CEST	49756	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:23:01.731532097 CEST	443	49756	172.217.18.110	192.168.2.6
Oct 2, 2024 18:23:01.731640100 CEST	49756	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:23:01.731897116 CEST	49756	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:23:01.731905937 CEST	443	49756	172.217.18.110	192.168.2.6
Oct 2, 2024 18:23:02.402355909 CEST	443	49756	172.217.18.110	192.168.2.6
Oct 2, 2024 18:23:02.402957916 CEST	49756	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:23:02.402971029 CEST	443	49756	172.217.18.110	192.168.2.6
Oct 2, 2024 18:23:02.403287888 CEST	443	49756	172.217.18.110	192.168.2.6
Oct 2, 2024 18:23:02.403640985 CEST	49756	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:23:02.403683901 CEST	443	49756	172.217.18.110	192.168.2.6
Oct 2, 2024 18:23:02.403928041 CEST	49756	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:23:02.403944969 CEST	49756	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:23:02.403949022 CEST	443	49756	172.217.18.110	192.168.2.6
Oct 2, 2024 18:23:02.620558977 CEST	443	49756	172.217.18.110	192.168.2.6
Oct 2, 2024 18:23:02.620738029 CEST	443	49756	172.217.18.110	192.168.2.6
Oct 2, 2024 18:23:02.620908022 CEST	49756	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:23:02.621248960 CEST	49756	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:23:02.621260881 CEST	443	49756	172.217.18.110	192.168.2.6
Oct 2, 2024 18:23:03.981842995 CEST	443	49755	172.217.18.110	192.168.2.6
Oct 2, 2024 18:23:03.981952906 CEST	443	49755	172.217.18.110	192.168.2.6
Oct 2, 2024 18:23:03.982007027 CEST	49755	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:23:03.982773066 CEST	49755	443	192.168.2.6	172.217.18.110
Oct 2, 2024 18:23:03.982786894 CEST	443	49755	172.217.18.110	192.168.2.6
Oct 2, 2024 18:23:14.276968956 CEST	49757	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:23:14.277015924 CEST	443	49757	20.114.59.183	192.168.2.6
Oct 2, 2024 18:23:14.277139902 CEST	49757	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:23:14.277662039 CEST	49757	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:23:14.277674913 CEST	443	49757	20.114.59.183	192.168.2.6
Oct 2, 2024 18:23:15.053504944 CEST	443	49757	20.114.59.183	192.168.2.6
Oct 2, 2024 18:23:15.053702116 CEST	49757	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:23:15.063230038 CEST	49757	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:23:15.063275099 CEST	443	49757	20.114.59.183	192.168.2.6
Oct 2, 2024 18:23:15.063756943 CEST	443	49757	20.114.59.183	192.168.2.6
Oct 2, 2024 18:23:15.103478909 CEST	49757	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:23:15.103986979 CEST	49757	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:23:15.147417068 CEST	443	49757	20.114.59.183	192.168.2.6
Oct 2, 2024 18:23:15.387058020 CEST	443	49757	20.114.59.183	192.168.2.6
Oct 2, 2024 18:23:15.387096882 CEST	443	49757	20.114.59.183	192.168.2.6
Oct 2, 2024 18:23:15.387106895 CEST	443	49757	20.114.59.183	192.168.2.6
Oct 2, 2024 18:23:15.387125015 CEST	443	49757	20.114.59.183	192.168.2.6
Oct 2, 2024 18:23:15.387162924 CEST	443	49757	20.114.59.183	192.168.2.6
Oct 2, 2024 18:23:15.387236118 CEST	49757	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:23:15.387253046 CEST	443	49757	20.114.59.183	192.168.2.6
Oct 2, 2024 18:23:15.387316942 CEST	49757	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:23:15.387340069 CEST	49757	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:23:15.387801886 CEST	443	49757	20.114.59.183	192.168.2.6
Oct 2, 2024 18:23:15.387840986 CEST	443	49757	20.114.59.183	192.168.2.6
Oct 2, 2024 18:23:15.387871981 CEST	49757	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:23:15.387880087 CEST	443	49757	20.114.59.183	192.168.2.6
Oct 2, 2024 18:23:15.387903929 CEST	49757	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:23:15.387907982 CEST	443	49757	20.114.59.183	192.168.2.6
Oct 2, 2024 18:23:15.387954950 CEST	49757	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:23:15.391501904 CEST	49757	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:23:15.391530037 CEST	443	49757	20.114.59.183	192.168.2.6
Oct 2, 2024 18:23:15.391544104 CEST	49757	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:23:15.391550064 CEST	443	49757	20.114.59.183	192.168.2.6
Oct 2, 2024 18:23:24.282174110 CEST	49759	443	192.168.2.6	142.250.184.228
Oct 2, 2024 18:23:24.282221079 CEST	443	49759	142.250.184.228	192.168.2.6
Oct 2, 2024 18:23:24.282296896 CEST	49759	443	192.168.2.6	142.250.184.228
Oct 2, 2024 18:23:24.282529116 CEST	49759	443	192.168.2.6	142.250.184.228
Oct 2, 2024 18:23:24.282543898 CEST	443	49759	142.250.184.228	192.168.2.6
Oct 2, 2024 18:23:24.974391937 CEST	443	49759	142.250.184.228	192.168.2.6
Oct 2, 2024 18:23:24.975122929 CEST	49759	443	192.168.2.6	142.250.184.228
Oct 2, 2024 18:23:24.975169897 CEST	443	49759	142.250.184.228	192.168.2.6
Oct 2, 2024 18:23:24.975466967 CEST	443	49759	142.250.184.228	192.168.2.6
Oct 2, 2024 18:23:24.975774050 CEST	49759	443	192.168.2.6	142.250.184.228
Oct 2, 2024 18:23:24.975838900 CEST	443	49759	142.250.184.228	192.168.2.6
Oct 2, 2024 18:23:25.025242090 CEST	49759	443	192.168.2.6	142.250.184.228
Oct 2, 2024 18:23:31.231367111 CEST	49760	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:23:31.231417894 CEST	443	49760	216.58.206.78	192.168.2.6
Oct 2, 2024 18:23:31.231497049 CEST	49760	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:23:31.231688023 CEST	49760	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:23:31.231703043 CEST	443	49760	216.58.206.78	192.168.2.6
Oct 2, 2024 18:23:32.108753920 CEST	443	49760	216.58.206.78	192.168.2.6
Oct 2, 2024 18:23:32.110603094 CEST	49760	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:23:32.110635042 CEST	443	49760	216.58.206.78	192.168.2.6
Oct 2, 2024 18:23:32.111004114 CEST	443	49760	216.58.206.78	192.168.2.6
Oct 2, 2024 18:23:32.111351013 CEST	49760	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:23:32.111428976 CEST	443	49760	216.58.206.78	192.168.2.6
Oct 2, 2024 18:23:32.111517906 CEST	49760	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:23:32.111535072 CEST	49760	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:23:32.111547947 CEST	443	49760	216.58.206.78	192.168.2.6
Oct 2, 2024 18:23:32.328784943 CEST	443	49760	216.58.206.78	192.168.2.6
Oct 2, 2024 18:23:32.329458952 CEST	443	49760	216.58.206.78	192.168.2.6
Oct 2, 2024 18:23:32.329579115 CEST	49760	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:23:32.330034971 CEST	49760	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:23:32.330053091 CEST	443	49760	216.58.206.78	192.168.2.6
Oct 2, 2024 18:23:33.763446093 CEST	49762	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:23:33.763497114 CEST	443	49762	216.58.206.78	192.168.2.6
Oct 2, 2024 18:23:33.763708115 CEST	49762	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:23:33.767460108 CEST	49762	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:23:33.767479897 CEST	443	49762	216.58.206.78	192.168.2.6
Oct 2, 2024 18:23:34.401551962 CEST	443	49762	216.58.206.78	192.168.2.6
Oct 2, 2024 18:23:34.405400038 CEST	49762	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:23:34.405424118 CEST	443	49762	216.58.206.78	192.168.2.6
Oct 2, 2024 18:23:34.405759096 CEST	443	49762	216.58.206.78	192.168.2.6
Oct 2, 2024 18:23:34.412484884 CEST	49762	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:23:34.412539005 CEST	443	49762	216.58.206.78	192.168.2.6
Oct 2, 2024 18:23:34.416094065 CEST	49762	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:23:34.416115999 CEST	49762	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:23:34.416121006 CEST	443	49762	216.58.206.78	192.168.2.6
Oct 2, 2024 18:23:34.732630014 CEST	443	49762	216.58.206.78	192.168.2.6
Oct 2, 2024 18:23:34.734431028 CEST	443	49762	216.58.206.78	192.168.2.6
Oct 2, 2024 18:23:34.734505892 CEST	49762	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:23:34.734621048 CEST	49762	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:23:34.734632969 CEST	443	49762	216.58.206.78	192.168.2.6
Oct 2, 2024 18:23:34.853408098 CEST	443	49759	142.250.184.228	192.168.2.6
Oct 2, 2024 18:23:34.853467941 CEST	443	49759	142.250.184.228	192.168.2.6
Oct 2, 2024 18:23:34.853636980 CEST	49759	443	192.168.2.6	142.250.184.228
Oct 2, 2024 18:23:48.140551090 CEST	49759	443	192.168.2.6	142.250.184.228
Oct 2, 2024 18:23:48.140594006 CEST	443	49759	142.250.184.228	192.168.2.6
Oct 2, 2024 18:24:03.627870083 CEST	49764	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:24:03.627963066 CEST	443	49764	216.58.206.78	192.168.2.6
Oct 2, 2024 18:24:03.628060102 CEST	49764	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:24:03.630044937 CEST	49764	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:24:03.630081892 CEST	443	49764	216.58.206.78	192.168.2.6
Oct 2, 2024 18:24:03.858216047 CEST	49765	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:24:03.858241081 CEST	443	49765	216.58.206.78	192.168.2.6
Oct 2, 2024 18:24:03.858314037 CEST	49765	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:24:03.858583927 CEST	49765	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:24:03.858591080 CEST	443	49765	216.58.206.78	192.168.2.6
Oct 2, 2024 18:24:04.260653973 CEST	443	49764	216.58.206.78	192.168.2.6
Oct 2, 2024 18:24:04.261167049 CEST	49764	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:24:04.261229992 CEST	443	49764	216.58.206.78	192.168.2.6
Oct 2, 2024 18:24:04.261770964 CEST	443	49764	216.58.206.78	192.168.2.6
Oct 2, 2024 18:24:04.262059927 CEST	49764	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:24:04.262146950 CEST	443	49764	216.58.206.78	192.168.2.6
Oct 2, 2024 18:24:04.262219906 CEST	49764	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:24:04.262257099 CEST	49764	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:24:04.262269020 CEST	443	49764	216.58.206.78	192.168.2.6
Oct 2, 2024 18:24:04.492510080 CEST	443	49765	216.58.206.78	192.168.2.6
Oct 2, 2024 18:24:04.492969036 CEST	49765	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:24:04.492984056 CEST	443	49765	216.58.206.78	192.168.2.6
Oct 2, 2024 18:24:04.493504047 CEST	443	49765	216.58.206.78	192.168.2.6
Oct 2, 2024 18:24:04.493818998 CEST	49765	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:24:04.493901014 CEST	443	49765	216.58.206.78	192.168.2.6
Oct 2, 2024 18:24:04.494000912 CEST	49765	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:24:04.494060040 CEST	49765	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:24:04.494066000 CEST	443	49765	216.58.206.78	192.168.2.6
Oct 2, 2024 18:24:04.561606884 CEST	443	49764	216.58.206.78	192.168.2.6
Oct 2, 2024 18:24:04.564029932 CEST	443	49764	216.58.206.78	192.168.2.6
Oct 2, 2024 18:24:04.564085007 CEST	49764	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:24:04.564213037 CEST	49764	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:24:04.564225912 CEST	443	49764	216.58.206.78	192.168.2.6
Oct 2, 2024 18:24:04.792844057 CEST	443	49765	216.58.206.78	192.168.2.6
Oct 2, 2024 18:24:04.793417931 CEST	443	49765	216.58.206.78	192.168.2.6
Oct 2, 2024 18:24:04.793483019 CEST	49765	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:24:04.793814898 CEST	49765	443	192.168.2.6	216.58.206.78
Oct 2, 2024 18:24:04.793828011 CEST	443	49765	216.58.206.78	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 18:22:19.930222034 CEST	52549	53	192.168.2.6	1.1.1.1
Oct 2, 2024 18:22:19.930413008 CEST	50920	53	192.168.2.6	1.1.1.1
Oct 2, 2024 18:22:19.938134909 CEST	53	50056	1.1.1.1	192.168.2.6
Oct 2, 2024 18:22:19.938204050 CEST	53	52549	1.1.1.1	192.168.2.6
Oct 2, 2024 18:22:19.938529968 CEST	53	50920	1.1.1.1	192.168.2.6
Oct 2, 2024 18:22:19.951302052 CEST	53	60741	1.1.1.1	192.168.2.6
Oct 2, 2024 18:22:20.899168015 CEST	60359	53	192.168.2.6	1.1.1.1
Oct 2, 2024 18:22:20.899564981 CEST	52905	53	192.168.2.6	1.1.1.1
Oct 2, 2024 18:22:20.906644106 CEST	53	60359	1.1.1.1	192.168.2.6
Oct 2, 2024 18:22:20.906783104 CEST	53	52905	1.1.1.1	192.168.2.6
Oct 2, 2024 18:22:20.954464912 CEST	53	52001	1.1.1.1	192.168.2.6
Oct 2, 2024 18:22:24.223083019 CEST	53	58798	1.1.1.1	192.168.2.6
Oct 2, 2024 18:22:24.229392052 CEST	61696	53	192.168.2.6	1.1.1.1
Oct 2, 2024 18:22:24.230101109 CEST	50032	53	192.168.2.6	1.1.1.1
Oct 2, 2024 18:22:24.237813950 CEST	53	61696	1.1.1.1	192.168.2.6
Oct 2, 2024 18:22:24.237832069 CEST	53	50032	1.1.1.1	192.168.2.6
Oct 2, 2024 18:22:26.576288939 CEST	53	57832	1.1.1.1	192.168.2.6
Oct 2, 2024 18:22:29.420106888 CEST	58784	53	192.168.2.6	1.1.1.1
Oct 2, 2024 18:22:29.420209885 CEST	57506	53	192.168.2.6	1.1.1.1
Oct 2, 2024 18:22:29.426978111 CEST	53	58784	1.1.1.1	192.168.2.6
Oct 2, 2024 18:22:29.427607059 CEST	53	57506	1.1.1.1	192.168.2.6
Oct 2, 2024 18:22:30.365206957 CEST	51799	53	192.168.2.6	1.1.1.1
Oct 2, 2024 18:22:30.365365982 CEST	51581	53	192.168.2.6	1.1.1.1
Oct 2, 2024 18:22:30.375026941 CEST	53	51799	1.1.1.1	192.168.2.6
Oct 2, 2024 18:22:30.375153065 CEST	53	51581	1.1.1.1	192.168.2.6
Oct 2, 2024 18:22:37.987365007 CEST	53	50986	1.1.1.1	192.168.2.6
Oct 2, 2024 18:22:56.754354000 CEST	53	52409	1.1.1.1	192.168.2.6
Oct 2, 2024 18:23:19.479489088 CEST	53	52925	1.1.1.1	192.168.2.6
Oct 2, 2024 18:23:19.520138025 CEST	53	52001	1.1.1.1	192.168.2.6
Oct 2, 2024 18:23:31.220417976 CEST	61869	53	192.168.2.6	1.1.1.1
Oct 2, 2024 18:23:31.223731041 CEST	59423	53	192.168.2.6	1.1.1.1
Oct 2, 2024 18:23:31.228344917 CEST	53	61869	1.1.1.1	192.168.2.6
Oct 2, 2024 18:23:31.230909109 CEST	53	59423	1.1.1.1	192.168.2.6
Oct 2, 2024 18:23:31.508780003 CEST	53	65194	1.1.1.1	192.168.2.6
Oct 2, 2024 18:23:48.150736094 CEST	53	63129	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 2, 2024 18:22:19.930222034 CEST	192.168.2.6	1.1.1.1	0x7fb0	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:22:19.930413008 CEST	192.168.2.6	1.1.1.1	0xc0b5	Standard query (0)	youtube.com	65	IN (0x0001)	false
Oct 2, 2024 18:22:20.899168015 CEST	192.168.2.6	1.1.1.1	0x7562	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:22:20.899564981 CEST	192.168.2.6	1.1.1.1	0x3e2c	Standard query (0)	www.youtube.com	65	IN (0x0001)	false
Oct 2, 2024 18:22:24.229392052 CEST	192.168.2.6	1.1.1.1	0xe664	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:22:24.230101109 CEST	192.168.2.6	1.1.1.1	0xfb7	Standard query (0)	www.google.com	65	IN (0x0001)	false
Oct 2, 2024 18:22:29.420106888 CEST	192.168.2.6	1.1.1.1	0xb765	Standard query (0)	accounts.youtube.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:22:29.420209885 CEST	192.168.2.6	1.1.1.1	0x58a7	Standard query (0)	accounts.youtube.com	65	IN (0x0001)	false
Oct 2, 2024 18:22:30.365206957 CEST	192.168.2.6	1.1.1.1	0xd2f8	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:22:30.365365982 CEST	192.168.2.6	1.1.1.1	0x40c6	Standard query (0)	play.google.com	65	IN (0x0001)	false
Oct 2, 2024 18:23:31.220417976 CEST	192.168.2.6	1.1.1.1	0xb59	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:23:31.223731041 CEST	192.168.2.6	1.1.1.1	0xea10	Standard query (0)	play.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 2, 2024 18:22:19.938204050 CEST	1.1.1.1	192.168.2.6	0x7fb0	No error (0)	youtube.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:22:19.938529968 CEST	1.1.1.1	192.168.2.6	0xc0b5	No error (0)	youtube.com			65	IN (0x0001)	false
Oct 2, 2024 18:22:20.906644106 CEST	1.1.1.1	192.168.2.6	0x7562	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 18:22:20.906644106 CEST	1.1.1.1	192.168.2.6	0x7562	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:22:20.906644106 CEST	1.1.1.1	192.168.2.6	0x7562	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:22:20.906644106 CEST	1.1.1.1	192.168.2.6	0x7562	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:22:20.906644106 CEST	1.1.1.1	192.168.2.6	0x7562	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:22:20.906644106 CEST	1.1.1.1	192.168.2.6	0x7562	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:22:20.906644106 CEST	1.1.1.1	192.168.2.6	0x7562	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:22:20.906644106 CEST	1.1.1.1	192.168.2.6	0x7562	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:22:20.906644106 CEST	1.1.1.1	192.168.2.6	0x7562	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:22:20.906644106 CEST	1.1.1.1	192.168.2.6	0x7562	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:22:20.906644106 CEST	1.1.1.1	192.168.2.6	0x7562	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:22:20.906644106 CEST	1.1.1.1	192.168.2.6	0x7562	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:22:20.906644106 CEST	1.1.1.1	192.168.2.6	0x7562	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:22:20.906644106 CEST	1.1.1.1	192.168.2.6	0x7562	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:22:20.906644106 CEST	1.1.1.1	192.168.2.6	0x7562	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:22:20.906644106 CEST	1.1.1.1	192.168.2.6	0x7562	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:22:20.906644106 CEST	1.1.1.1	192.168.2.6	0x7562	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:22:20.906783104 CEST	1.1.1.1	192.168.2.6	0x3e2c	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 18:22:20.906783104 CEST	1.1.1.1	192.168.2.6	0x3e2c	No error (0)	youtube-ui.l.google.com			65	IN (0x0001)	false
Oct 2, 2024 18:22:24.237813950 CEST	1.1.1.1	192.168.2.6	0xe664	No error (0)	www.google.com		142.250.184.228	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:22:24.237832069 CEST	1.1.1.1	192.168.2.6	0xfb7	No error (0)	www.google.com			65	IN (0x0001)	false
Oct 2, 2024 18:22:29.426978111 CEST	1.1.1.1	192.168.2.6	0xb765	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 18:22:29.426978111 CEST	1.1.1.1	192.168.2.6	0xb765	No error (0)	www3.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:22:29.427607059 CEST	1.1.1.1	192.168.2.6	0x58a7	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 18:22:30.375026941 CEST	1.1.1.1	192.168.2.6	0xd2f8	No error (0)	play.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:23:31.228344917 CEST	1.1.1.1	192.168.2.6	0xb59	No error (0)	play.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

youtube.com

www.youtube.com

fs.microsoft.com

https:

accounts.youtube.com

play.google.com

www.google.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49699	142.250.181.238	443	2784	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:22:20 UTC	839	OUT	GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1 Host: youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc= Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 16:22:20 UTC	1704	IN	HTTP/1.1 301 Moved Permanently Content-Type: application/binary X-Content-Type-Options: nosniff Expires: Wed, 02 Oct 2024 16:22:20 GMT Date: Wed, 02 Oct 2024 16:22:20 GMT Cache-Control: private, max-age=31536000 Location: https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Content-Security-Policy: require-trusted-types-for 'script' Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49705	142.250.185.174	443	2784	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:22:21 UTC	857	OUT	GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1 Host: www.youtube.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc= Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 16:22:21 UTC	2634	IN	HTTP/1.1 303 See Other Content-Type: application/binary X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 02 Oct 2024 16:22:21 GMT Location: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Content-Security-Policy: require-trusted-types-for 'script' Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* P3P: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info." Server: ESF Content-Length: 0 X-XSS-Protection: 0 Set-Cookie: GPS=1; Domain=.youtube.com; Expires=Wed, 02-Oct-2024 16:52:21 GMT; Path=/; Secure; HttpOnly Set-Cookie: YSC=iDvj67umFRs; Domain=.youtube.com; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_INFO1_LIVE=7q9wzz-ieag; Domain=.youtube.com; Expires=Mon, 31-Mar-2025 16:22:21 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_PRIVACY_METADATA=CgJVUxIEGgAgOA%3D%3D; Domain=.youtube.com; Expires=Mon, 31-Mar-2025 16:22:21 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49712	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:22:25 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-02 16:22:25 UTC	466	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-neu-z1 Cache-Control: public, max-age=87805 Date: Wed, 02 Oct 2024 16:22:25 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49717	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:22:26 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-02 16:22:26 UTC	514	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=87748 Date: Wed, 02 Oct 2024 16:22:26 GMT Content-Length: 55 Connection: close X-CID: 2
2024-10-02 16:22:26 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49731	216.58.206.78	443	2784	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:22:30 UTC	1223	OUT	GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=543619973&timestamp=1727886148823 HTTP/1.1 Host: accounts.youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-arch: "x86" sec-ch-ua-platform: "Windows" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-model: "" sec-ch-ua-bitness: "64" sec-ch-ua-wow64: ?0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc= Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: iframe Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 16:22:30 UTC	1969	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 X-Frame-Options: ALLOW-FROM https://accounts.google.com Content-Security-Policy: frame-ancestors https://accounts.google.com Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-_PysNMU11bExW4o8KaKPAg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport/allowlist Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 02 Oct 2024 16:22:30 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Resource-Policy: cross-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin reporting-endpoints: default="/_/AccountsDomainCookiesCheckConnectionHttp/web-reports?context=eJzjstDikmLw1ZBikPj6kkkNiJ3SZ7AGAHHSv_OsBUB8ufsS63UgVu25xGoMxEUSV1gbgFiIh-PYs6_b2QQOnPnUy6ikl5RfGJ-ZkppXkllSmZKfm5iZl5yfn52ZWlycWlSWWhRvZGBkYmBpZKRnYBFfYAAA_eIuDg" Server: ESF X-XSS-Protection: 0 X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 16:22:30 UTC	1969	IN	Data Raw: 37 36 32 30 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 5f 50 79 73 4e 4d 55 31 31 62 45 78 57 34 6f 38 4b 61 4b 50 41 67 22 3e 22 75 73 65 20 73 74 72 69 63 74 22 3b 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 3d 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 7c 7c 7b 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 5f 29 7b 76 61 72 20 77 69 6e 64 6f 77 3d 74 68 69 73 3b 0a 74 72 79 7b 0a 5f 2e 5f 46 5f 74 6f 67 67 6c 65 73 5f 69 6e 69 74 69 61 6c 69 7a 65 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 28 74 79 70 65 6f Data Ascii: 7620<html><head><script nonce="_PysNMU11bExW4o8KaKPAg">"use strict";this.default_AccountsDomaincookiesCheckconnectionJs=this.default_AccountsDomaincookiesCheckconnectionJs\|\|{};(function(_){var window=this;try{_._F_toggles_initialize=function(a){(typeo
2024-10-02 16:22:30 UTC	1969	IN	Data Raw: 54 72 69 64 65 6e 74 5c 2f 28 5c 64 2e 5c 64 29 2f 2e 65 78 65 63 28 62 29 2c 0a 63 5b 31 5d 3d 3d 22 37 2e 30 22 29 69 66 28 62 26 26 62 5b 31 5d 29 73 77 69 74 63 68 28 62 5b 31 5d 29 7b 63 61 73 65 20 22 34 2e 30 22 3a 61 3d 22 38 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 35 2e 30 22 3a 61 3d 22 39 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 36 2e 30 22 3a 61 3d 22 31 30 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 37 2e 30 22 3a 61 3d 22 31 31 2e 30 22 7d 65 6c 73 65 20 61 3d 22 37 2e 30 22 3b 65 6c 73 65 20 61 3d 63 5b 31 5d 3b 62 3d 61 7d 65 6c 73 65 20 62 3d 22 22 3b 72 65 74 75 72 6e 20 62 7d 76 61 72 20 64 3d 52 65 67 45 78 70 28 22 28 5b 41 2d 5a 5d 5b 5c 5c 77 20 5d 2b 29 2f 28 5b 5e 5c 5c 73 5d 2b 29 5c 5c 73 2a 28 3f 3a 5c 5c 28 Data Ascii: Trident\/(\d.\d)/.exec(b),c[1]=="7.0")if(b&&b[1])switch(b[1]){case "4.0":a="8.0";break;case "5.0":a="9.0";break;case "6.0":a="10.0";break;case "7.0":a="11.0"}else a="7.0";else a=c[1];b=a}else b="";return b}var d=RegExp("([A-Z][\\w ]+)/([^\\s]+)\\s*(?:\\(
2024-10-02 16:22:30 UTC	1969	IN	Data Raw: 74 63 68 28 74 79 70 65 6f 66 20 61 29 7b 63 61 73 65 20 22 6e 75 6d 62 65 72 22 3a 72 65 74 75 72 6e 20 69 73 46 69 6e 69 74 65 28 61 29 3f 61 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 69 67 69 6e 74 22 3a 72 65 74 75 72 6e 28 41 61 3f 0a 61 3e 3d 42 61 26 26 61 3c 3d 43 61 3a 61 5b 30 5d 3d 3d 3d 22 2d 22 3f 75 61 28 61 2c 44 61 29 3a 75 61 28 61 2c 45 61 29 29 3f 4e 75 6d 62 65 72 28 61 29 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 72 65 74 75 72 6e 20 61 3f 31 3a 30 3b 63 61 73 65 20 22 6f 62 6a 65 63 74 22 3a 69 66 28 61 29 69 66 28 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 61 29 29 7b 69 66 28 43 28 61 29 29 72 65 74 75 72 6e 7d 65 6c 73 65 20 69 66 28 46 61 26 26 61 21 3d 6e 75 6c 6c 26 26 61 20 69 6e Data Ascii: tch(typeof a){case "number":return isFinite(a)?a:String(a);case "bigint":return(Aa?a>=Ba&&a<=Ca:a[0]==="-"?ua(a,Da):ua(a,Ea))?Number(a):String(a);case "boolean":return a?1:0;case "object":if(a)if(Array.isArray(a)){if(C(a))return}else if(Fa&&a!=null&&a in
2024-10-02 16:22:30 UTC	1969	IN	Data Raw: 7b 76 61 72 20 62 3b 69 66 28 61 26 26 28 62 3d 51 61 29 21 3d 6e 75 6c 6c 26 26 62 2e 68 61 73 28 61 29 26 26 28 62 3d 61 2e 43 29 29 66 6f 72 28 76 61 72 20 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 62 5b 63 5d 3b 69 66 28 63 3d 3d 3d 62 2e 6c 65 6e 67 74 68 2d 31 26 26 41 28 64 29 29 66 6f 72 28 76 61 72 20 65 20 69 6e 20 64 29 7b 76 61 72 20 66 3d 64 5b 65 5d 3b 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 66 29 26 26 0a 52 61 28 66 2c 61 29 7d 65 6c 73 65 20 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 64 29 26 26 52 61 28 64 2c 61 29 7d 61 3d 45 3f 61 2e 43 3a 4d 61 28 61 2e 43 2c 50 61 2c 76 6f 69 64 20 30 2c 76 6f 69 64 20 30 2c 21 31 29 3b 65 3d 21 45 3b 69 66 28 62 3d 61 2e 6c 65 6e 67 74 68 29 7b 64 3d 61 5b 62 2d Data Ascii: {var b;if(a&&(b=Qa)!=null&&b.has(a)&&(b=a.C))for(var c=0;c<b.length;c++){var d=b[c];if(c===b.length-1&&A(d))for(var e in d){var f=d[e];Array.isArray(f)&&Ra(f,a)}else Array.isArray(d)&&Ra(d,a)}a=E?a.C:Ma(a.C,Pa,void 0,void 0,!1);e=!E;if(b=a.length){d=a[b-
2024-10-02 16:22:30 UTC	1969	IN	Data Raw: 6f 6c 2e 69 74 65 72 61 74 6f 72 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 61 29 72 65 74 75 72 6e 20 61 3b 61 3d 53 79 6d 62 6f 6c 28 22 63 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 22 41 72 72 61 79 20 49 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 43 6c 61 6d 70 65 64 41 72 72 61 79 20 49 6e 74 31 36 41 72 72 61 79 20 55 69 6e 74 31 36 41 72 72 61 79 20 49 6e 74 33 32 41 72 72 61 79 20 55 69 6e 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 36 34 41 72 72 61 79 22 2e 73 70 6c 69 74 28 22 20 22 29 2c 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 57 61 5b 62 5b 63 5d 5d 3b 74 79 70 65 6f 66 20 64 3d 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 26 26 74 79 70 65 Data Ascii: ol.iterator",function(a){if(a)return a;a=Symbol("c");for(var b="Array Int8Array Uint8Array Uint8ClampedArray Int16Array Uint16Array Int32Array Uint32Array Float32Array Float64Array".split(" "),c=0;c<b.length;c++){var d=Wa[b[c]];typeof d==="function"&&type
2024-10-02 16:22:30 UTC	1969	IN	Data Raw: 29 3b 65 28 22 66 72 65 65 7a 65 22 29 3b 65 28 22 70 72 65 76 65 6e 74 45 78 74 65 6e 73 69 6f 6e 73 22 29 3b 65 28 22 73 65 61 6c 22 29 3b 76 61 72 20 68 3d 30 2c 67 3d 66 75 6e 63 74 69 6f 6e 28 6b 29 7b 74 68 69 73 2e 67 3d 28 68 2b 3d 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2b 31 29 2e 74 6f 53 74 72 69 6e 67 28 29 3b 69 66 28 6b 29 7b 6b 3d 48 28 6b 29 3b 66 6f 72 28 76 61 72 20 6c 3b 21 28 6c 3d 6b 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6c 3d 6c 2e 76 61 6c 75 65 2c 74 68 69 73 2e 73 65 74 28 6c 5b 30 5d 2c 6c 5b 31 5d 29 7d 7d 3b 67 2e 70 72 6f 74 6f 74 79 70 65 2e 73 65 74 3d 66 75 6e 63 74 69 6f 6e 28 6b 2c 6c 29 7b 69 66 28 21 63 28 6b 29 29 74 68 72 6f 77 20 45 72 72 6f 72 28 22 69 22 29 3b 64 28 6b 29 3b 69 66 28 21 49 28 6b 2c 66 29 29 Data Ascii: );e("freeze");e("preventExtensions");e("seal");var h=0,g=function(k){this.g=(h+=Math.random()+1).toString();if(k){k=H(k);for(var l;!(l=k.next()).done;)l=l.value,this.set(l[0],l[1])}};g.prototype.set=function(k,l){if(!c(k))throw Error("i");d(k);if(!I(k,f))
2024-10-02 16:22:30 UTC	1969	IN	Data Raw: 75 72 6e 20 67 2e 76 61 6c 75 65 7d 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 2e 66 6f 72 45 61 63 68 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 66 6f 72 28 76 61 72 20 6c 3d 74 68 69 73 2e 65 6e 74 72 69 65 73 28 29 2c 6d 3b 21 28 6d 3d 6c 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6d 3d 0a 6d 2e 76 61 6c 75 65 2c 67 2e 63 61 6c 6c 28 6b 2c 6d 5b 31 5d 2c 6d 5b 30 5d 2c 74 68 69 73 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 5b 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 5d 3d 63 2e 70 72 6f 74 6f 74 79 70 65 2e 65 6e 74 72 69 65 73 3b 76 61 72 20 64 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 76 61 72 20 6c 3d 6b 26 26 74 79 70 65 6f 66 20 6b 3b 6c 3d 3d 22 6f 62 6a 65 63 74 22 7c 7c 6c 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 3f 62 2e 68 61 73 28 6b 29 Data Ascii: urn g.value})};c.prototype.forEach=function(g,k){for(var l=this.entries(),m;!(m=l.next()).done;)m=m.value,g.call(k,m[1],m[0],this)};c.prototype[Symbol.iterator]=c.prototype.entries;var d=function(g,k){var l=k&&typeof k;l=="object"\|\|l=="function"?b.has(k)
2024-10-02 16:22:30 UTC	1969	IN	Data Raw: 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 3f 61 3a 66 75 6e 63 74 69 6f 6e 28 62 29 7b 72 65 74 75 72 6e 20 74 79 70 65 6f 66 20 62 3d 3d 3d 22 6e 75 6d 62 65 72 22 26 26 69 73 4e 61 4e 28 62 29 7d 7d 29 3b 76 61 72 20 66 62 3d 66 62 7c 7c 7b 7d 2c 71 3d 74 68 69 73 7c 7c 73 65 6c 66 2c 67 62 3d 71 2e 5f 46 5f 74 6f 67 67 6c 65 73 7c 7c 5b 5d 2c 68 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 3d 61 2e 73 70 6c 69 74 28 22 2e 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 71 2c 63 3d 30 3b 63 3c 61 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 69 66 28 62 3d 62 5b 61 5b 63 5d 5d 2c 62 3d 3d 6e 75 6c 6c 29 72 65 74 75 72 6e 20 6e 75 6c 6c 3b 72 65 74 75 72 6e 20 62 7d 2c 69 62 3d 22 63 6c 6f 73 75 72 65 5f 75 69 64 5f 22 2b 28 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2a 31 45 Data Ascii: on(a){return a?a:function(b){return typeof b==="number"&&isNaN(b)}});var fb=fb\|\|{},q=this\|\|self,gb=q._F_toggles\|\|[],hb=function(a){a=a.split(".");for(var b=q,c=0;c<a.length;c++)if(b=b[a[c]],b==null)return null;return b},ib="closure_uid_"+(Math.random()*1E
2024-10-02 16:22:30 UTC	1969	IN	Data Raw: 74 65 78 74 5f 5f 39 38 34 33 38 32 3d 7b 7d 29 3b 61 2e 5f 5f 63 6c 6f 73 75 72 65 5f 5f 65 72 72 6f 72 5f 5f 63 6f 6e 74 65 78 74 5f 5f 39 38 34 33 38 32 2e 73 65 76 65 72 69 74 79 3d 62 7d 3b 76 61 72 20 71 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 63 3d 63 7c 7c 71 3b 76 61 72 20 64 3d 63 2e 6f 6e 65 72 72 6f 72 2c 65 3d 21 21 62 3b 63 2e 6f 6e 65 72 72 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 66 2c 68 2c 67 2c 6b 2c 6c 29 7b 64 26 26 64 28 66 2c 68 2c 67 2c 6b 2c 6c 29 3b 61 28 7b 6d 65 73 73 61 67 65 3a 66 2c 66 69 6c 65 4e 61 6d 65 3a 68 2c 6c 69 6e 65 3a 67 2c 6c 69 6e 65 4e 75 6d 62 65 72 3a 67 2c 63 61 3a 6b 2c 65 72 72 6f 72 3a 6c 7d 29 3b 72 65 74 75 72 6e 20 65 7d 7d 2c 74 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3d 68 Data Ascii: text__984382={});a.__closure__error__context__984382.severity=b};var qb=function(a,b,c){c=c\|\|q;var d=c.onerror,e=!!b;c.onerror=function(f,h,g,k,l){d&&d(f,h,g,k,l);a({message:f,fileName:h,line:g,lineNumber:g,ca:k,error:l});return e}},tb=function(a){var b=h
2024-10-02 16:22:30 UTC	1969	IN	Data Raw: 22 6e 75 6d 62 65 72 22 3a 66 3d 53 74 72 69 6e 67 28 66 29 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 66 3d 66 3f 22 74 72 75 65 22 3a 22 66 61 6c 73 65 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 66 75 6e 63 74 69 6f 6e 22 3a 66 3d 28 66 3d 73 62 28 66 29 29 3f 66 3a 22 5b 66 6e 5d 22 3b 62 72 65 61 6b 3b 64 65 66 61 75 6c 74 3a 66 3d 0a 74 79 70 65 6f 66 20 66 7d 66 2e 6c 65 6e 67 74 68 3e 34 30 26 26 28 66 3d 66 2e 73 6c 69 63 65 28 30 2c 34 30 29 2b 22 2e 2e 2e 22 29 3b 63 2e 70 75 73 68 28 66 29 7d 62 2e 70 75 73 68 28 61 29 3b 63 2e 70 75 73 68 28 22 29 5c 6e 22 29 3b 74 72 79 7b 63 2e 70 75 73 68 28 77 62 28 61 2e 63 61 6c 6c 65 72 2c 62 29 29 7d 63 61 74 63 68 28 68 29 7b 63 2e 70 75 73 68 28 22 5b 65 78 63 65 70 74 69 6f 6e Data Ascii: "number":f=String(f);break;case "boolean":f=f?"true":"false";break;case "function":f=(f=sb(f))?f:"[fn]";break;default:f=typeof f}f.length>40&&(f=f.slice(0,40)+"...");c.push(f)}b.push(a);c.push(")\n");try{c.push(wb(a.caller,b))}catch(h){c.push("[exception

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49734	172.217.18.110	443	2784	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:22:31 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 16:22:31 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 16:22:31 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49735	172.217.18.110	443	2784	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:22:31 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 16:22:31 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 16:22:31 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49741	172.217.18.110	443	2784	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:22:32 UTC	1112	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 518 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 16:22:32 UTC	518	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 36 31 34 39 38 36 36 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727886149866",null,null,null
2024-10-02 16:22:32 UTC	933	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=VSZRfBxAhiXlK1-s8Sz6-N3vAXuGtySPWN3VWcxiXXH56e3qaXhAUd8Dgz8cZoxrHTR3GGgV6ut9wZSmWEzMKPQkncpnrLwiGGpUPBzZwdj3-EQnnxfYU7TkUAQZDIcBuOnQh_DQhZhbyH8_pm-NfvWTsq5232xnknnn46vuYtRQCOu-vac; expires=Thu, 03-Apr-2025 16:22:32 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 16:22:32 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Wed, 02 Oct 2024 16:22:32 GMT Connection: close Transfer-Encoding: chunked
2024-10-02 16:22:32 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 16:22:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49740	172.217.18.110	443	2784	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:22:32 UTC	1112	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 518 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 16:22:32 UTC	518	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 36 31 34 39 37 39 32 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727886149792",null,null,null
2024-10-02 16:22:32 UTC	932	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=gxjM_liNSBHx7urukYQZvBbgchk4hE3lpoGI_9HvFvtFNO8kgSCQG7EBfU2QNGcRYiABuixNMEx4jFO2J-OSfEnFqhCKbgn8us8pb2ztvJ9L1PWYJpKewjKFTkRCXr3s3ETEmLZyvgrzKJsRGuAbid-8Pg-XG5GOT_IR9Lh5ikzttpFbhg; expires=Thu, 03-Apr-2025 16:22:32 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 16:22:32 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Wed, 02 Oct 2024 16:22:32 GMT Connection: close Transfer-Encoding: chunked
2024-10-02 16:22:32 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 16:22:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49711	142.250.184.228	443	2784	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:22:32 UTC	1201	OUT	GET /favicon.ico HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=gxjM_liNSBHx7urukYQZvBbgchk4hE3lpoGI_9HvFvtFNO8kgSCQG7EBfU2QNGcRYiABuixNMEx4jFO2J-OSfEnFqhCKbgn8us8pb2ztvJ9L1PWYJpKewjKFTkRCXr3s3ETEmLZyvgrzKJsRGuAbid-8Pg-XG5GOT_IR9Lh5ikzttpFbhg
2024-10-02 16:22:33 UTC	705	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable" Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]} Content-Length: 5430 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Wed, 02 Oct 2024 15:37:10 GMT Expires: Thu, 10 Oct 2024 15:37:10 GMT Cache-Control: public, max-age=691200 Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT Content-Type: image/x-icon Vary: Accept-Encoding Age: 2723 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-02 16:22:33 UTC	685	IN	Data Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 30 fd fd fd 96 fd fd fd d8 fd fd fd f9 fd fd fd f9 fd fd fd d7 fd fd fd 94 fe fe fe 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 95 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd c1 ff ff ff ff fa fd f9 ff b4 d9 a7 ff 76 ba 5d ff 58 ab 3a ff 58 aa 3a ff 72 b8 59 ff ac d5 9d ff f8 fb f6 ff ff Data Ascii: h& ( 0.v]X:X:rY
2024-10-02 16:22:33 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d8 fd fd fd 99 ff ff ff ff 92 cf fb ff 37 52 ec ff 38 46 ea ff d0 d4 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 96 fe fe fe 32 ff ff ff ff f9 f9 fe ff 56 62 ed ff 35 43 ea ff 3b 49 eb ff 95 9c f4 ff cf d2 fa ff d1 d4 fa ff 96 9d f4 ff 52 5e ed ff e1 e3 fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 30 00 00 00 00 fd fd fd 9d ff ff ff ff e8 ea fd ff 58 63 ee ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 6c 76 f0 ff ff ff ff ff ff ff ff ff fd fd fd 98 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd c3 ff ff ff ff f9 f9 fe ff a5 ac f6 ff 5d 69 ee ff 3c 4a Data Ascii: 7R8F2Vb5C;IR^0Xc5C5C5C5C5C5Clv]i<J
2024-10-02 16:22:33 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff fd fd fd d0 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd fd fd 8b ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b1 d8 a3 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 60 a5 35 ff ca 8e 3e ff f9 c1 9f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 87 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 25 fd fd fd fb ff ff ff ff ff ff ff ff ff ff ff ff c2 e0 b7 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 6e b6 54 ff 9f ce 8d ff b7 da aa ff b8 db ab ff a5 d2 95 ff 7b bc 64 ff 54 a8 35 ff 53 a8 34 ff 77 a0 37 ff e3 89 41 ff f4 85 42 ff f4 85 42 ff Data Ascii: S4S4S4S4S4S4S4S4S4S4S4S4S4S4`5>%S4S4S4S4S4S4nT{dT5S4w7ABB
2024-10-02 16:22:33 UTC	1390	IN	Data Raw: ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff fb d5 bf ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd ea fd fd fd cb ff ff ff ff ff ff ff ff ff ff ff ff 46 cd fc ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 21 ae f9 ff fb fb ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd c8 fd fd fd 9c ff ff ff ff ff ff ff ff ff ff ff ff 86 df fd ff 05 bc fb ff 05 bc fb ff 15 93 f5 ff 34 49 eb ff b3 b8 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: BBBBBBF!4I
2024-10-02 16:22:33 UTC	575	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d2 fe fe fe 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd 8d fd fd fd fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd fb fd fd fd 8b fe fe fe 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 27 fd fd fd 9f fd fd fd f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: $'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49747	20.114.59.183	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:22:36 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=UG1wZ2T6gmUyRvM&MD=UuCePC+o HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-02 16:22:37 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: a0af75dd-fcc2-487c-8ba7-bab218721dc5 MS-RequestId: 849e2f2e-073c-46e7-81a9-e757b370ed94 MS-CV: LCxUiNu7xkuD6Ak+.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 02 Oct 2024 16:22:36 GMT Connection: close Content-Length: 24490
2024-10-02 16:22:37 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-10-02 16:22:37 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49753	172.217.18.110	443	2784	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:22:39 UTC	1286	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1221 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=gxjM_liNSBHx7urukYQZvBbgchk4hE3lpoGI_9HvFvtFNO8kgSCQG7EBfU2QNGcRYiABuixNMEx4jFO2J-OSfEnFqhCKbgn8us8pb2ztvJ9L1PWYJpKewjKFTkRCXr3s3ETEmLZyvgrzKJsRGuAbid-8Pg-XG5GOT_IR9Lh5ikzttpFbhg
2024-10-02 16:22:39 UTC	1221	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 34 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 35 35 38 2c 5b 5b 22 31 37 32 37 38 38 36 31 34 37 30 30 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,null,null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[4,0,0,0,0]]],558,[["1727886147000",null,null,null,
2024-10-02 16:22:39 UTC	940	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=NWW_YxLjDcEuam2o5qbgAMvUqXHXN-bwAHbkkp4_iIogo71DYkwE5LZw637G2JXXl0XJQjf1IdsFyXd9L2ii-DKzQgim0vZmCdOQfiohQcvDbKRvq1ucIM5PLb10Byo9V01_6yOC499VhYigjiwhElEPZtXo1vgtB5ijDLpZDJZqBy2BT-yQRnUX1A; expires=Thu, 03-Apr-2025 16:22:39 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 16:22:39 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Wed, 02 Oct 2024 16:22:39 GMT Connection: close Transfer-Encoding: chunked
2024-10-02 16:22:39 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 16:22:39 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49754	172.217.18.110	443	2784	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:23:01 UTC	1317	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1493 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=NWW_YxLjDcEuam2o5qbgAMvUqXHXN-bwAHbkkp4_iIogo71DYkwE5LZw637G2JXXl0XJQjf1IdsFyXd9L2ii-DKzQgim0vZmCdOQfiohQcvDbKRvq1ucIM5PLb10Byo9V01_6yOC499VhYigjiwhElEPZtXo1vgtB5ijDLpZDJZqBy2BT-yQRnUX1A
2024-10-02 16:23:01 UTC	1493	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 36 31 38 30 31 31 31 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727886180111",null,null,null
2024-10-02 16:23:01 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 16:23:01 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 16:23:01 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 16:23:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	49755	172.217.18.110	443	2784	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:23:01 UTC	1317	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1480 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=NWW_YxLjDcEuam2o5qbgAMvUqXHXN-bwAHbkkp4_iIogo71DYkwE5LZw637G2JXXl0XJQjf1IdsFyXd9L2ii-DKzQgim0vZmCdOQfiohQcvDbKRvq1ucIM5PLb10Byo9V01_6yOC499VhYigjiwhElEPZtXo1vgtB5ijDLpZDJZqBy2BT-yQRnUX1A
2024-10-02 16:23:01 UTC	1480	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 36 31 38 30 31 31 34 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727886180114",null,null,null
2024-10-02 16:23:03 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 16:23:03 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 16:23:03 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 16:23:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	49756	172.217.18.110	443	2784	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:23:02 UTC	1276	OUT	POST /log?hasfast=true&authuser=0&format=json HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 863 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.134" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=NWW_YxLjDcEuam2o5qbgAMvUqXHXN-bwAHbkkp4_iIogo71DYkwE5LZw637G2JXXl0XJQjf1IdsFyXd9L2ii-DKzQgim0vZmCdOQfiohQcvDbKRvq1ucIM5PLb10Byo9V01_6yOC499VhYigjiwhElEPZtXo1vgtB5ijDLpZDJZqBy2BT-yQRnUX1A
2024-10-02 16:23:02 UTC	863	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 62 6f 71 5f 69 64 65 6e 74 69 74 79 66 72 6f 6e 74 65 6e 64 61 75 74 68 75 69 73 65 72 76 65 72 5f 32 30 32 34 30 39 32 39 2e 30 37 5f 70 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 33 2c 30 2c 30 Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"boq_identityfrontendauthuiserver_20240929.07_p0",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[3,0,0
2024-10-02 16:23:02 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 16:23:02 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 16:23:02 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 16:23:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	49757	20.114.59.183	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:23:15 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=UG1wZ2T6gmUyRvM&MD=UuCePC+o HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-02 16:23:15 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: 6b638586-63bf-4846-a5ac-d724d70698cc MS-RequestId: 2a9138f7-5a62-4be9-ab2e-15d2bb3a27a4 MS-CV: MfgjJ2ESakiGwRsq.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 02 Oct 2024 16:23:15 GMT Connection: close Content-Length: 30005
2024-10-02 16:23:15 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-10-02 16:23:15 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.6	49760	216.58.206.78	443	2784	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:23:32 UTC	1317	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1099 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=NWW_YxLjDcEuam2o5qbgAMvUqXHXN-bwAHbkkp4_iIogo71DYkwE5LZw637G2JXXl0XJQjf1IdsFyXd9L2ii-DKzQgim0vZmCdOQfiohQcvDbKRvq1ucIM5PLb10Byo9V01_6yOC499VhYigjiwhElEPZtXo1vgtB5ijDLpZDJZqBy2BT-yQRnUX1A
2024-10-02 16:23:32 UTC	1099	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 36 32 31 30 36 35 33 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727886210653",null,null,null
2024-10-02 16:23:32 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 16:23:32 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 16:23:32 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 16:23:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.6	49762	216.58.206.78	443	2784	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:23:34 UTC	1317	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1216 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=NWW_YxLjDcEuam2o5qbgAMvUqXHXN-bwAHbkkp4_iIogo71DYkwE5LZw637G2JXXl0XJQjf1IdsFyXd9L2ii-DKzQgim0vZmCdOQfiohQcvDbKRvq1ucIM5PLb10Byo9V01_6yOC499VhYigjiwhElEPZtXo1vgtB5ijDLpZDJZqBy2BT-yQRnUX1A
2024-10-02 16:23:34 UTC	1216	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 36 32 31 33 31 39 36 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727886213196",null,null,null
2024-10-02 16:23:34 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 16:23:34 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 16:23:34 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 16:23:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	49764	216.58.206.78	443	2784	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:24:04 UTC	1317	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1311 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=NWW_YxLjDcEuam2o5qbgAMvUqXHXN-bwAHbkkp4_iIogo71DYkwE5LZw637G2JXXl0XJQjf1IdsFyXd9L2ii-DKzQgim0vZmCdOQfiohQcvDbKRvq1ucIM5PLb10Byo9V01_6yOC499VhYigjiwhElEPZtXo1vgtB5ijDLpZDJZqBy2BT-yQRnUX1A
2024-10-02 16:24:04 UTC	1311	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 36 32 34 33 30 36 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727886243060",null,null,null
2024-10-02 16:24:04 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 16:24:04 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 16:24:04 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 16:24:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.6	49765	216.58.206.78	443	2784	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:24:04 UTC	1317	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1455 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=NWW_YxLjDcEuam2o5qbgAMvUqXHXN-bwAHbkkp4_iIogo71DYkwE5LZw637G2JXXl0XJQjf1IdsFyXd9L2ii-DKzQgim0vZmCdOQfiohQcvDbKRvq1ucIM5PLb10Byo9V01_6yOC499VhYigjiwhElEPZtXo1vgtB5ijDLpZDJZqBy2BT-yQRnUX1A
2024-10-02 16:24:04 UTC	1455	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 36 32 34 33 32 39 31 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727886243291",null,null,null
2024-10-02 16:24:04 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 16:24:04 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 16:24:04 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 16:24:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	12:22:16
Start date:	02/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x520000
File size:	918'528 bytes
MD5 hash:	6695B4F09FE9D39C9BE1FD74E89ECC19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:22:16
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x2e0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:22:16
Start date:	02/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:22:17
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	12:22:18
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1920,i,15775063943699427180,18124123659380723990,262144 /prefetch:8
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	12:22:29
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5428 --field-trial-handle=1920,i,15775063943699427180,18124123659380723990,262144 /prefetch:8
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	12:22:29
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3244 --field-trial-handle=1920,i,15775063943699427180,18124123659380723990,262144 /prefetch:8
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8%
Total number of Nodes:	1629
Total number of Limit Nodes:	54

Executed Functions

Function 005242DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0052430D

Part of subcall function 00526B57: _wcslen.LIBCMT ref: 00526B6A

GetCurrentProcess.KERNEL32(?,005BCB64,00000000,?,?), ref: 00524422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00524429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00524454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00524466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00524474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0052447B
GetSystemInfo.KERNEL32(?,?,?), ref: 005244A0

Strings

GetNativeSystemInfo, xrefs: 00524460
kernel32.dll, xrefs: 0052444F
|O, xrefs: 005636F8

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 8e154fcb1ff7ee2c0bcb183b8ee54448b5862f56fb0a3eb2ce12d5340cc3991e
Instruction ID: 634ed63fd6c5471e90315c75f9be1f648740376b7fbd3a86bef8235f9387a102
Opcode Fuzzy Hash: 8e154fcb1ff7ee2c0bcb183b8ee54448b5862f56fb0a3eb2ce12d5340cc3991e
Instruction Fuzzy Hash: E3A1A26690AAD4DFCB11E76DBC411B97FE4BB36340B184C99D081D3AE6D228460CEF6D

Function 005242A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,005250AA,?,?,00000000,00000000), ref: 005242B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,005250AA,?,?,00000000,00000000), ref: 005242C9
LoadResource.KERNEL32(?,00000000,?,?,005250AA,?,?,00000000,00000000,?,?,?,?,?,?,00524F20), ref: 005635BE
SizeofResource.KERNEL32(?,00000000,?,?,005250AA,?,?,00000000,00000000,?,?,?,?,?,?,00524F20), ref: 005635D3
LockResource.KERNEL32(005250AA,?,?,005250AA,?,?,00000000,00000000,?,?,?,?,?,?,00524F20,?), ref: 005635E6

Strings

SCRIPT, xrefs: 005242BF

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 984a5ec4e9443c2e1392755e9bd256fd9dfbeb6647bef2bb558f0b30612d8bf4
Instruction ID: cf57b36ddd241ce4f313d1e890833911f8b5d62459f0f1f7c47683d91796638f
Opcode Fuzzy Hash: 984a5ec4e9443c2e1392755e9bd256fd9dfbeb6647bef2bb558f0b30612d8bf4
Instruction Fuzzy Hash: 16115A78200600EFDB218B66EC48F67BFB9FFD6B51F108269B44296290DB71E8049A20

Function 00562BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00522B6B

Part of subcall function 00523A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,005F1418,?,00522E7F,?,?,?,00000000), ref: 00523A78

Part of subcall function 00529CB3: _wcslen.LIBCMT ref: 00529CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,005E2224), ref: 00562C10
ShellExecuteW.SHELL32(00000000,?,?,005E2224), ref: 00562C17

Strings

runas, xrefs: 00562C0B

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 293ea4b7789493e30eca0c38be81010d6f03178df609d574adcd7bdf05789972
Instruction ID: 50afc52c83a98d087688158ab3ad58d41bab04da321c367117db7baa0e6d619e
Opcode Fuzzy Hash: 293ea4b7789493e30eca0c38be81010d6f03178df609d574adcd7bdf05789972
Instruction Fuzzy Hash: 0D11A231108256AACB04FF60F8599BE7FA4BFE6340F44182DF182571E2DF298A09D752

Function 005AA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 005AA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 005AA6BA

Part of subcall function 00529CB3: _wcslen.LIBCMT ref: 00529CBD

Process32NextW.KERNEL32(00000000,?), ref: 005AA79C
CloseHandle.KERNELBASE(00000000), ref: 005AA7AB

Part of subcall function 0053CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00563303,?), ref: 0053CE8A

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 62392b554ac10521f3d2f747bf439ca10d8474d811daf1c667cd36718aee541a
Instruction ID: 0884d86eb73eb2628b7b2bafda021028d55520ef7fe6417f3e489870932fa895
Opcode Fuzzy Hash: 62392b554ac10521f3d2f747bf439ca10d8474d811daf1c667cd36718aee541a
Instruction Fuzzy Hash: 7A511A71508311AFD710DF24D88AA6BBBE8FFCA754F00492DF58597291EB30E904CB92

Function 0058DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00565222), ref: 0058DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0058DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0058DBEE
FindClose.KERNEL32(00000000), ref: 0058DBFA

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 1542d740702297aa0fd6ed599dac4f2788d7d0ff33f7a2a7183d08b05ed658fc
Instruction ID: 0d100c176026180ae9169d207f860f692a4ec0a39326730937d9c59cf095ce66
Opcode Fuzzy Hash: 1542d740702297aa0fd6ed599dac4f2788d7d0ff33f7a2a7183d08b05ed658fc
Instruction Fuzzy Hash: BDF0A030810910578220BB7CAC0D8AA7FBCAF41334B104702F876E20E0EBB06D58DAA9

Function 00544CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(005528E9,?,00544CBE,005528E9,005E88B8,0000000C,00544E15,005528E9,00000002,00000000,?,005528E9), ref: 00544D09
TerminateProcess.KERNEL32(00000000,?,00544CBE,005528E9,005E88B8,0000000C,00544E15,005528E9,00000002,00000000,?,005528E9), ref: 00544D10
ExitProcess.KERNEL32 ref: 00544D22

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: d61d3f07d13f31ac19f38e5403948f44730ae360eff9e533d2c0b6c82957f600
Instruction ID: 09101f74300c55828b291a5f21ab734a84c00d91090503c4b86a725d308386d6
Opcode Fuzzy Hash: d61d3f07d13f31ac19f38e5403948f44730ae360eff9e533d2c0b6c82957f600
Instruction Fuzzy Hash: B1E0B631440149ABCF51AF54DD19A983FA9FB91785B504518FC099B122CB35ED46DE84

Function 0052BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#_, xrefs: 005707CE

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#_
API String ID: 3964851224-4006447686
Opcode ID: 0cd18dc0a391b9dc223ae7b3530ea1255d2093cadeb63c09c5db0d8c8c3f861b
Instruction ID: 706464093d12163307a1e896a542573f299b05a194d66d98bf5eb139727bc6c1
Opcode Fuzzy Hash: 0cd18dc0a391b9dc223ae7b3530ea1255d2093cadeb63c09c5db0d8c8c3f861b
Instruction Fuzzy Hash: F6A24771608311CFD724CF18D484B2ABFE1BF8A304F14896DE99A9B392D771E845DB92

Function 005AAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 005AB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 005AB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 005AB1D4
_wcslen.LIBCMT ref: 005AB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 005AB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 005AB236
_wcslen.LIBCMT ref: 005AB332

Part of subcall function 005905A7: GetStdHandle.KERNEL32(000000F6), ref: 005905C6

_wcslen.LIBCMT ref: 005AB34B
_wcslen.LIBCMT ref: 005AB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 005AB3B6
GetLastError.KERNEL32(00000000), ref: 005AB407
CloseHandle.KERNEL32(?), ref: 005AB439
CloseHandle.KERNEL32(00000000), ref: 005AB44A
CloseHandle.KERNEL32(00000000), ref: 005AB45C
CloseHandle.KERNEL32(00000000), ref: 005AB46E
CloseHandle.KERNEL32(?), ref: 005AB4E3

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 12b44d71257231edb8077965fc816bf53cdaf5583fe52b41e61dc019938cb511
Instruction ID: b84e3178c70103e18e0c94d595398b6b6451f032438ed6e33e4ab149dab79991
Opcode Fuzzy Hash: 12b44d71257231edb8077965fc816bf53cdaf5583fe52b41e61dc019938cb511
Instruction Fuzzy Hash: 14F18A316042419FDB14EF24D885B6EBFE5BF8A314F14895DF8859B2A2DB31EC44CB92

Function 0052D730 Relevance: 21.6, APIs: 14, Instructions: 627windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0052D807
timeGetTime.WINMM ref: 0052DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0052DB28
TranslateMessage.USER32(?), ref: 0052DB7B
DispatchMessageW.USER32(?), ref: 0052DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0052DB9F
Sleep.KERNELBASE(0000000A), ref: 0052DBB1

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: cdaefbf2d6e4ad66b62698f483bb1ada22cd013b24bf758186d1ecef346d96dd
Instruction ID: 0bbfc8ece7826f931c6011413caaac85cc881b3e3e12e83f22d8ff573ab3d69a
Opcode Fuzzy Hash: cdaefbf2d6e4ad66b62698f483bb1ada22cd013b24bf758186d1ecef346d96dd
Instruction Fuzzy Hash: 6542E170604652DFD729CF24E848BAABFF4BF96300F148A19F459872D1D774E884DBA2

Function 00522CD4 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00522D07
RegisterClassExW.USER32(00000030), ref: 00522D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00522D42
InitCommonControlsEx.COMCTL32(?), ref: 00522D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00522D6F
LoadIconW.USER32(000000A9), ref: 00522D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00522D94

Strings

+, xrefs: 00522CF0
hF, xrefs: 00522D80, 00522D8E
AutoIt v3 GUI, xrefs: 00522D23
TaskbarCreated, xrefs: 00522D37
0, xrefs: 00522CE9

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated$hF
API String ID: 2914291525-2605555938
Opcode ID: 27be53318bdbaa4914c7be955449a8919a6111ab3933a76580a60c12e5288d5a
Instruction ID: 20fb9f7c750fe6cbf190dcaa84e2b3bb68d4fae14c14c2740285eca30142741a
Opcode Fuzzy Hash: 27be53318bdbaa4914c7be955449a8919a6111ab3933a76580a60c12e5288d5a
Instruction Fuzzy Hash: 9F21E5B5901208EFDB40DFA4E949BEDBFB4FB18700F00421AF511E62A0D7B51548DF98

Function 0056065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0056039A: CreateFileW.KERNELBASE(00000000,00000000,?,00560704,?,?,00000000,?,00560704,00000000,0000000C), ref: 005603B7

GetLastError.KERNEL32 ref: 0056076F
__dosmaperr.LIBCMT ref: 00560776
GetFileType.KERNELBASE(00000000), ref: 00560782
GetLastError.KERNEL32 ref: 0056078C
__dosmaperr.LIBCMT ref: 00560795
CloseHandle.KERNEL32(00000000), ref: 005607B5
CloseHandle.KERNEL32(?), ref: 005608FF
GetLastError.KERNEL32 ref: 00560931
__dosmaperr.LIBCMT ref: 00560938

Strings

H, xrefs: 005608BD

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 0b1a583e2a46ad6d7a309eaa09e28163f89b21ed74a6747e9a85e64f9dc1ad66
Instruction ID: 651cbd961bf203190336d93fac3c473bb87be9b74fe957eea7b13a6f9716312c
Opcode Fuzzy Hash: 0b1a583e2a46ad6d7a309eaa09e28163f89b21ed74a6747e9a85e64f9dc1ad66
Instruction Fuzzy Hash: 89A14132A141098FDF19EF68DC55BAE3FA0FB46320F281159F811EB2D2DB349816CB91

Function 0052344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00523A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,005F1418,?,00522E7F,?,?,?,00000000), ref: 00523A78

Part of subcall function 00523357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00523379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0052356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0056318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 005631CE
RegCloseKey.ADVAPI32(?), ref: 00563210
_wcslen.LIBCMT ref: 00563277
_wcslen.LIBCMT ref: 00563286

Strings

Include, xrefs: 00563184, 005631C5
\, xrefs: 0056328C
\Include\, xrefs: 00523527
Software\AutoIt v3\AutoIt, xrefs: 00523560

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: e9006e7439ba83420a77dd3bbd0e2bf4b08edc0b273ff50c3548904eb2ba9fea
Instruction ID: d45a17d35de52009ed60591f3ac61506b3ad71738606f3543b2afa048855b8e5
Opcode Fuzzy Hash: e9006e7439ba83420a77dd3bbd0e2bf4b08edc0b273ff50c3548904eb2ba9fea
Instruction Fuzzy Hash: FB715AB14043169FC314EF65E8859ABBFE8BFA5740F50082EF545D71A0EB389A48DB61

Function 00522B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00522B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00522B9D
LoadIconW.USER32(00000063), ref: 00522BB3
LoadIconW.USER32(000000A4), ref: 00522BC5
LoadIconW.USER32(000000A2), ref: 00522BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00522BEF
RegisterClassExW.USER32(?), ref: 00522C40

Part of subcall function 00522CD4: GetSysColorBrush.USER32(0000000F), ref: 00522D07
Part of subcall function 00522CD4: RegisterClassExW.USER32(00000030), ref: 00522D31
Part of subcall function 00522CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00522D42
Part of subcall function 00522CD4: InitCommonControlsEx.COMCTL32(?), ref: 00522D5F
Part of subcall function 00522CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00522D6F
Part of subcall function 00522CD4: LoadIconW.USER32(000000A9), ref: 00522D85
Part of subcall function 00522CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00522D94

Strings

0, xrefs: 00522C0F
AutoIt v3, xrefs: 00522C2F
#, xrefs: 00522C16

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 53ee402d4383ad269ed17ac0352bfcab3177d29efb4cb261552c9207c6c04923
Instruction ID: ddff06a5016a9c62746d2f87b2fcc58f80842705598c62cce29e524154f0c940
Opcode Fuzzy Hash: 53ee402d4383ad269ed17ac0352bfcab3177d29efb4cb261552c9207c6c04923
Instruction Fuzzy Hash: 72214C70E00715EBDB109FA6EC49AA97FB4FB68B50F00041AF500E66E0D7B91548EF9C

Function 0052B710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0052BB4E

Strings

x#_, xrefs: 00570207
p%_, xrefs: 0052B8DC
p#_, xrefs: 00570263
p#_, xrefs: 0057024F
p#_, xrefs: 0052BB6B
p#_, xrefs: 0052BA72
p%_, xrefs: 0052BB32
x#_, xrefs: 00570168

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#_$p#_$p#_$p#_$p%_$p%_$x#_$x#_
API String ID: 1385522511-2767588913
Opcode ID: ebd6bf89b7708508b63036339b976bf76a70c64774e8b36fba0cab142e3acba9
Instruction ID: 0a7d6010e6da582066d14684d7f31bd3056c8060f046ce58850ec07a3ff04820
Opcode Fuzzy Hash: ebd6bf89b7708508b63036339b976bf76a70c64774e8b36fba0cab142e3acba9
Instruction Fuzzy Hash: 9A32BD75A0022ADFEB10CF54E898ABABFF5FF45300F148459E909AB2D1C778AD81DB51

Function 00523170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0052316A,?,?), ref: 005231D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0052316A,?,?), ref: 00523204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00523227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0052316A,?,?), ref: 00523232
CreatePopupMenu.USER32 ref: 00523246
PostQuitMessage.USER32(00000000), ref: 00523267

Strings

TaskbarCreated, xrefs: 0052322D

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 954c4173ab7fa807ad888f6c379d019d105bd5c23e86317b3af08fc64c7f57b1
Instruction ID: 520b3f19fa92a91a6d217f660f4c0f3c8d59bf3ca854b7b79e965da6877a659c
Opcode Fuzzy Hash: 954c4173ab7fa807ad888f6c379d019d105bd5c23e86317b3af08fc64c7f57b1
Instruction Fuzzy Hash: 2D412335200A29E7DB141B68ED0EB7D3E69FF57300F040529F942D61E2CB6E9A04E7A9

Function 00521410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00521459
CoUninitialize.COMBASE ref: 005214F8
UnregisterHotKey.USER32(?), ref: 005216DD
DestroyWindow.USER32(?), ref: 005624B9
FreeLibrary.KERNEL32(?), ref: 0056251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0056254B

Strings

close all, xrefs: 00521454

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 055543d01195c9a10e8987cf52e46b74dc90b2e1cc900d4f2951cc5bca911582
Instruction ID: 5afa59b49eca3959c08af8838d9195526e11da40b60d428a8e7dc0f4fae505e7
Opcode Fuzzy Hash: 055543d01195c9a10e8987cf52e46b74dc90b2e1cc900d4f2951cc5bca911582
Instruction Fuzzy Hash: D7D18F31701623CFDB29EF14D499A69FFA4BF66700F1442ADE44A6B2A1DB30AD12CF54

Function 00522C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00522C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00522CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00521CAD,?), ref: 00522CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00521CAD,?), ref: 00522CCF

Strings

AutoIt v3, xrefs: 00522C89, 00522C8E, 00522C8F
edit, xrefs: 00522CAC

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: f6eff5ac3bb35c33b76b9e101b8cce6578a4694a5eef364587836bdb6ae976de
Instruction ID: 5959e8ad3d42663b9fe8ee38c9a735e1a34374e644cda8a7e845e4181fc53ed8
Opcode Fuzzy Hash: f6eff5ac3bb35c33b76b9e101b8cce6578a4694a5eef364587836bdb6ae976de
Instruction Fuzzy Hash: 38F0D076540690BAE73117176C08E772EBDD7D7F60B00045DF900D65A0CA652858EA78

Function 005210F3 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 153
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00521BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00521BF4
Part of subcall function 00521BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00521BFC
Part of subcall function 00521BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00521C07
Part of subcall function 00521BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00521C12
Part of subcall function 00521BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00521C1A
Part of subcall function 00521BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00521C22

Part of subcall function 00521B4A: RegisterWindowMessageW.USER32(00000004,?,005212C4), ref: 00521BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0052136A
OleInitialize.OLE32 ref: 00521388
CloseHandle.KERNEL32(00000000,00000000), ref: 005624AB

Strings

x, xrefs: 0052117E
, xrefs: 005212AD

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: x$
API String ID: 1986988660-2655978130
Opcode ID: d2691fc94e12a71efa07b475c1c0fee5d9924e56034a0fa4a33857fa948e72bc
Instruction ID: e843846c92ae1cca355f3f65d471cd7ab6026f6ca7d0bc4ff8137418436d2d7f
Opcode Fuzzy Hash: d2691fc94e12a71efa07b475c1c0fee5d9924e56034a0fa4a33857fa948e72bc
Instruction Fuzzy Hash: 2D71D0B4901A05CFC784EF7AA9496753EE1FBF9384704452AD00ADB2A1EB39540CEF4C

Function 0058E97B Relevance: 7.5, APIs: 5, Instructions: 47
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0058E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0058E9A5
Sleep.KERNEL32(00000000), ref: 0058E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0058E9B7
Sleep.KERNELBASE ref: 0058E9F3

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: a09aaf47f958f957ecc4e425f7fec4bdcdd82b31e0af35e49f1dc358ec85b016
Instruction ID: 4a6fb057b2ce1c51ac7d3069e6628ffd4f1b98518c34545cd4d1a925f6cef4db
Opcode Fuzzy Hash: a09aaf47f958f957ecc4e425f7fec4bdcdd82b31e0af35e49f1dc358ec85b016
Instruction Fuzzy Hash: C0016931D01629DBCF40AFE8DC4AAEDBF78FF18301F000646E942B2241CB70A558DBA5

Function 00523B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00523B0F,SwapMouseButtons,00000004,?), ref: 00523B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00523B0F,SwapMouseButtons,00000004,?), ref: 00523B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00523B0F,SwapMouseButtons,00000004,?), ref: 00523B83

Strings

Control Panel\Mouse, xrefs: 00523B3E

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 10a7567818f093dcd66623e3d3a63fc4b19ddaf6bc8730c3e2288cc76b6df1e7
Instruction ID: 17d2950c5dcdef0d18312b527db4b03a00c12065a01d8853448e78923d71572d
Opcode Fuzzy Hash: 10a7567818f093dcd66623e3d3a63fc4b19ddaf6bc8730c3e2288cc76b6df1e7
Instruction Fuzzy Hash: 58112AB5511218FFDB208FA5EC88AAEBBB8FF05744B104959B805D7150E235AE44AB64

Function 00523923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 005633A2

Part of subcall function 00526B57: _wcslen.LIBCMT ref: 00526B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00523A04

Strings

Line: , xrefs: 005633EB

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 54002f2d7684d13059043d03c845a368631d9961531e2059a5f8d48ce919c7f1
Instruction ID: dd508f9a9ba7dc7e70929b0177568218288de0039df7a60a8b253b693ab2c7ef
Opcode Fuzzy Hash: 54002f2d7684d13059043d03c845a368631d9961531e2059a5f8d48ce919c7f1
Instruction Fuzzy Hash: FA31E471508325AAC725EB10EC49BEB7BD8BF92310F100D2AF599831D1EB789648CBC6

Function 00522DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00562C8C

Part of subcall function 00523AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00523A97,?,?,00522E7F,?,?,?,00000000), ref: 00523AC2

Part of subcall function 00522DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00522DC4

Strings

X, xrefs: 00562C5A
`e^, xrefs: 00562C85

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e^
API String ID: 779396738-1033855823
Opcode ID: cbdad7de7b1f777ffd1827e5174b73486487b826829948cdf34e7e591c0b2b47
Instruction ID: e0126f0dab516e1dfc13f83c5a06ca196514e0cdb13210d0815b8e3ff99e036c
Opcode Fuzzy Hash: cbdad7de7b1f777ffd1827e5174b73486487b826829948cdf34e7e591c0b2b47
Instruction Fuzzy Hash: B9219971A00258AFDF05DF94D8497EE7FFCBF99314F004059E445A7281DBB859498FA1

Function 0053FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00540668

Part of subcall function 005432A4: RaiseException.KERNEL32(?,?,?,0054068A,?,005F1444,?,?,?,?,?,?,0054068A,00521129,005E8738,00521129), ref: 00543304

__CxxThrowException@8.LIBVCRUNTIME ref: 00540685

Strings

Unknown exception, xrefs: 00540692

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: f30c650660514f7c54c6a8817dec857edde2d4c93fd63232d572d7c3fb597a00
Instruction ID: 778426b57a9426b50fb839311504533861ca9ad8db2614c1e37fca7ac8083943
Opcode Fuzzy Hash: f30c650660514f7c54c6a8817dec857edde2d4c93fd63232d572d7c3fb597a00
Instruction Fuzzy Hash: 06F0C83490020E778F04B665D84ECDD7F6CBE80318B704931B914965E1EF71DA25CA80

Function 0058C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00523923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00523A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0058C259
KillTimer.USER32(?,00000001,?,?), ref: 0058C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0058C270

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: e82e1776d4f432ddecbf51eb044e7140c7231e7af82ccd6f13e5cd8e38b71cd4
Instruction ID: c451568079bd3e8285aa61c0c7a657fc5042b66f60742215bc013de2421be312
Opcode Fuzzy Hash: e82e1776d4f432ddecbf51eb044e7140c7231e7af82ccd6f13e5cd8e38b71cd4
Instruction Fuzzy Hash: 3B31B674904354AFEB629F648855BE6BFECAB16304F00049DD5DAA7181C7746A88CB61

Function 005586AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,005585CC,?,005E8CC8,0000000C), ref: 00558704
GetLastError.KERNEL32(?,005585CC,?,005E8CC8,0000000C), ref: 0055870E
__dosmaperr.LIBCMT ref: 00558739

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: b172a2c0e234f7ee37b16458b108c6e4c7c8a47203fe001e6d853e8295fab210
Instruction ID: 638c7209d39285b16bcece34b1415fe27f823e37e31315501c9feebb30ba382a
Opcode Fuzzy Hash: b172a2c0e234f7ee37b16458b108c6e4c7c8a47203fe001e6d853e8295fab210
Instruction Fuzzy Hash: 15016B32A1522017D7606634A87977E2F49AFE1776F3A061BFC08AB1D2EEA18C8DC150

Function 0052DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0052DB7B
DispatchMessageW.USER32(?), ref: 0052DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0052DB9F
Sleep.KERNELBASE(0000000A), ref: 0052DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00571CC9

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: d54572a7198659e955e4c4dc0c522a03fe6deb7e4d23deb91c29190e061aeacf
Instruction ID: 0c57bdd89b2177e23cc279640442a0e78013dda284a2da849d55b8af49c792ca
Opcode Fuzzy Hash: d54572a7198659e955e4c4dc0c522a03fe6deb7e4d23deb91c29190e061aeacf
Instruction Fuzzy Hash: 26F05E306443449BEB70CBA09C59FEA7BBCFF95350F104A18E64AC30C0DB34A448EB29

Function 00531310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 005317F6

Strings

CALL, xrefs: 005317C6

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 0c229849468d4064c729092af871ab99ccef49c151281aba7e15cb335e9f714f
Instruction ID: 88093ce61c1b2cf18c336408d0888e3af9484511b3da8fc527768ec66267b9b6
Opcode Fuzzy Hash: 0c229849468d4064c729092af871ab99ccef49c151281aba7e15cb335e9f714f
Instruction Fuzzy Hash: 73228B706086029FC714DF24D485A2ABFF1BF89314F18896DF49A8B3A2D731E845DF96

Function 00523837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00523908

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 90e0b21ff82b8a3b49c0f0124ade2af91f8f514decb5066aca806e5484ce0de1
Instruction ID: d82c56289210cbb60891888f3f1e23f2d810cb8e1b190fc62ca9222b3b00c05b
Opcode Fuzzy Hash: 90e0b21ff82b8a3b49c0f0124ade2af91f8f514decb5066aca806e5484ce0de1
Instruction Fuzzy Hash: 30318D70605711CFD720DF24D8857A7BBE4FF5A308F00092EF59997280E775AA48DB56

Function 0053F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0053F661

Part of subcall function 0052D730: GetInputState.USER32 ref: 0052D807

Sleep.KERNEL32(00000000), ref: 0057F2DE

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: ed8f8a60d3b8389f4aa25c4472deade5f272f171c964edc2a60054c2bd9365d6
Instruction ID: 70be431fbe8ab8690082784baee9c17e04b1945dc71ddd65460c417aa1398589
Opcode Fuzzy Hash: ed8f8a60d3b8389f4aa25c4472deade5f272f171c964edc2a60054c2bd9365d6
Instruction Fuzzy Hash: A7F082312406169FD350EF69E449B5ABFE4FF96760F004129E859CB2A1DB70B800CB94

Function 005B13B7 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000001,?), ref: 005B1420

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 3300cb3e7267d3a62627d424d27558c232f21bd95b0d15b7097fb4ef1199b930
Instruction ID: 78bdc53e9076258e261416b2aa039ceb1226d074768e2e86f89a490119756610
Opcode Fuzzy Hash: 3300cb3e7267d3a62627d424d27558c232f21bd95b0d15b7097fb4ef1199b930
Instruction Fuzzy Hash: 3631BD30204603AFCB54EF29C499BA9BBA2FF85324F548168E8164B282DB71FC40CBD0

Function 00524ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00524E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00524EDD,?,005F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00524E9C
Part of subcall function 00524E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00524EAE
Part of subcall function 00524E90: FreeLibrary.KERNEL32(00000000,?,?,00524EDD,?,005F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00524EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,005F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00524EFD

Part of subcall function 00524E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00563CDE,?,005F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00524E62
Part of subcall function 00524E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00524E74
Part of subcall function 00524E59: FreeLibrary.KERNEL32(00000000,?,?,00563CDE,?,005F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00524E87

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 09f8cf7b91457a60e3ff6522e30b91a68f96ad66feae440c8c57ec352b04326d
Instruction ID: 73a860ce978a574a42a8edb7a3a78d911cf6315594de8b9ae1dfadbb5265f6c8
Opcode Fuzzy Hash: 09f8cf7b91457a60e3ff6522e30b91a68f96ad66feae440c8c57ec352b04326d
Instruction Fuzzy Hash: CC112731600216AADF24AB60ED0AFED7FA4BFD1710F10442DF542A62C1EE709E049F50

Function 00558402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00558440

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 8d267d4f6414a340bde614df07fc48e0d9bcfe424d5f8b379c80c15a0c5ae5ff
Instruction ID: 70afacacd3a20fc7b22d1fa087a1ff7e90d6aaa394bba8a954839d992116ec06
Opcode Fuzzy Hash: 8d267d4f6414a340bde614df07fc48e0d9bcfe424d5f8b379c80c15a0c5ae5ff
Instruction Fuzzy Hash: 1911367190410AAFCF05DF58E9409AA7BF9FF48304F14445AFC09AB312DA30DA15CBA4

Function 00555000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00554C7D: RtlAllocateHeap.NTDLL(00000008,00521129,00000000,?,00552E29,00000001,00000364,?,?,?,0054F2DE,00553863,005F1444,?,0053FDF5,?), ref: 00554CBE

_free.LIBCMT ref: 0055506C

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 1eb54372ca6f326e78206fcd251960e38803e41c700b9bd8ae404d41ed582db4
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: F7012B722047059BE3218E55D85995AFFE8FBC5371F65051EE984932C0E6306809C774

Function 005B29BF Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?,?,?,005B14B5,?), ref: 005B2A01

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 53e09c35fd2f5db39eafb1266fc1708e74db1d103c37b2fd3ef83d10fe733d2a
Instruction ID: 1b9c8245b37671d9bff3e632a11bfa65da43861e697e218211f089539393f7da
Opcode Fuzzy Hash: 53e09c35fd2f5db39eafb1266fc1708e74db1d103c37b2fd3ef83d10fe733d2a
Instruction Fuzzy Hash: 9701D836300A429FD324CA2DC454BA23F92FBC5314F698568C04B8B251DB72FC82C7B0

Function 0054E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: d929fa189da14bc73dda6f967e1f828fc7c3e8532cfcf214278737a57574ff27
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: C4F0F932510A1196C7313A79AC1EBD73F9CBFD3339F110B16F825931D1CB7498058AA5

Function 00554C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00521129,00000000,?,00552E29,00000001,00000364,?,?,?,0054F2DE,00553863,005F1444,?,0053FDF5,?), ref: 00554CBE

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e81dedb40f859857c452c60578f03ee2fea4f20601f4b2de2a5c4d563e25ad97
Instruction ID: a57a0eb50cbf30d3968c749f5a4e65d40bf26bb0a55df9671e7d2d3275698b26
Opcode Fuzzy Hash: e81dedb40f859857c452c60578f03ee2fea4f20601f4b2de2a5c4d563e25ad97
Instruction Fuzzy Hash: 88F0E93161622567DB215F769C19B9A3F88BFD17AEB144123BC15E7281CA70DC489EE0

Function 00553820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,005F1444,?,0053FDF5,?,?,0052A976,00000010,005F1440,005213FC,?,005213C6,?,00521129), ref: 00553852

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f7e92245e35af8116e65b7d556f6d8d3b6508f285aebe6560c9d2fcbb060215e
Instruction ID: 864618f5f8f1b19b81483d5689b5d00bd280df64d24e29d3528ed98c749f8b0c
Opcode Fuzzy Hash: f7e92245e35af8116e65b7d556f6d8d3b6508f285aebe6560c9d2fcbb060215e
Instruction Fuzzy Hash: FDE0E531102225A6D73526769C24BDA3E48BB827F6F050123BC1CA3580CB51DD0986E1

Function 00524F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,005F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00524F6D

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: e0c6e5b1f7e3c87e55f456507bf7c43fdfccf97751c7761460777ed2f9c30e1c
Instruction ID: 65124cd8997748f8e44e6e97020e4ab3193f975df4e97e38ca37e9fbf17ec8df
Opcode Fuzzy Hash: e0c6e5b1f7e3c87e55f456507bf7c43fdfccf97751c7761460777ed2f9c30e1c
Instruction Fuzzy Hash: 29F03071105762CFDB349F64E594812BFE4FF553197108D7EE1EA82651C7319844DF10

Function 005B2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 005B2A66

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 95cacd1e1a167ee87dd1d3ae316cc34b93ba9e312f88c8182ff6dbaecd24c9be
Instruction ID: 89bf5e04b6fd137a4beb8b4605ae9bdc86d0ff53e3f47620421d27bcd78e09b3
Opcode Fuzzy Hash: 95cacd1e1a167ee87dd1d3ae316cc34b93ba9e312f88c8182ff6dbaecd24c9be
Instruction Fuzzy Hash: 70E04F36350117AAC754EE30DC858FE7F5CFB90395B104536EC26D2110DB70A99596B4

Function 005230F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0052314E

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 01a134bfb1d71b70a3291eb2ac856e0306185c66ff8bbce3efae8f39294034c3
Instruction ID: 24764e55e5f740d04e3db2f6914e94c79414d5a5a2c6acfdcb5d1039afbc2c7e
Opcode Fuzzy Hash: 01a134bfb1d71b70a3291eb2ac856e0306185c66ff8bbce3efae8f39294034c3
Instruction Fuzzy Hash: 9CF082709003189FEB529B24DC4ABEA7ABCAB01708F0000E5A148D6182DB745B88CB45

Function 00522DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00522DC4

Part of subcall function 00526B57: _wcslen.LIBCMT ref: 00526B6A

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 516b7a5c161ae9f672d38edc0643d4eddc8744e3c879c5a736771451fb957513
Instruction ID: 9271567be64fdd4b46b4f5eea9e0c09fefbefeef6a109bb2c2c656bfb2914076
Opcode Fuzzy Hash: 516b7a5c161ae9f672d38edc0643d4eddc8744e3c879c5a736771451fb957513
Instruction Fuzzy Hash: 8BE0CD766001245BC7209258DC09FEABBDDEFC8790F040171FD49D7248D960AD848554

Function 00522B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00523837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00523908

Part of subcall function 0052D730: GetInputState.USER32 ref: 0052D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00522B6B

Part of subcall function 005230F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0052314E

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 16b8bda47438148dd3db84409f029f90b7663ab8d863ab52b2f9b1fd70056d62
Instruction ID: 6f672225d0d469cb57b14b417b7ee7600d7ef2fb15a8184fdb04c045e284b9da
Opcode Fuzzy Hash: 16b8bda47438148dd3db84409f029f90b7663ab8d863ab52b2f9b1fd70056d62
Instruction Fuzzy Hash: 7DE0262130022A02CB08BB34B81E5BDAF99FFE3351F40053EF142831E2CE2D46498261

Function 0056039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00560704,?,?,00000000,?,00560704,00000000,0000000C), ref: 005603B7

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 328031fb24ecfd9e6dd6d26c144e67db2df1e4a2dee0fdab891d2dd26d3b0dd2
Instruction ID: 6e2fc4586c862c9532894bc04ea94dfe61e5ebdc99610de2b9bf650625aa78d9
Opcode Fuzzy Hash: 328031fb24ecfd9e6dd6d26c144e67db2df1e4a2dee0fdab891d2dd26d3b0dd2
Instruction Fuzzy Hash: 0AD06C3204010DBBDF028F84DD06EDA3FAAFB48714F014100BE1866020C732E821EB94

Function 00521CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00521CBC

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: c9ac89450a85772bd694e50039e24bac42d50e94cd46ffee9f53bff597319c5e
Instruction ID: 0497e169268d9c5bc48108bc674d0615fe4c133f5ae5c2e8461cf896320716fb
Opcode Fuzzy Hash: c9ac89450a85772bd694e50039e24bac42d50e94cd46ffee9f53bff597319c5e
Instruction Fuzzy Hash: E8C09236280705EFF2248B80BC4AF207B65A368B01F048401F609E95E3C3A62828FA68

Non-executed Functions

Function 005B9576 Relevance: 75.9, APIs: 39, Strings: 4, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00539BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00539BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 005B961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 005B965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 005B969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005B96C9
SendMessageW.USER32 ref: 005B96F2
GetKeyState.USER32(00000011), ref: 005B978B
GetKeyState.USER32(00000009), ref: 005B9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 005B97AE
GetKeyState.USER32(00000010), ref: 005B97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005B97E9
SendMessageW.USER32 ref: 005B9810
SendMessageW.USER32(?,00001030,?,005B7E95), ref: 005B9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 005B992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 005B9941
SetCapture.USER32(?), ref: 005B994A
ClientToScreen.USER32(?,?), ref: 005B99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 005B99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005B99D6
ReleaseCapture.USER32 ref: 005B99E1
GetCursorPos.USER32(?), ref: 005B9A19
ScreenToClient.USER32(?,?), ref: 005B9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 005B9A80
SendMessageW.USER32 ref: 005B9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 005B9AEB
SendMessageW.USER32 ref: 005B9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 005B9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 005B9B4A
GetCursorPos.USER32(?), ref: 005B9B68
ScreenToClient.USER32(?,?), ref: 005B9B75
GetParent.USER32(?), ref: 005B9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 005B9BFA
SendMessageW.USER32 ref: 005B9C2B
ClientToScreen.USER32(?,?), ref: 005B9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 005B9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 005B9CDE
SendMessageW.USER32 ref: 005B9D01
ClientToScreen.USER32(?,?), ref: 005B9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 005B9D82

Part of subcall function 00539944: GetWindowLongW.USER32(?,000000EB), ref: 00539952

GetWindowLongW.USER32(?,000000F0), ref: 005B9E05

Strings

p#_, xrefs: 005B9990
F, xrefs: 005B9D07
@GUI_DRAGID, xrefs: 005B997D
(_, xrefs: 005B9728, 005B9894, 005B98B7, 005B98EF, 005B9A3C, 005B9BB7, 005B9C5E, 005B9C8E, 005B9D2C, 005B9D58, 005B9DA1, 005B9DF2, 005B9E16, 005B9E40

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: (_$@GUI_DRAGID$F$p#_
API String ID: 3429851547-673511849
Opcode ID: 06ac9380efbcedf5b9b682b22eb07a779c0242f5d62b206f609cf3076c08972d
Instruction ID: 6da1d4e0db5b129cc2b62ca8c70c3d887d685a343fe15627a0c02d93de4b809e
Opcode Fuzzy Hash: 06ac9380efbcedf5b9b682b22eb07a779c0242f5d62b206f609cf3076c08972d
Instruction Fuzzy Hash: 75428A74204241AFDB24CF28CC48EEABFE5FF99310F104A19F6998B2A1D771E854DB95

Function 005B4873 Relevance: 61.8, APIs: 33, Strings: 2, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 005B48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 005B4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 005B4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 005B494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 005B495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 005B497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 005B49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 005B49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 005B4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 005B4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 005B4A7E
IsMenu.USER32(?), ref: 005B4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005B4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005B4B20
GetWindowLongW.USER32(?,000000F0), ref: 005B4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 005B4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 005B4C82
wsprintfW.USER32 ref: 005B4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 005B4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 005B4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 005B4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 005B4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 005B4D5A

Strings

%d/%02d/%02d, xrefs: 005B4CA8
(_, xrefs: 005B489F

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d$(_
API String ID: 4054740463-3147507909
Opcode ID: 8cb00c1920aed394fb0dc50d64867179fc156a7ab1758764579b20cd7b7bef3a
Instruction ID: b5cb88d7b07e72fa77dfffb43c51e24a43c82a7cc0778e78b42534eb4a01354e
Opcode Fuzzy Hash: 8cb00c1920aed394fb0dc50d64867179fc156a7ab1758764579b20cd7b7bef3a
Instruction Fuzzy Hash: 0312AB71600215ABEB358F28CC49FEE7FB8BB89710F104629F515EB2A2DB74A941DF50

Function 0053F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0053F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0057F474
IsIconic.USER32(00000000), ref: 0057F47D
ShowWindow.USER32(00000000,00000009), ref: 0057F48A
SetForegroundWindow.USER32(00000000), ref: 0057F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0057F4AA
GetCurrentThreadId.KERNEL32 ref: 0057F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0057F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0057F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0057F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0057F4DE
SetForegroundWindow.USER32(00000000), ref: 0057F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0057F4F6
keybd_event.USER32(00000012,00000000), ref: 0057F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0057F50B
keybd_event.USER32(00000012,00000000), ref: 0057F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0057F519
keybd_event.USER32(00000012,00000000), ref: 0057F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0057F528
keybd_event.USER32(00000012,00000000), ref: 0057F52D
SetForegroundWindow.USER32(00000000), ref: 0057F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0057F557

Strings

Shell_TrayWnd, xrefs: 0057F46F

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 0a88840bf934210bea556772d66933e28a59d85e62c2be4c08b19369fe26fe7b
Instruction ID: 545ea03317160cd78e1d03d212a2c687e89aee1d4e2b437e35d6af5f81e81896
Opcode Fuzzy Hash: 0a88840bf934210bea556772d66933e28a59d85e62c2be4c08b19369fe26fe7b
Instruction Fuzzy Hash: E2315E71A40218BBEB306BB59C4AFBF7E6CFB44B50F104566FA05E61D1C6B16900BBA4

Function 00581201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 005816C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0058170D
Part of subcall function 005816C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0058173A
Part of subcall function 005816C3: GetLastError.KERNEL32 ref: 0058174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00581286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 005812A8
CloseHandle.KERNEL32(?), ref: 005812B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 005812D1
GetProcessWindowStation.USER32 ref: 005812EA
SetProcessWindowStation.USER32(00000000), ref: 005812F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00581310

Part of subcall function 005810BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005811FC), ref: 005810D4
Part of subcall function 005810BF: CloseHandle.KERNEL32(?,?,005811FC), ref: 005810E9

Strings

default, xrefs: 0058130B
, xrefs: 0058125A
Z^, xrefs: 00581392
winsta0, xrefs: 005812CC

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z^
API String ID: 22674027-2132372335
Opcode ID: 9ca971157dfae38a530283e074da8823c4dbee05713ce84dea064ab1023255e0
Instruction ID: 68d6611442a914855e753c09eb0c833a750ada386097badd27f28c19f665d650
Opcode Fuzzy Hash: 9ca971157dfae38a530283e074da8823c4dbee05713ce84dea064ab1023255e0
Instruction Fuzzy Hash: 5A816871900609ABDF21AFA8DC49BEE7FBDFF04704F144129F911B61A0D731994ADB28

Function 00580B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005810F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00581114
Part of subcall function 005810F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00580B9B,?,?,?), ref: 00581120
Part of subcall function 005810F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00580B9B,?,?,?), ref: 0058112F
Part of subcall function 005810F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00580B9B,?,?,?), ref: 00581136
Part of subcall function 005810F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0058114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00580BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00580C00
GetLengthSid.ADVAPI32(?), ref: 00580C17
GetAce.ADVAPI32(?,00000000,?), ref: 00580C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00580C6D
GetLengthSid.ADVAPI32(?), ref: 00580C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00580C8C
HeapAlloc.KERNEL32(00000000), ref: 00580C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00580CB4
CopySid.ADVAPI32(00000000), ref: 00580CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00580CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00580D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00580D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00580D45
HeapFree.KERNEL32(00000000), ref: 00580D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00580D55
HeapFree.KERNEL32(00000000), ref: 00580D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00580D65
HeapFree.KERNEL32(00000000), ref: 00580D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00580D78
HeapFree.KERNEL32(00000000), ref: 00580D7F

Part of subcall function 00581193: GetProcessHeap.KERNEL32(00000008,00580BB1,?,00000000,?,00580BB1,?), ref: 005811A1
Part of subcall function 00581193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00580BB1,?), ref: 005811A8
Part of subcall function 00581193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00580BB1,?), ref: 005811B7

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: bc6ce303de2d6f3164f7f1b3cd133b26cf5c51c98dbe763e854a3c46b60700d9
Instruction ID: edc451d756cff16e0493f2b45485bd68df5291f9edb96c381f35358683b411d2
Opcode Fuzzy Hash: bc6ce303de2d6f3164f7f1b3cd133b26cf5c51c98dbe763e854a3c46b60700d9
Instruction Fuzzy Hash: BA716A7290120AAFDF90EFA4DC49BAEBFB8BF14300F045615E914B7191D771AA09CB60

Function 0059EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(005BCC08), ref: 0059EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0059EB37
GetClipboardData.USER32(0000000D), ref: 0059EB43
CloseClipboard.USER32 ref: 0059EB4F
GlobalLock.KERNEL32(00000000), ref: 0059EB87
CloseClipboard.USER32 ref: 0059EB91
GlobalUnlock.KERNEL32(00000000), ref: 0059EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0059EBC9
GetClipboardData.USER32(00000001), ref: 0059EBD1
GlobalLock.KERNEL32(00000000), ref: 0059EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0059EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0059EC38
GetClipboardData.USER32(0000000F), ref: 0059EC44
GlobalLock.KERNEL32(00000000), ref: 0059EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0059EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0059EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0059ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0059ECF3
CountClipboardFormats.USER32 ref: 0059ED14
CloseClipboard.USER32 ref: 0059ED59

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 7662738c4fd72e333c60e0ccc0d203bb1e9944b4ec35660c65cd02a371520b9b
Instruction ID: 9eaf41846e94f1fc2f49d82ff86d34a4d4142165beaf2efd7ac8e30d8d3b3eeb
Opcode Fuzzy Hash: 7662738c4fd72e333c60e0ccc0d203bb1e9944b4ec35660c65cd02a371520b9b
Instruction Fuzzy Hash: CF61BE352043029FD700EF24D88AF6ABFA4BF95714F14451DF496972A2DB31ED09DB62

Function 0059698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 005969BE
FindClose.KERNEL32(00000000), ref: 00596A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00596A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00596A75

Part of subcall function 00529CB3: _wcslen.LIBCMT ref: 00529CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00596AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00596ADF

Strings

%03d, xrefs: 00596DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00596B32
%4d%02d%02d%02d%02d%02d, xrefs: 00596B6A
%4d, xrefs: 00596BB1
%02d, xrefs: 00596C00, 00596C0A, 00596C5A, 00596CAA, 00596CFA, 00596D4A

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 760007c25133de121655c2b615e4203fb27e11e25d2c37878f1731b597cb2b75
Instruction ID: 29ac4727a0f8fab831061985fad2cc4444ceb91cd89122689e8b13ac4405090c
Opcode Fuzzy Hash: 760007c25133de121655c2b615e4203fb27e11e25d2c37878f1731b597cb2b75
Instruction Fuzzy Hash: 50D180B1508311AFC700EBA0D995EAFBBECBF99704F04491DF585D6291EB34DA48CB62

Function 00599642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00599663
GetFileAttributesW.KERNEL32(?), ref: 005996A1
SetFileAttributesW.KERNEL32(?,?), ref: 005996BB
FindNextFileW.KERNEL32(00000000,?), ref: 005996D3
FindClose.KERNEL32(00000000), ref: 005996DE
FindFirstFileW.KERNEL32(*.*,?), ref: 005996FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0059974A
SetCurrentDirectoryW.KERNEL32(005E6B7C), ref: 00599768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00599772
FindClose.KERNEL32(00000000), ref: 0059977F
FindClose.KERNEL32(00000000), ref: 0059978F

Strings

*.*, xrefs: 005996F5

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 63e366f655f45f968fbae92762528caf73ec37d70a280091f24079076c5d3a1e
Instruction ID: af71b93bda00d47972544d39ccb87588ac4b27329449e2350c428fe9611483e6
Opcode Fuzzy Hash: 63e366f655f45f968fbae92762528caf73ec37d70a280091f24079076c5d3a1e
Instruction Fuzzy Hash: 1831E23650021A6BCF14AFF9DC48ADE7FACFF5A360F14425AF955E2090EB30ED448A24

Function 0059979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 005997BE
FindNextFileW.KERNEL32(00000000,?), ref: 00599819
FindClose.KERNEL32(00000000), ref: 00599824
FindFirstFileW.KERNEL32(*.*,?), ref: 00599840
SetCurrentDirectoryW.KERNEL32(?), ref: 00599890
SetCurrentDirectoryW.KERNEL32(005E6B7C), ref: 005998AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 005998B8
FindClose.KERNEL32(00000000), ref: 005998C5
FindClose.KERNEL32(00000000), ref: 005998D5

Part of subcall function 0058DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0058DB00

Strings

*.*, xrefs: 0059983B

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: f43254dec2c82d959895a90e7a2187c7580acdc95b2315ab26ac06295ff1b3b7
Instruction ID: e52e81020d35964c24cf348f659a5b58c794adf6f46334c64e07920b3cc608a2
Opcode Fuzzy Hash: f43254dec2c82d959895a90e7a2187c7580acdc95b2315ab26ac06295ff1b3b7
Instruction Fuzzy Hash: E631F63250061A6BDF14EFB9DC48ADE7FACBF46360F14415DE850A2090EB70ED45CA64

Function 005ABE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005AC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005AB6AE,?,?), ref: 005AC9B5
Part of subcall function 005AC998: _wcslen.LIBCMT ref: 005AC9F1
Part of subcall function 005AC998: _wcslen.LIBCMT ref: 005ACA68
Part of subcall function 005AC998: _wcslen.LIBCMT ref: 005ACA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005ABF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 005ABFA9
RegCloseKey.ADVAPI32(00000000), ref: 005ABFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 005AC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 005AC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 005AC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 005AC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 005AC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 005AC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 005AC382
RegCloseKey.ADVAPI32(00000000), ref: 005AC38F

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 7691947f471778697819923a1e65f5475d4d5d97d782b91c1cd461a3bd0c181d
Instruction ID: 4e398f82a2845f2cdd5b5b7992476bf7f873b8da0a9bf49fd7d95bdc3e3e05f1
Opcode Fuzzy Hash: 7691947f471778697819923a1e65f5475d4d5d97d782b91c1cd461a3bd0c181d
Instruction Fuzzy Hash: E5021B716042019FDB14DF24C895E2EBFE5BF8A314F18889DF84A9B2A2D731ED45CB91

Function 00598195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00598257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00598267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00598273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00598310
SetCurrentDirectoryW.KERNEL32(?), ref: 00598324
SetCurrentDirectoryW.KERNEL32(?), ref: 00598356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0059838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00598395

Strings

*.*, xrefs: 0059839B

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: bec181b856445a9e1d3178571238d748e983cabcfd10a5dd346152dfd1368d40
Instruction ID: 5809cb3e346dc20208f9be8b163a43a1eb8a423dbd4896b057b25540af12e868
Opcode Fuzzy Hash: bec181b856445a9e1d3178571238d748e983cabcfd10a5dd346152dfd1368d40
Instruction Fuzzy Hash: 98616B765043069FCB10EF60D8459AEBBE8FF8A314F04491DF989D7251EB31E949CB92

Function 0058D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00523AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00523A97,?,?,00522E7F,?,?,?,00000000), ref: 00523AC2

Part of subcall function 0058E199: GetFileAttributesW.KERNEL32(?,0058CF95), ref: 0058E19A

FindFirstFileW.KERNEL32(?,?), ref: 0058D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0058D1DD
MoveFileW.KERNEL32(?,?), ref: 0058D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0058D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0058D237

Part of subcall function 0058D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0058D21C,?,?), ref: 0058D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0058D253
FindClose.KERNEL32(00000000), ref: 0058D264

Strings

\*.*, xrefs: 0058D0CD, 0058D0D6, 0058D0EB

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 720582c2d8dd893bc47fd3f982c28831a8cbc50362bdefac74b9c39cab3e3eba
Instruction ID: d369d980a58f60ed01cf38416a8947b8dd08ba550a1696f697079b6741279e82
Opcode Fuzzy Hash: 720582c2d8dd893bc47fd3f982c28831a8cbc50362bdefac74b9c39cab3e3eba
Instruction Fuzzy Hash: 9A61383580111EAACF05FBA0E99A9EDBFB5BF96300F244165E802771D1EB316F09DB60

Function 0059ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0059ED91
EmptyClipboard.USER32 ref: 0059ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0059EDAC
CloseClipboard.USER32 ref: 0059EEA3

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 1cc71ea80e882ab6753e5540dd050e8509ec5e23ecba95f6e1b7c338ede9f4cb
Instruction ID: 747540d70e86a058ab9fe120284dd42ea2bdc44da4696c154228fbf674e0f511
Opcode Fuzzy Hash: 1cc71ea80e882ab6753e5540dd050e8509ec5e23ecba95f6e1b7c338ede9f4cb
Instruction Fuzzy Hash: 7141AB35204612AFEB20CF19E88AF1ABFA5FF55328F148599E4158B6A2C735FC41CB90

Function 0058E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 005816C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0058170D
Part of subcall function 005816C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0058173A
Part of subcall function 005816C3: GetLastError.KERNEL32 ref: 0058174A

ExitWindowsEx.USER32(?,00000000), ref: 0058E932

Strings

SeShutdownPrivilege, xrefs: 0058E902
, xrefs: 0058E95C
, xrefs: 0058E920
@, xrefs: 0058E925

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: ebab04642497bfd48653ed06db6407227cf915a627293f090f30111a15866061
Instruction ID: 5524edb452c36f95e3b8618e51ffe52dad80dbc3467d789680e6fa254d31fb53
Opcode Fuzzy Hash: ebab04642497bfd48653ed06db6407227cf915a627293f090f30111a15866061
Instruction Fuzzy Hash: 0B01F232610211ABEB6432B49C8BBBB7A6CB714750F140921FC02F21E2D6E0AC4493A4

Function 005A1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 005A1276
WSAGetLastError.WSOCK32 ref: 005A1283
bind.WSOCK32(00000000,?,00000010), ref: 005A12BA
WSAGetLastError.WSOCK32 ref: 005A12C5
closesocket.WSOCK32(00000000), ref: 005A12F4
listen.WSOCK32(00000000,00000005), ref: 005A1303
WSAGetLastError.WSOCK32 ref: 005A130D
closesocket.WSOCK32(00000000), ref: 005A133C

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 854b87973d0db3c7b0c666c80cad9025267c2c14b73f0b3b6f599e138b0ae0c0
Instruction ID: dd42b26c3beceaf0551757666b2d5c20a227711a2bd6c8a6ee33f56b47d88c5f
Opcode Fuzzy Hash: 854b87973d0db3c7b0c666c80cad9025267c2c14b73f0b3b6f599e138b0ae0c0
Instruction Fuzzy Hash: 0B41AE35A005119FD710DF24D488B2ABFE6BF86318F188188E8568F2D2C771EC85CBE4

Function 0055B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0055B9D4
_free.LIBCMT ref: 0055B9F8
_free.LIBCMT ref: 0055BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,005C3700), ref: 0055BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,005F121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0055BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,005F1270,000000FF,?,0000003F,00000000,?), ref: 0055BC36
_free.LIBCMT ref: 0055BD4B

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 8e24b83008a3a87a0469ad4d9afd655a32004a8bb6566613d7ab136028209326
Instruction ID: a40cb08f02d5552ac02949d56e81f551c5e0d5db5625509b394a1d174af381c9
Opcode Fuzzy Hash: 8e24b83008a3a87a0469ad4d9afd655a32004a8bb6566613d7ab136028209326
Instruction Fuzzy Hash: B8C12571904206AFEB209F69C869BAE7FB8FF81312F14459BEC94D7291E7308E49C750

Function 0058D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00523AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00523A97,?,?,00522E7F,?,?,?,00000000), ref: 00523AC2

Part of subcall function 0058E199: GetFileAttributesW.KERNEL32(?,0058CF95), ref: 0058E19A

FindFirstFileW.KERNEL32(?,?), ref: 0058D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0058D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0058D481
FindClose.KERNEL32(00000000), ref: 0058D498
FindClose.KERNEL32(00000000), ref: 0058D4A1

Strings

\*.*, xrefs: 0058D3F2

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 61076fd252a9aec658202082cb7303b14c29ea52c74aa97ea3be391f7a4bed23
Instruction ID: c144fac0c53bb3324955f3ed78560de4d8225061c92a60f1b6eb298547c50fa1
Opcode Fuzzy Hash: 61076fd252a9aec658202082cb7303b14c29ea52c74aa97ea3be391f7a4bed23
Instruction Fuzzy Hash: 32315E710083569BC704EF64D8558AFBFE8BEE2310F444E1DF8D1521E1EB64AA0DDB62

Function 0055E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0055E645

Strings

1#SNAN, xrefs: 0055F844
1#QNAN, xrefs: 0055F84B
1#INF, xrefs: 0055F852
1#IND, xrefs: 0055F83D

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 270e82af8f719929ccff3af275010a6692b686473ea660f5a612bfbd9f0220e9
Instruction ID: 5b17fbd1502d3c2d0758b6ce0b22298ec9fd4794f34abb869d975b2c37799686
Opcode Fuzzy Hash: 270e82af8f719929ccff3af275010a6692b686473ea660f5a612bfbd9f0220e9
Instruction Fuzzy Hash: 00C25B71D046288FDB29CE28DD557EABBB5FB44306F1445EAD80DE7240E774AE898F40

Function 0059648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005964DC
CoInitialize.OLE32(00000000), ref: 00596639
CoCreateInstance.OLE32(005BFCF8,00000000,00000001,005BFB68,?), ref: 00596650
CoUninitialize.OLE32 ref: 005968D4

Strings

.lnk, xrefs: 005964BA, 00596524, 005965E0

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 94da644d646847cb68502ba6eb86558f6492ce4f4b4c5d151016ff863b0f67d6
Instruction ID: 07d2931181623a4a3546ca39d2d6ab80cae032c17fc9a9e76a517a624b6592c2
Opcode Fuzzy Hash: 94da644d646847cb68502ba6eb86558f6492ce4f4b4c5d151016ff863b0f67d6
Instruction Fuzzy Hash: 25D14871508212AFC704EF24D89596BBBE8FFD9304F40496DF5958B2A1EB70ED09CB92

Function 005A22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 005A22E8

Part of subcall function 0059E4EC: GetWindowRect.USER32(?,?), ref: 0059E504

GetDesktopWindow.USER32 ref: 005A2312
GetWindowRect.USER32(00000000), ref: 005A2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 005A2355
GetCursorPos.USER32(?), ref: 005A2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 005A23DF

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 7ed5ddeed34d1707cf2b4b42201df5eec49a8bbff92cde249d9a4ec56108a577
Instruction ID: 82bb8c495bdf1294c51f8c7c8384fbbcaf6066222db11766094042bb8e10c88e
Opcode Fuzzy Hash: 7ed5ddeed34d1707cf2b4b42201df5eec49a8bbff92cde249d9a4ec56108a577
Instruction Fuzzy Hash: 2B31D072504315AFCB20DF18C84AF5FBBA9FF86310F000A1AF985A7181DB34E908CB92

Function 00599B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00529CB3: _wcslen.LIBCMT ref: 00529CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00599B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00599C8B

Part of subcall function 00593874: GetInputState.USER32 ref: 005938CB
Part of subcall function 00593874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00593966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00599BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00599C75

Strings

*.*, xrefs: 00599B5D

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 02a7027c82959f8a28c62721a65f8ea0164d78fae5f903d37e2d4837b27c0bc9
Instruction ID: 23fc1e6aaf6a3758c0699e7d266a05eebcaa443a4f92c23cd45538de40f03fde
Opcode Fuzzy Hash: 02a7027c82959f8a28c62721a65f8ea0164d78fae5f903d37e2d4837b27c0bc9
Instruction Fuzzy Hash: 8B41817190420A9FCF54DF68DC89AEEBFB8FF55310F24455AE805A2191EB34AE44CF60

Function 0053997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00539BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00539BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00539A4E
GetSysColor.USER32(0000000F), ref: 00539B23
SetBkColor.GDI32(?,00000000), ref: 00539B36

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 3f200f1af817ad29d608863bfef4d436441d6ffef190891a1334b009263630f4
Instruction ID: d8c331868d1dae48e11aa02b5ac52ba979acd3f6e52fa5bdeae33f168400d2ad
Opcode Fuzzy Hash: 3f200f1af817ad29d608863bfef4d436441d6ffef190891a1334b009263630f4
Instruction Fuzzy Hash: 4DA13BF1108408EEE7299A3DAC9DEBB3F9DFBC6340F154709F102C6695CAA59D01E276

Function 005A1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 005A304E: inet_addr.WSOCK32(?), ref: 005A307A
Part of subcall function 005A304E: _wcslen.LIBCMT ref: 005A309B

socket.WSOCK32(00000002,00000002,00000011), ref: 005A185D
WSAGetLastError.WSOCK32 ref: 005A1884
bind.WSOCK32(00000000,?,00000010), ref: 005A18DB
WSAGetLastError.WSOCK32 ref: 005A18E6
closesocket.WSOCK32(00000000), ref: 005A1915

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 21e2cb04f8068c5c7ed881454dcbb1f84c6179bc4df259438e3a3e4cd8358b4c
Instruction ID: dbcd311a1f9bf064e5d79897a0cffc6a0edc89682c73e4d6452d029cb232ce47
Opcode Fuzzy Hash: 21e2cb04f8068c5c7ed881454dcbb1f84c6179bc4df259438e3a3e4cd8358b4c
Instruction Fuzzy Hash: C451A175A002119FDB10AF24D88AF2A7FE5BF8A718F148458F9065F3C3D775AD418BA1

Function 005B1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 005B1CC0
IsWindowEnabled.USER32 ref: 005B1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 005B1CDB
IsIconic.USER32 ref: 005B1CE9
IsZoomed.USER32 ref: 005B1CF7

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 9183b96e0b9d4d1930c6b7968c28fc136e136f8245f3df4c1c6f764dd3370c3c
Instruction ID: 2f2262fe1bebd193e2106e1ec08331f8c7593847d8a21730f4d7a46ebd52cc85
Opcode Fuzzy Hash: 9183b96e0b9d4d1930c6b7968c28fc136e136f8245f3df4c1c6f764dd3370c3c
Instruction Fuzzy Hash: 6B21D631740A115FD7608F1AC864BAA7FA5FF95314F588058E846CB351CB71FC42CB98

Function 00528060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 0052843C
VUUU, xrefs: 00565DF0
VUUU, xrefs: 005283E8
VUUU, xrefs: 005283FA
ERCP, xrefs: 0052813C

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 6a98c377d146df82b8d4df7b7aff2916d9be258315c13b6292e4d31a0dff60de
Instruction ID: f84189122a6814540795e612f435b201461c49c04e4ec39bed028e98e7eef327
Opcode Fuzzy Hash: 6a98c377d146df82b8d4df7b7aff2916d9be258315c13b6292e4d31a0dff60de
Instruction Fuzzy Hash: 8EA29F74E0162ACBDF24CF98D8847BDBBB1BF55310F2485AAD815A7385EB709D81CB90

Function 00588298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 005882AA

Strings

tb^, xrefs: 005884F4
(, xrefs: 005882F0
|, xrefs: 005882DA

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tb^$|
API String ID: 1659193697-2919713065
Opcode ID: 2525dcdf40ca768ede0785b85bb88c76de73eeb60177e612373cdaa7b73e47cc
Instruction ID: a0e797eaacda442ed6052325d63aaedd7f8e3a6496b188f058efb54f25828086
Opcode Fuzzy Hash: 2525dcdf40ca768ede0785b85bb88c76de73eeb60177e612373cdaa7b73e47cc
Instruction Fuzzy Hash: 0B324874A00605DFC728DF59C48196ABBF0FF48710B55C96EE89AEB3A1EB70E941CB40

Function 0058AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0058AAAC
SetKeyboardState.USER32(00000080), ref: 0058AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0058AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0058AB88

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 4c2cecbf09c7c143cbce8c46db7861497f4dddb77986006488d93a9e904b09fa
Instruction ID: 97f2b8493bccd93bbecfee0a9e361739c94259280e9421e1c2df07416ad5a095
Opcode Fuzzy Hash: 4c2cecbf09c7c143cbce8c46db7861497f4dddb77986006488d93a9e904b09fa
Instruction Fuzzy Hash: 98312A30A40248AEFF35EB64CC05BFA7FAABB44311F04421BF881761D0D7759985D766

Function 0059CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0059CE89
GetLastError.KERNEL32(?,00000000), ref: 0059CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0059CEFE

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 20f135920d2674f2e04c22c72d9526b0e74339ae369fad5fbba321eb06e9a075
Instruction ID: d93e32231076b748b17edfcdde169a9b4cf2e75910d84ba0c69b3bd540e6d73c
Opcode Fuzzy Hash: 20f135920d2674f2e04c22c72d9526b0e74339ae369fad5fbba321eb06e9a075
Instruction Fuzzy Hash: F521BAB1500705ABEB21CFA5C949BAABFFCFB50358F10482EE546D2151E770EE089B64

Function 00595C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00595CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00595D17
FindClose.KERNEL32(?), ref: 00595D5F

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 97a51797a5c57e8a1c103a738763b6936222d220d66abe09783f1b8312bdb862
Instruction ID: 5f1d16ba30cc3cbbea40d40a1da659211dbacc6c659cc9222709c032547dc681
Opcode Fuzzy Hash: 97a51797a5c57e8a1c103a738763b6936222d220d66abe09783f1b8312bdb862
Instruction Fuzzy Hash: E2518B746047029FCB15CF28D498A9ABBE4FF4A314F14855DE99A8B3A2DB30FD14CB91

Function 00552622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0055271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00552724
UnhandledExceptionFilter.KERNEL32(?), ref: 00552731

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: c42933428ec6f2c9e7df692ca5197d86cee94bf5f74b978a3279f54ca43372f2
Instruction ID: 8ceaecbb6f986dff374f0e2de2b60d202fcfa249452cfd93569a063368636637
Opcode Fuzzy Hash: c42933428ec6f2c9e7df692ca5197d86cee94bf5f74b978a3279f54ca43372f2
Instruction Fuzzy Hash: 0931D5749112299BCB21DF64DC88BDCBBB8BF18310F5046EAE80CA7261E7309F858F45

Function 005951CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005951DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00595238
SetErrorMode.KERNEL32(00000000), ref: 005952A1

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: b692298865f49fbbdc4f2fe656fb316d2dded051229cf81c645c00ede65f5c04
Instruction ID: 5743c68438eb994fd05d7ec25d7dbb2178ce368ec922a2681aee6184727420f7
Opcode Fuzzy Hash: b692298865f49fbbdc4f2fe656fb316d2dded051229cf81c645c00ede65f5c04
Instruction Fuzzy Hash: 74313075A00519DFDB00DF54D888EADBFB4FF49314F088099E845AB392DB31E859CB90

Function 005816C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0053FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00540668
Part of subcall function 0053FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00540685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0058170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0058173A
GetLastError.KERNEL32 ref: 0058174A

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 446fc71f1d75209e71f79e6220bfd12602b1f092c5d972e3c345f236095a6305
Instruction ID: 48d4276cc81f6d741358fe1912d3e4c138c8983232b36b40f38fbdec5a5707d5
Opcode Fuzzy Hash: 446fc71f1d75209e71f79e6220bfd12602b1f092c5d972e3c345f236095a6305
Instruction Fuzzy Hash: 9F11C1B2800309AFD718AF54DC8AD6ABBBDFF44714B20852EF45697241EB70BC428B24

Function 0058D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0058D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0058D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0058D650

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 4128b3dc7e5946bbe2c4a266521215dd271ea2ce4da70d1edc817b32bdf82221
Instruction ID: 27463f5c8fbc0ca1a08e2e06f4f330540175e3de79a445e5130624630b9ae9cf
Opcode Fuzzy Hash: 4128b3dc7e5946bbe2c4a266521215dd271ea2ce4da70d1edc817b32bdf82221
Instruction Fuzzy Hash: C7117C75E05228BBDB108F99AC45FAFBFBCEB45B50F108121F904F7290D2705A058BA1

Function 00581663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0058168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 005816A1
FreeSid.ADVAPI32(?), ref: 005816B1

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: f08ef81f01e0f30bb337a305e26c3cb086f34915cae8c865f3ebfd543075a2c9
Instruction ID: 099d2c6982bcc3866ab4280089988402ccc7ddd7bdec06c0a1820e77c7046214
Opcode Fuzzy Hash: f08ef81f01e0f30bb337a305e26c3cb086f34915cae8c865f3ebfd543075a2c9
Instruction Fuzzy Hash: B9F0F47195030DFBEB00EFE49D89AAEBBBCFB08604F504565E901E2181E774AA489B64

Function 0055C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0055C36C

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: ef6700fda639a1833ecb9d0a4a1751f329842f8bbd86ed6b443d93300a4b53aa
Instruction ID: f613d724deb936510384b32ae3f3c9b7f65dc76bd5745008ba0653026a241147
Opcode Fuzzy Hash: ef6700fda639a1833ecb9d0a4a1751f329842f8bbd86ed6b443d93300a4b53aa
Instruction Fuzzy Hash: FF412676500319AFCB209FB9CC59DAB7FB8FB84316F50466AFD05C7180E6709D858B50

Function 0057D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0057D28C

Strings

X64, xrefs: 0057D2A8

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 55a1f7998c889c0e145b9e44322e2e6ea59e07da1280ccb9978184d0d04acd94
Instruction ID: 5b79255bd5d54936a68d8db6b98bd36693e9f0e0e8edb3ba0820c96ecaa7ffd0
Opcode Fuzzy Hash: 55a1f7998c889c0e145b9e44322e2e6ea59e07da1280ccb9978184d0d04acd94
Instruction Fuzzy Hash: 09D0E9B581511DEBCB94DB90EC8CDDDBB7CBB14345F104656F506A2140DB7495499F20

Function 0054CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 298023b276c343e6f763899e538c1dcad4de91f1b049a0b49dd41e346fef65e3
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 73021B71E012199BDF54CFA9C8806EDBFF5FF88318F258169D919EB280D731AE418B94

Function 0052CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00570C40
p#_, xrefs: 0052CF7F

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#_
API String ID: 0-2852649800
Opcode ID: 4477008cf3604e5ff1f7e845615ed513c5bd1f3cc91a163136ba912413dc130d
Instruction ID: c8c53c734ec7038e037ac80836c7239124f725786ebe372e8709ed901d0e41b7
Opcode Fuzzy Hash: 4477008cf3604e5ff1f7e845615ed513c5bd1f3cc91a163136ba912413dc130d
Instruction Fuzzy Hash: AF32AE70900229DFCF14DF90E985AEDBFB9BF46304F108459E80AAB2C2D775AE45DB60

Function 005968EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00596918
FindClose.KERNEL32(00000000), ref: 00596961

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 469148834dc9382723bb107a2b0a79d65ce5fd70e5e413222562c87b2c6aebdc
Instruction ID: 1e2b4b947334c53d22e574b1acfe0486ab57cb3e893953f9b8730f2c6b14bb35
Opcode Fuzzy Hash: 469148834dc9382723bb107a2b0a79d65ce5fd70e5e413222562c87b2c6aebdc
Instruction Fuzzy Hash: E6118E356042119FCB10DF29D488A1ABFE5FF89328F14C699E4698F7A2C730EC09CB91

Function 005937B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,005A4891,?,?,00000035,?), ref: 005937E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,005A4891,?,?,00000035,?), ref: 005937F4

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: f4907163bf7f0781ba7a1a055082710496056564503905ed8c73eec060d1cba2
Instruction ID: a8503a44258d9f25ea16e360f9448f30ba142f3f96d9bfd7ff77a2837039a0c1
Opcode Fuzzy Hash: f4907163bf7f0781ba7a1a055082710496056564503905ed8c73eec060d1cba2
Instruction Fuzzy Hash: 5BF0E5B06042296AEB6057A69C4DFEB7FAEFFC5761F000275F509E2291D9609E08C6B0

Function 0058B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0058B25D
keybd_event.USER32(?,7694C0D0,?,00000000), ref: 0058B270

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: d643928a2fcb8f3fb0b5b9965800665e0a90fba68f349bf03904f7e01c9825a7
Instruction ID: ee25af8331d9e113681f61b01e7ab82fccf6657bbdfd78a46aec236d44d9ad39
Opcode Fuzzy Hash: d643928a2fcb8f3fb0b5b9965800665e0a90fba68f349bf03904f7e01c9825a7
Instruction Fuzzy Hash: D9F06D7480424DABEB059FA0C805BEE7FB4FF04305F008009F951A5191C37992059F98

Function 005810BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005811FC), ref: 005810D4
CloseHandle.KERNEL32(?,?,005811FC), ref: 005810E9

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 678768c54b481fd9eadb14c893276735c5f9171c5692621fdb5dd739b53fc9fc
Instruction ID: 624df70db57487e106c9027de9d5d1f343f993363273f19fe3e389bd8d162fcf
Opcode Fuzzy Hash: 678768c54b481fd9eadb14c893276735c5f9171c5692621fdb5dd739b53fc9fc
Instruction Fuzzy Hash: 4FE01A32408601AFE7652B11FC09E777BA9FB04310F10892DB4A5804B1DA626C90AB14

Function 0055676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00556766,?,?,00000008,?,?,0055FEFE,00000000), ref: 00556998

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: eb3fb4703aff2b4d2db4eab4be3c84e89942e350930c620dd26e3872dd276da1
Instruction ID: be0647259083dfc94fb39e1a660208a531e896f27706b15544469f9e19486d70
Opcode Fuzzy Hash: eb3fb4703aff2b4d2db4eab4be3c84e89942e350930c620dd26e3872dd276da1
Instruction Fuzzy Hash: 70B16931610648CFD714CF28C4AAB647FE0FF45366F698659E899CF2A2C335E989CB40

Function 0053B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0057851F

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 8d7092839258fdb065e7bc03a16b68e70d91003e84701a08c0ce4cc3c19d5db5
Instruction ID: a360b6c2368668ef327a14b7f3bea1a79f6ceda705ba80197359208c3035dae8
Opcode Fuzzy Hash: 8d7092839258fdb065e7bc03a16b68e70d91003e84701a08c0ce4cc3c19d5db5
Instruction Fuzzy Hash: F8127F759002299FDF24CF58D8846FEBBB5FF48310F14859AE949EB251EB309E81DB90

Function 0059EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0059EABD

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: cd5d9427e47f368023d2b7db4f1f3a20df8993fc76e5ea886ee1bd6a6ab761b2
Instruction ID: bd3c33d94cf1a79872435995327a240dc82bea7900af0011da493ee611484129
Opcode Fuzzy Hash: cd5d9427e47f368023d2b7db4f1f3a20df8993fc76e5ea886ee1bd6a6ab761b2
Instruction Fuzzy Hash: 9BE01A312002159FD710EF59E809E9ABFEDBF99760F048426FC49CB3A1DA70A8418BA0

Function 005409D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,005403EE), ref: 005409DA

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 72f1158fc07eb1971defa4271aa0591251f17acea7aeb70d35eb1b390729a938
Instruction ID: dc03e6309c38e32813b40e54b278447e0b8018a125b82aa77e8a720caa747d58
Opcode Fuzzy Hash: 72f1158fc07eb1971defa4271aa0591251f17acea7aeb70d35eb1b390729a938
Instruction Fuzzy Hash:

Function 0054781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0054798B

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 2982b3aee6f819efad9bb2ced9b726ebd9f251535f2dc336b059c0873ca29312
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: CF51787160C74E6BDB388568885E7FE2F99BB5E34CF180909D882D7282C715DE05D356

Function 00592046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&_, xrefs: 00592053

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID:
String ID: 0&_
API String ID: 0-3810587587
Opcode ID: 00f6d967899b69f22ba60262181f5b6c20b0547ce6a388906bb23abaa5f4fc89
Instruction ID: a00096c8e15a64b1a1d52556c034d31f393ad23b48284e4ac6825706b9206692
Opcode Fuzzy Hash: 00f6d967899b69f22ba60262181f5b6c20b0547ce6a388906bb23abaa5f4fc89
Instruction Fuzzy Hash: 7F21EB722605118BDB28CF79C81767E77E5B764310F14862EE4A7C33D0DE39A904D780

Function 00556DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0d06863634491cb1e68ba55b75149067cc82f3668aa753b43277aa332053c6e
Instruction ID: 2324f523a7959630fb1543e23f0de0fbc41daabcc3fecb5a793f4795f2207e23
Opcode Fuzzy Hash: a0d06863634491cb1e68ba55b75149067cc82f3668aa753b43277aa332053c6e
Instruction Fuzzy Hash: B5321231D29F054ED7239634D8323356A8DAFBB3C6F15D737E81AB59A6EB28C4875100

Function 0053CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3e9dd1a8b03e609aa2a575109a9db1c38f3760dbb4c7490d0898de98ab14caa
Instruction ID: 020ab6963242bbee3810b0a2cd9cc19c8f9d8f2c76e0d91ddc28d94e250b512c
Opcode Fuzzy Hash: b3e9dd1a8b03e609aa2a575109a9db1c38f3760dbb4c7490d0898de98ab14caa
Instruction Fuzzy Hash: 0232E431A001598BDF28CE29E4D467D7FA1FB45300F68C56ED8AEAB691D630DD82FB41

Function 00527920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 918f5c54b5989f37c788391d0ca3ac77056d429453bffa5d1df48a5b47443186
Instruction ID: 2812b4b42a969531758c32d3af9f759225ddacead881b4b2cc9c16f4c7f91df1
Opcode Fuzzy Hash: 918f5c54b5989f37c788391d0ca3ac77056d429453bffa5d1df48a5b47443186
Instruction Fuzzy Hash: 8122C170A0061ADFDF14CF64D885AAEBBF5FF49300F244929E816AB291FB35AD54CB50

Function 005291C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cf91db4d5392bf3a2097002f47365b59872e1175eec3ab6449ddc348ffb255b
Instruction ID: 2f13ac7c6ac00a0b3265dbebec7ca7a1eebfd413d83c7a0c415e2f4537489168
Opcode Fuzzy Hash: 6cf91db4d5392bf3a2097002f47365b59872e1175eec3ab6449ddc348ffb255b
Instruction Fuzzy Hash: 2E02C8B4E00216EFDB04DF54D886AAEBFB5FF54304F108569E8069B391EB319E24DB91

Function 00559EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baf049e9c0504f79c1b8a932efaae10b18a7e5d2f3f0a99ed7ff1f1f4819ba69
Instruction ID: 6e471997fa435aaefbdf470a08179afc0a77f1a3cff31598d5184f66e75d46f3
Opcode Fuzzy Hash: baf049e9c0504f79c1b8a932efaae10b18a7e5d2f3f0a99ed7ff1f1f4819ba69
Instruction Fuzzy Hash: 83B11520D2AF854DD32396398831336BA5CBFBB6D5F91DB1BFC1674D22EB2285879140

Function 00547A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d567c7d8081fdac1fe5f29c6e0ea78303345414c79f9ae39e4341439262b465
Instruction ID: 7fb82730e0bdb3e39c6da4c8e6a99491298fe8288bae887b1373956e7315f270
Opcode Fuzzy Hash: 9d567c7d8081fdac1fe5f29c6e0ea78303345414c79f9ae39e4341439262b465
Instruction Fuzzy Hash: D2617A71208B4E56DE389A288C99BFE3F94FF8D70CF140D19E982DB281E7119E42C355

Function 00547CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5a34b32d45fdcb722971bd2f47f8287b7abffec7ce581d04742df61cf4ce0e2
Instruction ID: 905074da40bee7d6061ec089da29c9d1128ab8f855d328e43bcfdc14d6245009
Opcode Fuzzy Hash: b5a34b32d45fdcb722971bd2f47f8287b7abffec7ce581d04742df61cf4ce0e2
Instruction Fuzzy Hash: B4617B31A1874E66DE385A384859BFE2F98FF8E70CF100A59E943DB281D7129D428255

Function 005A2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 005A2B30
DeleteObject.GDI32(00000000), ref: 005A2B43
DestroyWindow.USER32 ref: 005A2B52
GetDesktopWindow.USER32 ref: 005A2B6D
GetWindowRect.USER32(00000000), ref: 005A2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 005A2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 005A2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005A2CF8
GetClientRect.USER32(00000000,?), ref: 005A2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 005A2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005A2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005A2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005A2D80
GlobalLock.KERNEL32(00000000), ref: 005A2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005A2D98
GlobalUnlock.KERNEL32(00000000), ref: 005A2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005A2DA8
GlobalFree.KERNEL32(00000000), ref: 005A2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005A2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,005BFC38,00000000), ref: 005A2DDB
GlobalFree.KERNEL32(00000000), ref: 005A2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 005A2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 005A2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005A2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005A303F

Strings

AutoIt v3, xrefs: 005A2CF2
static, xrefs: 005A2D3A, 005A2E91
DISPLAY, xrefs: 005A2EA2
, xrefs: 005A2FC5

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: ce2162083dfa7dc74e2bd0e2034ca7a43e71eead069cf4dc82d25ab8ca4a1458
Instruction ID: 2c3951be3dd0f21bc57b104fc96809edb3c23ace9ad10c020b00858bcd6c1ccb
Opcode Fuzzy Hash: ce2162083dfa7dc74e2bd0e2034ca7a43e71eead069cf4dc82d25ab8ca4a1458
Instruction Fuzzy Hash: D8027C71A00219AFDB14DF68CC89EAE7FB9FF49310F008558F915AB2A1DB34AD05DB64

Function 005B70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 005B712F
GetSysColorBrush.USER32(0000000F), ref: 005B7160
GetSysColor.USER32(0000000F), ref: 005B716C
SetBkColor.GDI32(?,000000FF), ref: 005B7186
SelectObject.GDI32(?,?), ref: 005B7195
InflateRect.USER32(?,000000FF,000000FF), ref: 005B71C0
GetSysColor.USER32(00000010), ref: 005B71C8
CreateSolidBrush.GDI32(00000000), ref: 005B71CF
FrameRect.USER32(?,?,00000000), ref: 005B71DE
DeleteObject.GDI32(00000000), ref: 005B71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 005B7230
FillRect.USER32(?,?,?), ref: 005B7262
GetWindowLongW.USER32(?,000000F0), ref: 005B7284

Part of subcall function 005B73E8: GetSysColor.USER32(00000012), ref: 005B7421
Part of subcall function 005B73E8: SetTextColor.GDI32(?,?), ref: 005B7425
Part of subcall function 005B73E8: GetSysColorBrush.USER32(0000000F), ref: 005B743B
Part of subcall function 005B73E8: GetSysColor.USER32(0000000F), ref: 005B7446
Part of subcall function 005B73E8: GetSysColor.USER32(00000011), ref: 005B7463
Part of subcall function 005B73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 005B7471
Part of subcall function 005B73E8: SelectObject.GDI32(?,00000000), ref: 005B7482
Part of subcall function 005B73E8: SetBkColor.GDI32(?,00000000), ref: 005B748B
Part of subcall function 005B73E8: SelectObject.GDI32(?,?), ref: 005B7498
Part of subcall function 005B73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 005B74B7
Part of subcall function 005B73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005B74CE
Part of subcall function 005B73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 005B74DB

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 52bb61c8ed8dc2344531ea1e9093a79e5e064c44f56db67b8e02ffe3238a9a40
Instruction ID: dfd72859a4bc2c3b87a1a0bc421368f5ba2c8d214a1fb85b0df507dc4ec7d098
Opcode Fuzzy Hash: 52bb61c8ed8dc2344531ea1e9093a79e5e064c44f56db67b8e02ffe3238a9a40
Instruction Fuzzy Hash: CCA1A172008305AFD7509F64DC48E9BBFA9FB98320F100B19F9A2A61E1D771F948DB65

Function 005A2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 005A273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 005A286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 005A28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 005A28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 005A2900
GetClientRect.USER32(00000000,?), ref: 005A290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 005A2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 005A2964
GetStockObject.GDI32(00000011), ref: 005A2974
SelectObject.GDI32(00000000,00000000), ref: 005A2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 005A2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 005A2991
DeleteDC.GDI32(00000000), ref: 005A299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 005A29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 005A29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 005A2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 005A2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 005A2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 005A2A77
GetStockObject.GDI32(00000011), ref: 005A2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 005A2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 005A2A97

Strings

AutoIt v3, xrefs: 005A28F8
msctls_progress32, xrefs: 005A2A13
static, xrefs: 005A294F, 005A2A71
DISPLAY, xrefs: 005A295A

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: f0d54542eb1fe6ececb123009688fbac67c3ef93c0c6ca177e9d3cabf9e52eba
Instruction ID: a9973679f0b774082835b011bcb2cdfe62a60b78c1806c4bbf7af0b22bd321a8
Opcode Fuzzy Hash: f0d54542eb1fe6ececb123009688fbac67c3ef93c0c6ca177e9d3cabf9e52eba
Instruction Fuzzy Hash: E3B16A71A00219AFEB14DF68DC4AEAE7BA9FF59710F008614F915EB2D0D774AD04CBA4

Function 00594ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00594AED
GetDriveTypeW.KERNEL32(?,005BCB68,?,\\.\,005BCC08), ref: 00594BCA
SetErrorMode.KERNEL32(00000000,005BCB68,?,\\.\,005BCC08), ref: 00594D36

Strings

RAID, xrefs: 00594CBB
ATAPI, xrefs: 00594C91
SSD, xrefs: 00594C4A
CDROM, xrefs: 00594BFB
RAMDisk, xrefs: 00594BF4
SAS, xrefs: 00594CC9
ATA, xrefs: 00594C98
Fixed, xrefs: 00594C09
PhysicalDrive, xrefs: 00594B76
Fibre, xrefs: 00594CAD
SSA, xrefs: 00594CA6
Unknown, xrefs: 00594BED, 00594C83
Removable, xrefs: 00594C10, 00594C15
Network, xrefs: 00594C02
MMC, xrefs: 00594CDE
SATA, xrefs: 00594CD0
\\.\, xrefs: 00594B3F
FileBackedVirtual, xrefs: 00594CEC
SCSI, xrefs: 00594C8A
Virtual, xrefs: 00594CE5
1394, xrefs: 00594C9F
USB, xrefs: 00594CB4
iSCSI, xrefs: 00594CC2

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: d8e1fe4451ad5dc0b667206531c51961dc0154d8694f3db25c765c17a8327974
Instruction ID: ba51c39b65af41576096fc1b75fb8ba0ddecda04127f5b6daa2c4f8ceb34e212
Opcode Fuzzy Hash: d8e1fe4451ad5dc0b667206531c51961dc0154d8694f3db25c765c17a8327974
Instruction Fuzzy Hash: 2661BE3060524A9FCF08DF25CA86D6CBFA1BF59380B248865F846AB291DB31ED42DF51

Function 005B73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 005B7421
SetTextColor.GDI32(?,?), ref: 005B7425
GetSysColorBrush.USER32(0000000F), ref: 005B743B
GetSysColor.USER32(0000000F), ref: 005B7446
CreateSolidBrush.GDI32(?), ref: 005B744B
GetSysColor.USER32(00000011), ref: 005B7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 005B7471
SelectObject.GDI32(?,00000000), ref: 005B7482
SetBkColor.GDI32(?,00000000), ref: 005B748B
SelectObject.GDI32(?,?), ref: 005B7498
InflateRect.USER32(?,000000FF,000000FF), ref: 005B74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005B74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 005B74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 005B752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 005B7554
InflateRect.USER32(?,000000FD,000000FD), ref: 005B7572
DrawFocusRect.USER32(?,?), ref: 005B757D
GetSysColor.USER32(00000011), ref: 005B758E
SetTextColor.GDI32(?,00000000), ref: 005B7596
DrawTextW.USER32(?,005B70F5,000000FF,?,00000000), ref: 005B75A8
SelectObject.GDI32(?,?), ref: 005B75BF
DeleteObject.GDI32(?), ref: 005B75CA
SelectObject.GDI32(?,?), ref: 005B75D0
DeleteObject.GDI32(?), ref: 005B75D5
SetTextColor.GDI32(?,?), ref: 005B75DB
SetBkColor.GDI32(?,?), ref: 005B75E5

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 5571707a6ad1b0a17bd077c3bdbea229b49f6fcafd299de97cef8930b1612557
Instruction ID: f076fec701beaeb5971547e490161bbb73e7f2a14006bea10f7103425d2497a9
Opcode Fuzzy Hash: 5571707a6ad1b0a17bd077c3bdbea229b49f6fcafd299de97cef8930b1612557
Instruction Fuzzy Hash: 62616C72904218AFDF119FA8DC49EEE7FB9FB48320F104615F911BB2A1D770A940DBA4

Function 005B0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 005B1128
GetDesktopWindow.USER32 ref: 005B113D
GetWindowRect.USER32(00000000), ref: 005B1144
GetWindowLongW.USER32(?,000000F0), ref: 005B1199
DestroyWindow.USER32(?), ref: 005B11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 005B11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005B120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 005B121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 005B1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 005B1245
IsWindowVisible.USER32(00000000), ref: 005B12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 005B12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 005B12D0
GetWindowRect.USER32(00000000,?), ref: 005B12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 005B130E
GetMonitorInfoW.USER32(00000000,?), ref: 005B1328
CopyRect.USER32(?,?), ref: 005B133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 005B13AA

Strings

(, xrefs: 005B131B
tooltips_class32, xrefs: 005B11E6
0, xrefs: 005B10D3

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 693ae75bde8b9d26c01a42c394a4ff69b6364b28267722287aaddfb53d878005
Instruction ID: ad7a001b89a9d765bfe923ba2a374a46a8dea9575490f6de79989fb334cb6cf4
Opcode Fuzzy Hash: 693ae75bde8b9d26c01a42c394a4ff69b6364b28267722287aaddfb53d878005
Instruction Fuzzy Hash: 81B1AD71608751AFD740DF68C898BAABFE4FF89340F408918F9999B2A1D731E844CB95

Function 005B0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 005B02E5
_wcslen.LIBCMT ref: 005B031F
_wcslen.LIBCMT ref: 005B0389
_wcslen.LIBCMT ref: 005B03F1
_wcslen.LIBCMT ref: 005B0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 005B04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 005B0504

Part of subcall function 0053F9F2: _wcslen.LIBCMT ref: 0053F9FD

Part of subcall function 0058223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00582258
Part of subcall function 0058223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0058228A

Strings

GETSELECTED, xrefs: 005B05E1
GETSELECTEDCOUNT, xrefs: 005B0470, 005B048B
DESELECT, xrefs: 005B059C
SELECTINVERT, xrefs: 005B057E
VIEWCHANGE, xrefs: 005B0675
GETITEMCOUNT, xrefs: 005B0316, 005B0337
SELECTCLEAR, xrefs: 005B052D
ISSELECTED, xrefs: 005B04DD
FINDITEM, xrefs: 005B0627
SELECTALL, xrefs: 005B0515
GETTEXT, xrefs: 005B03EC, 005B0407
GETSUBITEMCOUNT, xrefs: 005B0384, 005B039F
SELECT, xrefs: 005B0548

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: fb46f4b8ab9c4159a0d278755d6fd90a6fc02be4de14406f6c90cd67c5109314
Instruction ID: 453b4f79a54f778cfb8f4a119d6963fdd0ad38851d1312f3720eafac3e959745
Opcode Fuzzy Hash: fb46f4b8ab9c4159a0d278755d6fd90a6fc02be4de14406f6c90cd67c5109314
Instruction Fuzzy Hash: B6E1AC312082129FCB14DF24C5559ABBBE6BFC8314F145A6CF896AB2E1DB30ED46CB51

Function 00538891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00538968
GetSystemMetrics.USER32(00000007), ref: 00538970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0053899B
GetSystemMetrics.USER32(00000008), ref: 005389A3
GetSystemMetrics.USER32(00000004), ref: 005389C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 005389E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 005389F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00538A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00538A3C
GetClientRect.USER32(00000000,000000FF), ref: 00538A5A
GetStockObject.GDI32(00000011), ref: 00538A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00538A81

Part of subcall function 0053912D: GetCursorPos.USER32(?), ref: 00539141
Part of subcall function 0053912D: ScreenToClient.USER32(00000000,?), ref: 0053915E
Part of subcall function 0053912D: GetAsyncKeyState.USER32(00000001), ref: 00539183
Part of subcall function 0053912D: GetAsyncKeyState.USER32(00000002), ref: 0053919D

SetTimer.USER32(00000000,00000000,00000028,005390FC), ref: 00538AA8

Strings

AutoIt v3 GUI, xrefs: 00538A20

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: e486f8ac2e6b4a9341a603d8b3367db20d028bc8bf776b9d9a1c3c28f0697f50
Instruction ID: 352198b9ed8420b4fe11306c5ed09fcf0fd691a81a0fcf80c7ac2a617f4870c9
Opcode Fuzzy Hash: e486f8ac2e6b4a9341a603d8b3367db20d028bc8bf776b9d9a1c3c28f0697f50
Instruction Fuzzy Hash: 12B18A71A0020ADFDB18DFA8DD49BAA7FB4FB48314F104229FA15E7290DB74A804DB55

Function 00580D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005810F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00581114
Part of subcall function 005810F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00580B9B,?,?,?), ref: 00581120
Part of subcall function 005810F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00580B9B,?,?,?), ref: 0058112F
Part of subcall function 005810F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00580B9B,?,?,?), ref: 00581136
Part of subcall function 005810F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0058114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00580DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00580E29
GetLengthSid.ADVAPI32(?), ref: 00580E40
GetAce.ADVAPI32(?,00000000,?), ref: 00580E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00580E96
GetLengthSid.ADVAPI32(?), ref: 00580EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00580EB5
HeapAlloc.KERNEL32(00000000), ref: 00580EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00580EDD
CopySid.ADVAPI32(00000000), ref: 00580EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00580F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00580F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00580F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00580F6E
HeapFree.KERNEL32(00000000), ref: 00580F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00580F7E
HeapFree.KERNEL32(00000000), ref: 00580F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00580F8E
HeapFree.KERNEL32(00000000), ref: 00580F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00580FA1
HeapFree.KERNEL32(00000000), ref: 00580FA8

Part of subcall function 00581193: GetProcessHeap.KERNEL32(00000008,00580BB1,?,00000000,?,00580BB1,?), ref: 005811A1
Part of subcall function 00581193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00580BB1,?), ref: 005811A8
Part of subcall function 00581193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00580BB1,?), ref: 005811B7

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: db11af365062c8685e74e6c21589269d39d390c999fcec63a6aa7b5d5746fb3d
Instruction ID: 49a2cfdd0abf50f395599c9f0b2c30843095be69f42a84f99d392db19d4efe28
Opcode Fuzzy Hash: db11af365062c8685e74e6c21589269d39d390c999fcec63a6aa7b5d5746fb3d
Instruction Fuzzy Hash: 34715E7190020AEBDF60AFA4DC48FAEBFB8BF14340F148215FA19B6191D731A909CB60

Function 005AC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005AC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,005BCC08,00000000,?,00000000,?,?), ref: 005AC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 005AC5A4
_wcslen.LIBCMT ref: 005AC5F4
_wcslen.LIBCMT ref: 005AC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 005AC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 005AC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 005AC84D
RegCloseKey.ADVAPI32(?), ref: 005AC881
RegCloseKey.ADVAPI32(00000000), ref: 005AC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 005AC960

Strings

REG_MULTI_SZ, xrefs: 005AC6F5
REG_BINARY, xrefs: 005AC913
REG_QWORD, xrefs: 005AC8C3
REG_EXPAND_SZ, xrefs: 005AC5CD
REG_SZ, xrefs: 005AC644
REG_DWORD, xrefs: 005AC804

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: df58971c78f9c3b89a6e1abb8d059e2aa7387e2c09fc59d8ca4fc69903df1375
Instruction ID: 63966215606ba9e1b5d251bc80adb1cab06c4611521bfd1f7f59b8729e80008b
Opcode Fuzzy Hash: df58971c78f9c3b89a6e1abb8d059e2aa7387e2c09fc59d8ca4fc69903df1375
Instruction Fuzzy Hash: D31256356042129FDB14DF14D885A2ABFE5FF8A714F04885CF88A9B3A2DB31EC45CB85

Function 005B091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 005B09C6
_wcslen.LIBCMT ref: 005B0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 005B0A54
_wcslen.LIBCMT ref: 005B0A8A
_wcslen.LIBCMT ref: 005B0B06
_wcslen.LIBCMT ref: 005B0B81

Part of subcall function 0053F9F2: _wcslen.LIBCMT ref: 0053F9FD

Part of subcall function 00582BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00582BFA

Strings

GETTOTALCOUNT, xrefs: 005B09F2, 005B0A17
GETSELECTED, xrefs: 005B0C4E
EXISTS, xrefs: 005B0B7C, 005B0B97
GETITEMCOUNT, xrefs: 005B0C1E
ISCHECKED, xrefs: 005B0CE1
EXPAND, xrefs: 005B0BF8
COLLAPSE, xrefs: 005B0B01, 005B0B1C
CHECK, xrefs: 005B0A85, 005B0AA0
GETTEXT, xrefs: 005B0C97
UNCHECK, xrefs: 005B0D3E
SELECT, xrefs: 005B0D11

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 1d0be9f5eb42bebee51bc21fcf6f470bc7202b5905f6122f3dafdd545122a632
Instruction ID: 5211971806af79e3e071a8c6e0f7fff2a57951369ce346312df32d4e8517dfa3
Opcode Fuzzy Hash: 1d0be9f5eb42bebee51bc21fcf6f470bc7202b5905f6122f3dafdd545122a632
Instruction Fuzzy Hash: C5E167322083529FC714EF25C4509AABFE1BF99314F14895DE896AB3A2DB31FD45CB81

Function 005AC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,005AB6AE,?,?), ref: 005AC9B5
_wcslen.LIBCMT ref: 005AC9F1
_wcslen.LIBCMT ref: 005ACA68
_wcslen.LIBCMT ref: 005ACA9E
_wcslen.LIBCMT ref: 005ACAF9
_wcslen.LIBCMT ref: 005ACB2F
_wcslen.LIBCMT ref: 005ACB7F

Strings

HKCR, xrefs: 005ACB29, 005ACB2E
HKEY_CURRENT_USER, xrefs: 005ACBBD
HKLM, xrefs: 005ACA98, 005ACA9D
HKEY_LOCAL_MACHINE, xrefs: 005ACA62, 005ACA67
HKEY_CURRENT_CONFIG, xrefs: 005ACB79, 005ACB7E
HKCU, xrefs: 005ACBCE
HKEY_CLASSES_ROOT, xrefs: 005ACAF3, 005ACAF8
HKCC, xrefs: 005ACBAC
HKU, xrefs: 005ACBF0
HKEY_USERS, xrefs: 005ACBDF

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 52c84e28344566e9b5bb71cf4710eb619880887b2a2cda01c8a503b7b526c82d
Instruction ID: 0be6c30190f02a51874b6cc8a2cc55e7aa23a1ab19da7143239e42d455a2f11f
Opcode Fuzzy Hash: 52c84e28344566e9b5bb71cf4710eb619880887b2a2cda01c8a503b7b526c82d
Instruction Fuzzy Hash: F571E433A0016F8BCB20DE7CD9516BE3F91BFA6764F550524F8669B284EA31CD85C7A0

Function 005B833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005B835A
_wcslen.LIBCMT ref: 005B836E
_wcslen.LIBCMT ref: 005B8391
_wcslen.LIBCMT ref: 005B83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 005B83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,005B5BF2), ref: 005B844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 005B8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 005B84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 005B8501
FreeLibrary.KERNEL32(?), ref: 005B850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 005B851D
DestroyIcon.USER32(?,?,?,?,?,005B5BF2), ref: 005B852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 005B8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 005B8555

Strings

.exe, xrefs: 005B8388
.dll, xrefs: 005B83AB
.icl, xrefs: 005B8368

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: b6a13dc0bd8bf5802df5a61c7fd99ae66a44ed87dd4d311b9d92e2086b3c65c4
Instruction ID: c164989393829e5048ebf89f464fc8f503c802a6806ef400fd0de65c45d7fb81
Opcode Fuzzy Hash: b6a13dc0bd8bf5802df5a61c7fd99ae66a44ed87dd4d311b9d92e2086b3c65c4
Instruction Fuzzy Hash: 6261CD7154061ABAEB24DF64CC85BFE7FACBB48711F104609F815D61D1EB74A980DBA0

Function 00527778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#ce, xrefs: 005278ED
#OnAutoItStartRegister, xrefs: 00527817
Cannot parse #include, xrefs: 00565279
Unterminated group of comments, xrefs: 0056528C
", xrefs: 00565153
Bad directive syntax error, xrefs: 0056519A
', xrefs: 00565169
#notrayicon, xrefs: 005277E7
#requireadmin, xrefs: 005277FF
#include-once, xrefs: 0052782F
#comments-end, xrefs: 005278D9
#include, xrefs: 00527847
#pragma compile, xrefs: 005277D3
#comments-start, xrefs: 0052785F, 005278B1
#cs, xrefs: 00527873, 005278C5

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: bae01f2a03cde7713faec085f7c8aeea57d44262a675fde80074c7ed97498a01
Instruction ID: 76f2c59f9bad8b050629d835abab51411cbe8a80bb2d48592f833afa63282138
Opcode Fuzzy Hash: bae01f2a03cde7713faec085f7c8aeea57d44262a675fde80074c7ed97498a01
Instruction Fuzzy Hash: A181D67164461AABDB24AF61DC46FEE3F68FF9A300F044424F905AB1D2EB70D951C791

Function 00593E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00593EF8
_wcslen.LIBCMT ref: 00593F03
_wcslen.LIBCMT ref: 00593F5A
_wcslen.LIBCMT ref: 00593F98
GetDriveTypeW.KERNEL32(?), ref: 00593FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0059401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00594059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00594087

Strings

wait, xrefs: 00594044
set cd door , xrefs: 00594028
open, xrefs: 00593F54, 00593F59
type cdaudio alias cd wait, xrefs: 00594001
close, xrefs: 00593EFE, 00593F18
open , xrefs: 00593FE5
close cd wait, xrefs: 00594072
closed, xrefs: 00593F08, 00593F2D, 00593F46, 00593F7E, 00593F97

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: c8b0d543d66b1aae9c0337e650bce12a9b4fd976873ef165626ef67022244a75
Instruction ID: dd428a361e6ea1eaf9315f3ef9fdcb35c9711541ea6028317e2b21c01a0022ef
Opcode Fuzzy Hash: c8b0d543d66b1aae9c0337e650bce12a9b4fd976873ef165626ef67022244a75
Instruction Fuzzy Hash: DF71D2326042129FCB10DF24C88596ABFF4FFA9794F10492DF89597291EB34ED46CB91

Function 00585A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00585A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00585A40
SetWindowTextW.USER32(?,?), ref: 00585A57
GetDlgItem.USER32(?,000003EA), ref: 00585A6C
SetWindowTextW.USER32(00000000,?), ref: 00585A72
GetDlgItem.USER32(?,000003E9), ref: 00585A82
SetWindowTextW.USER32(00000000,?), ref: 00585A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00585AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00585AC3
GetWindowRect.USER32(?,?), ref: 00585ACC
_wcslen.LIBCMT ref: 00585B33
SetWindowTextW.USER32(?,?), ref: 00585B6F
GetDesktopWindow.USER32 ref: 00585B75
GetWindowRect.USER32(00000000), ref: 00585B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00585BD3
GetClientRect.USER32(?,?), ref: 00585BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00585C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00585C2F

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: cba2bc3cf96a9597907906456712a7b0e2c6aa41433c63d1751c0e17a26d23d9
Instruction ID: fd2cde1c786b715db5320a9a3a25d98738de1649978dd0d8de947eaf4eded576
Opcode Fuzzy Hash: cba2bc3cf96a9597907906456712a7b0e2c6aa41433c63d1751c0e17a26d23d9
Instruction Fuzzy Hash: 1E717E31900B05AFDB20EFA8CD85AAEBFF5FF58705F100A18E582B65A0E775A904CB14

Function 0059FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0059FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0059FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0059FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0059FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0059FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0059FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0059FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0059FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0059FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0059FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0059FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0059FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0059FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0059FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0059FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0059FECC
GetCursorInfo.USER32(?), ref: 0059FEDC
GetLastError.KERNEL32 ref: 0059FF1E

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: cd7471ad50cd223a1185ca745022afa97905da4e24835aaed49ea1b9735c4de1
Instruction ID: 18b3e0b97b35fbabd4ef08262f4181030d1202e06f6bab7426947dc936e3efb9
Opcode Fuzzy Hash: cd7471ad50cd223a1185ca745022afa97905da4e24835aaed49ea1b9735c4de1
Instruction Fuzzy Hash: FE4142B0D08319AADB10DFBA8C8985EBFE8FF44754B50452AE11DE7281DB78A901CF91

Function 005830F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0058318D
_wcslen.LIBCMT ref: 005831F8

Strings

INSTANCE, xrefs: 00583453
NAME, xrefs: 00583335, 00583346
CLASSNN, xrefs: 005831F3, 00583204
[^, xrefs: 0058339A
CLASS, xrefs: 00583188, 005831A5
REGEXPCLASS, xrefs: 00583255, 00583266
TEXT, xrefs: 0058347C

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[^
API String ID: 176396367-1827482509
Opcode ID: 21d4dec13860e830e166b918f6833d6d22d81acbf34b84fb547fb31d75c78813
Instruction ID: ab4b3a5451981d0745c986fb33c9d8c386e19054b36901730f9042f7bfb42a6e
Opcode Fuzzy Hash: 21d4dec13860e830e166b918f6833d6d22d81acbf34b84fb547fb31d75c78813
Instruction Fuzzy Hash: C1E10532A00516ABCF18AF68C4557EEBFB4BF44B10F548529EC56B7250EF30AE85CB90

Function 005B911E Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00539BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00539BB2

DragQueryPoint.SHELL32(?,?), ref: 005B9147

Part of subcall function 005B7674: ClientToScreen.USER32(?,?), ref: 005B769A
Part of subcall function 005B7674: GetWindowRect.USER32(?,?), ref: 005B7710
Part of subcall function 005B7674: PtInRect.USER32(?,?,005B8B89), ref: 005B7720

SendMessageW.USER32(?,000000B0,?,?), ref: 005B91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 005B91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 005B91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 005B9225
SendMessageW.USER32(?,000000B0,?,?), ref: 005B923E
SendMessageW.USER32(?,000000B1,?,?), ref: 005B9255
SendMessageW.USER32(?,000000B1,?,?), ref: 005B9277
DragFinish.SHELL32(?), ref: 005B927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 005B9371

Strings

@GUI_DRAGFILE, xrefs: 005B9320
@GUI_DRAGID, xrefs: 005B92E9
@GUI_DROPID, xrefs: 005B929E
(_, xrefs: 005B917D, 005B91EA
p#_, xrefs: 005B92BB

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: (_$@GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#_
API String ID: 221274066-3700274038
Opcode ID: b7838d261d7fcf359ec21f5e802a631f15b94d058a00dd47478816f253c18d85
Instruction ID: a76bf8bf10aa50ce71026e87306f5ac17487733a4c6aa5aafbc3ae2667378b84
Opcode Fuzzy Hash: b7838d261d7fcf359ec21f5e802a631f15b94d058a00dd47478816f253c18d85
Instruction Fuzzy Hash: 90615971108302AFC701DF54D889DAFBFE8FFD9750F000A2DB595962A1DB70AA49CB52

Function 005400C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 005400C6

Part of subcall function 005400ED: InitializeCriticalSectionAndSpinCount.KERNEL32(005F070C,00000FA0,F0E46881,?,?,?,?,005623B3,000000FF), ref: 0054011C
Part of subcall function 005400ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,005623B3,000000FF), ref: 00540127
Part of subcall function 005400ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,005623B3,000000FF), ref: 00540138
Part of subcall function 005400ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0054014E
Part of subcall function 005400ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0054015C
Part of subcall function 005400ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0054016A
Part of subcall function 005400ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00540195
Part of subcall function 005400ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 005401A0

___scrt_fastfail.LIBCMT ref: 005400E7

Part of subcall function 005400A3: __onexit.LIBCMT ref: 005400A9

Strings

kernel32.dll, xrefs: 00540133
WakeAllConditionVariable, xrefs: 00540162
SleepConditionVariableCS, xrefs: 00540154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00540122
InitializeConditionVariable, xrefs: 00540148

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: c287ee41e94982f25675a3ae7e293ce71d55b610a7c2df6c30a3e0e12fe7b60d
Instruction ID: caa8a16a9d47f7d4c60fdd9cd95f93320756fa1b53cf21b8a83a31c8a2143d36
Opcode Fuzzy Hash: c287ee41e94982f25675a3ae7e293ce71d55b610a7c2df6c30a3e0e12fe7b60d
Instruction Fuzzy Hash: 5B214932A417116FD7106B68AC49BAA3F98FB54B64F242225FA01E72D2DB74A800DB94

Function 005944C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,005BCC08), ref: 00594527
_wcslen.LIBCMT ref: 0059453B
_wcslen.LIBCMT ref: 00594599
_wcslen.LIBCMT ref: 005945F4
_wcslen.LIBCMT ref: 0059463F
_wcslen.LIBCMT ref: 005946A7

Part of subcall function 0053F9F2: _wcslen.LIBCMT ref: 0053F9FD

GetDriveTypeW.KERNEL32(?,005E6BF0,00000061), ref: 00594743

Strings

removable, xrefs: 005945EA, 005945EF
unknown, xrefs: 00594708
fixed, xrefs: 00594635, 0059463A
all, xrefs: 00594531, 00594536
network, xrefs: 0059469D, 005946A2
ramdisk, xrefs: 005946F1
cdrom, xrefs: 0059458F, 00594594

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 591d6d1573fcaa7f3d7e078e6f519b4de3201a010fb253076e46c28126626fc8
Instruction ID: 73b6e40eb443089a189fd331268c50cbfca13d5cd11cdbfc8bd044c1c3015ecf
Opcode Fuzzy Hash: 591d6d1573fcaa7f3d7e078e6f519b4de3201a010fb253076e46c28126626fc8
Instruction Fuzzy Hash: FDB1DC716083129BCB14DF28D890E6ABFE5BFA6760F50491DF49687291E730DC46CBA2

Function 005B6CD9 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 005B6DEB

Part of subcall function 00526B57: _wcslen.LIBCMT ref: 00526B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 005B6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 005B6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005B6E94
DestroyWindow.USER32(?), ref: 005B6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00520000,00000000), ref: 005B6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005B6EFD
GetDesktopWindow.USER32 ref: 005B6F16
GetWindowRect.USER32(00000000), ref: 005B6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 005B6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 005B6F4D

Part of subcall function 00539944: GetWindowLongW.USER32(?,000000EB), ref: 00539952

Strings

0, xrefs: 005B6D98
tooltips_class32, xrefs: 005B6E58, 005B6EDD
(_, xrefs: 005B6D0F, 005B6DCF, 005B6DF1, 005B6E04

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: (_$0$tooltips_class32
API String ID: 2429346358-3596104775
Opcode ID: c5fdb71e58b1809ec79c718ba2c4049880d1d7b08a9e8451ca34b8096445f2c9
Instruction ID: df2dd869ae27be342da8459332f9959d6adaab1318bfac590141ecd2bd411d94
Opcode Fuzzy Hash: c5fdb71e58b1809ec79c718ba2c4049880d1d7b08a9e8451ca34b8096445f2c9
Instruction Fuzzy Hash: C6716675504244AFDB21CF28DC88EBABFE9FB99304F04091DF9898B261C778E909DB15

Function 0052326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(005F1990), ref: 00562F8D
GetMenuItemCount.USER32(005F1990), ref: 0056303D
GetCursorPos.USER32(?), ref: 00563081
SetForegroundWindow.USER32(00000000), ref: 0056308A
TrackPopupMenuEx.USER32(005F1990,00000000,?,00000000,00000000,00000000), ref: 0056309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 005630A9

Strings

0, xrefs: 0052327D

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: aa2c36b913e0bf9809a9966857556b57b6ab784ba0d584ac1469c533cbfd520d
Instruction ID: 280cb651e4f26c6e45535760c72d52d79777e9825e73a1de3fa60c091d923d77
Opcode Fuzzy Hash: aa2c36b913e0bf9809a9966857556b57b6ab784ba0d584ac1469c533cbfd520d
Instruction Fuzzy Hash: F0710631640616BEEB219F64DC4AFAAFF69FF05324F204216F524AB1E1C7B1AD14DB90

Function 00538BCD Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00538F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00538BE8,?,00000000,?,?,?,?,00538BBA,00000000,?), ref: 00538FC5

DestroyWindow.USER32(?), ref: 00538C81
KillTimer.USER32(00000000,?,?,?,?,00538BBA,00000000,?), ref: 00538D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00576973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00538BBA,00000000,?), ref: 005769A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00538BBA,00000000,?), ref: 005769B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00538BBA,00000000), ref: 005769D4
DeleteObject.GDI32(00000000), ref: 005769E6

Strings

(_, xrefs: 00538C06

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID: (_
API String ID: 641708696-3503187703
Opcode ID: 40c4516055f12a3deebd18453a8b0b695c71d44df83c45049b6b4a4a779adad8
Instruction ID: 89a087a2b2e700f6aba75268a8ccf13bbf28433e575e6a64535fd6ba65e53bbc
Opcode Fuzzy Hash: 40c4516055f12a3deebd18453a8b0b695c71d44df83c45049b6b4a4a779adad8
Instruction Fuzzy Hash: 0A618B30502B05DFCB299F25DA48B397FF1FB60312F149918E0469B560CB75AD88EBA8

Function 0059C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0059C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0059C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0059C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0059C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0059C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0059C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0059C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0059C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0059C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0059C5F0
InternetCloseHandle.WININET(00000000), ref: 0059C5FB

Strings

, xrefs: 0059C575

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: b9381f8a2f1cdfa007d7dcdcade7b04004bc2d4341827318b8f25ed959953478
Instruction ID: ee7b8796849c4dbf1697cfe32b0a0d7dad14b59c4488825c1ff8a529145ec048
Opcode Fuzzy Hash: b9381f8a2f1cdfa007d7dcdcade7b04004bc2d4341827318b8f25ed959953478
Instruction Fuzzy Hash: 70514AB1600209BFEF218F65C988AAB7FFCFF59754F004519F94696250EB34E948AB60

Function 00539838 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00539944: GetWindowLongW.USER32(?,000000EB), ref: 00539952

GetSysColor.USER32(0000000F), ref: 00539862

Strings

(_, xrefs: 0053987C

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID: (_
API String ID: 259745315-3503187703
Opcode ID: 1c90466e8c6b4c9e2c82efa7add4d1a3827a9f4da976d0152dc79624fca5e4ad
Instruction ID: e05cc25274b457ef2075a9dd40c8db3e3bf61d992059d17c178a314038d694c0
Opcode Fuzzy Hash: 1c90466e8c6b4c9e2c82efa7add4d1a3827a9f4da976d0152dc79624fca5e4ad
Instruction Fuzzy Hash: 7E41C471104644AFDB205F3CAC88BBA7F65FB96330F144645F9A2972E1D7B19C42EB60

Function 005B856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 005B8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005B85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005B85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005B85BA
GlobalLock.KERNEL32(00000000), ref: 005B85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005B85D7
GlobalUnlock.KERNEL32(00000000), ref: 005B85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005B85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005B85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,005BFC38,?), ref: 005B8611
GlobalFree.KERNEL32(00000000), ref: 005B8621
GetObjectW.GDI32(?,00000018,?), ref: 005B8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 005B8671
DeleteObject.GDI32(?), ref: 005B8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 005B86AF

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 079d1dde11912189af38c55ed5a9c15b951201ea48157f0926924cfa9411a047
Instruction ID: b9d3c6b1398fb4df538e0b6ebec8854ab7efaac396244f4a5e8942896ecfdcb2
Opcode Fuzzy Hash: 079d1dde11912189af38c55ed5a9c15b951201ea48157f0926924cfa9411a047
Instruction Fuzzy Hash: A0411875600209BFDB519FA9CC48EAABFBCFB99711F104158F905E72A0DB30A905DB24

Function 005914BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00591502
VariantCopy.OLEAUT32(?,?), ref: 0059150B
VariantClear.OLEAUT32(?), ref: 00591517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 005915FB
VarR8FromDec.OLEAUT32(?,?), ref: 00591657
VariantInit.OLEAUT32(?), ref: 00591708
SysFreeString.OLEAUT32(?), ref: 0059178C
VariantClear.OLEAUT32(?), ref: 005917D8
VariantClear.OLEAUT32(?), ref: 005917E7
VariantInit.OLEAUT32(00000000), ref: 00591823

Strings

Default, xrefs: 005916AF
%4d%02d%02d%02d%02d%02d, xrefs: 00591625

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 9a80a74f9fc8d6cc1f9788096f1eaf9757a8c6a966f91f7a944f659a4e3bb7a3
Instruction ID: 2a06961bc0d35a6ce3085be820ca9863c11358473af2b3436fc1dc2520dd01d6
Opcode Fuzzy Hash: 9a80a74f9fc8d6cc1f9788096f1eaf9757a8c6a966f91f7a944f659a4e3bb7a3
Instruction Fuzzy Hash: C7D1ED71A00927DBDF009F65E888B79BFB5FF85700F128856E446AB290DB30EC45DB65

Function 005AB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00529CB3: _wcslen.LIBCMT ref: 00529CBD

Part of subcall function 005AC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005AB6AE,?,?), ref: 005AC9B5
Part of subcall function 005AC998: _wcslen.LIBCMT ref: 005AC9F1
Part of subcall function 005AC998: _wcslen.LIBCMT ref: 005ACA68
Part of subcall function 005AC998: _wcslen.LIBCMT ref: 005ACA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005AB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005AB772
RegDeleteValueW.ADVAPI32(?,?), ref: 005AB80A
RegCloseKey.ADVAPI32(?), ref: 005AB87E
RegCloseKey.ADVAPI32(?), ref: 005AB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 005AB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 005AB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 005AB922
FreeLibrary.KERNEL32(00000000), ref: 005AB983
RegCloseKey.ADVAPI32(00000000), ref: 005AB994

Strings

RegDeleteKeyExW, xrefs: 005AB8FE
advapi32.dll, xrefs: 005AB8ED

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 4b48de97469a789dd14d3c307f6b96af7049718eb11e36e704a8011419369900
Instruction ID: 152683b75e46a0e845ad935dd1eff0fea6c645b45c6d15fc6ea9be2f3fc905dd
Opcode Fuzzy Hash: 4b48de97469a789dd14d3c307f6b96af7049718eb11e36e704a8011419369900
Instruction Fuzzy Hash: 56C15A30208242AFE714DF14C499B2ABFE5BF86318F14855CE59A8B2A3CB75ED45CBD1

Function 005B8D0E Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00539BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00539BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 005B8D5A
GetFocus.USER32 ref: 005B8D6A
GetDlgCtrlID.USER32(00000000), ref: 005B8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 005B8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 005B8ECF
GetMenuItemCount.USER32(?), ref: 005B8EEC
GetMenuItemID.USER32(?,00000000), ref: 005B8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 005B8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 005B8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 005B8FA1

Strings

0, xrefs: 005B8E9F
(_, xrefs: 005B8E63, 005B8E85

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: (_$0
API String ID: 1026556194-1774493740
Opcode ID: 4dab5ce2546a263c373efdf266044330cd0afbf236e51a982e36116c18df3695
Instruction ID: 67de988367bd783215cf407f934aedd0dc0d768ea00b4e0b50b87a77a862f09b
Opcode Fuzzy Hash: 4dab5ce2546a263c373efdf266044330cd0afbf236e51a982e36116c18df3695
Instruction Fuzzy Hash: 80819F715043019FDB20CF24C889ABBBFEDFB98354F141A19F98597291DB70E905DBA1

Function 005B541D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 005B5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005B5515
CharNextW.USER32(00000158), ref: 005B5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 005B5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 005B559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005B55AC

Strings

(_, xrefs: 005B545F

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID: (_
API String ID: 1350042424-3503187703
Opcode ID: d026e734e79d2480dea343ff5cb6ead8dd59475c81b1994019398277904cc0ab
Instruction ID: 08f9365e9e9b9adef9e79d5c1fb2827834a23ba5ae294c9bd8c6cdfd912ba89a
Opcode Fuzzy Hash: d026e734e79d2480dea343ff5cb6ead8dd59475c81b1994019398277904cc0ab
Instruction Fuzzy Hash: 9B61AA30900609EFDF249F64CC85EFE7FB9FB19321F104545F925AA290E774AA84DB60

Function 005A255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 005A25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 005A25E8
CreateCompatibleDC.GDI32(?), ref: 005A25F4
SelectObject.GDI32(00000000,?), ref: 005A2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 005A266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 005A26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 005A26D0
SelectObject.GDI32(?,?), ref: 005A26D8
DeleteObject.GDI32(?), ref: 005A26E1
DeleteDC.GDI32(?), ref: 005A26E8
ReleaseDC.USER32(00000000,?), ref: 005A26F3

Strings

(, xrefs: 005A268D

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 649c0066015702b3b02c30d17707cc6060233315d5a3c0a58e6495a7b9545771
Instruction ID: bb22def2e1ad619b65b6c2dd035cd96b8033e36b5e61be91424d3345321d4126
Opcode Fuzzy Hash: 649c0066015702b3b02c30d17707cc6060233315d5a3c0a58e6495a7b9545771
Instruction Fuzzy Hash: 1A61E275D00219EFCF04CFA8D989EAEBBB5FF48310F208529E956A7250D770A941DF64

Function 0055DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0055DAA1

Part of subcall function 0055D63C: _free.LIBCMT ref: 0055D659
Part of subcall function 0055D63C: _free.LIBCMT ref: 0055D66B
Part of subcall function 0055D63C: _free.LIBCMT ref: 0055D67D
Part of subcall function 0055D63C: _free.LIBCMT ref: 0055D68F
Part of subcall function 0055D63C: _free.LIBCMT ref: 0055D6A1
Part of subcall function 0055D63C: _free.LIBCMT ref: 0055D6B3
Part of subcall function 0055D63C: _free.LIBCMT ref: 0055D6C5
Part of subcall function 0055D63C: _free.LIBCMT ref: 0055D6D7
Part of subcall function 0055D63C: _free.LIBCMT ref: 0055D6E9
Part of subcall function 0055D63C: _free.LIBCMT ref: 0055D6FB
Part of subcall function 0055D63C: _free.LIBCMT ref: 0055D70D
Part of subcall function 0055D63C: _free.LIBCMT ref: 0055D71F
Part of subcall function 0055D63C: _free.LIBCMT ref: 0055D731

_free.LIBCMT ref: 0055DA96

Part of subcall function 005529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0055D7D1,00000000,00000000,00000000,00000000,?,0055D7F8,00000000,00000007,00000000,?,0055DBF5,00000000), ref: 005529DE
Part of subcall function 005529C8: GetLastError.KERNEL32(00000000,?,0055D7D1,00000000,00000000,00000000,00000000,?,0055D7F8,00000000,00000007,00000000,?,0055DBF5,00000000,00000000), ref: 005529F0

_free.LIBCMT ref: 0055DAB8
_free.LIBCMT ref: 0055DACD
_free.LIBCMT ref: 0055DAD8
_free.LIBCMT ref: 0055DAFA
_free.LIBCMT ref: 0055DB0D
_free.LIBCMT ref: 0055DB1B
_free.LIBCMT ref: 0055DB26
_free.LIBCMT ref: 0055DB5E
_free.LIBCMT ref: 0055DB65
_free.LIBCMT ref: 0055DB82
_free.LIBCMT ref: 0055DB9A

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 9826490c8e885e45d8e2d5619d5371f59cefc3dc67fa1c59e65d7ae46b09b7e4
Instruction ID: aa735865c77749154405dc833d8569d035997dc5d3f6ba4bef31da8b3f3276f7
Opcode Fuzzy Hash: 9826490c8e885e45d8e2d5619d5371f59cefc3dc67fa1c59e65d7ae46b09b7e4
Instruction Fuzzy Hash: 4D313D326046069FDB31AA39D859B967FF9FF41322F15441BE849E7291DA31AC88CB30

Function 0058365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0058369C
_wcslen.LIBCMT ref: 005836A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00583797
GetClassNameW.USER32(?,?,00000400), ref: 0058380C
GetDlgCtrlID.USER32(?), ref: 0058385D
GetWindowRect.USER32(?,?), ref: 00583882
GetParent.USER32(?), ref: 005838A0
ScreenToClient.USER32(00000000), ref: 005838A7
GetClassNameW.USER32(?,?,00000100), ref: 00583921
GetWindowTextW.USER32(?,?,00000400), ref: 0058395D

Strings

%s%u, xrefs: 00583734

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 2186ad177571160033323050751b70cea51fb35639af7d356c67146197d19aff
Instruction ID: 43f15cc7d5334c181772cbd1284b50112fb174f0ff91fc8f3b1d46c931ca93ac
Opcode Fuzzy Hash: 2186ad177571160033323050751b70cea51fb35639af7d356c67146197d19aff
Instruction Fuzzy Hash: C291A471204606AFD719EF24C885FEAFBA8FF44754F004629FD99E2190EB30EA45CB91

Function 00584954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00584994
GetWindowTextW.USER32(?,?,00000400), ref: 005849DA
_wcslen.LIBCMT ref: 005849EB
CharUpperBuffW.USER32(?,00000000), ref: 005849F7
_wcsstr.LIBVCRUNTIME ref: 00584A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00584A64
GetWindowTextW.USER32(?,?,00000400), ref: 00584A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00584AE6
GetClassNameW.USER32(?,?,00000400), ref: 00584B20
GetWindowRect.USER32(?,?), ref: 00584B8B

Strings

ThumbnailClass, xrefs: 00584A6F, 00584AF1

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: cf115a5a69d98da345b7987f3dd0eaf9a790be1d47197ba4729b4b7c0dc53468
Instruction ID: e59d52d232a05158bdb05fad38c03a55f9f6e9fe429b0e25da94b177e75ce805
Opcode Fuzzy Hash: cf115a5a69d98da345b7987f3dd0eaf9a790be1d47197ba4729b4b7c0dc53468
Instruction Fuzzy Hash: 74919D311042069BDB08EF14C985BBA7FE9FF84314F04856AFD85AA196EB34ED45CFA1

Function 005B3A23 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 005B3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 005B3AA0
GetWindowLongW.USER32(?,000000F0), ref: 005B3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 005B3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 005B3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 005B3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 005B3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 005B3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 005B3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 005B3C13

Strings

(_, xrefs: 005B3A67, 005B3A76, 005B3AAC, 005B3B01, 005B3C2A

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID: (_
API String ID: 312131281-3503187703
Opcode ID: 852437b29e6cb2a472cf58df3b4955487f49b33bef615478dbf93d2b845f13f0
Instruction ID: 9d4e271c789105e1f57f41f084b10229e554ff92858b6099000d01e6b46995f7
Opcode Fuzzy Hash: 852437b29e6cb2a472cf58df3b4955487f49b33bef615478dbf93d2b845f13f0
Instruction Fuzzy Hash: AE615775900248AFDB10DFA8CD85EEE7BB8FF49700F100199FA15AB2A1C774AE45DB50

Function 0058DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0058DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0058DC46
_wcslen.LIBCMT ref: 0058DC50
_wcsstr.LIBVCRUNTIME ref: 0058DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0058DCBC

Strings

\VarFileInfo\Translation, xrefs: 0058DCB4
StringFileInfo\, xrefs: 0058DC8F
DefaultLangCodepage, xrefs: 0058DD1F
%u.%u.%u.%u, xrefs: 0058DD9A
04090000, xrefs: 0058DCF2

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 6e7bcee14568810288afae664dfcf9c2f07f4743e9c10107d85ce2ec5f6f3351
Instruction ID: 1578dc92b4b1f5ac338bc46e398006e2e2ece6f501cdc5ae0a90a3d8b048e67a
Opcode Fuzzy Hash: 6e7bcee14568810288afae664dfcf9c2f07f4743e9c10107d85ce2ec5f6f3351
Instruction Fuzzy Hash: 5F41E0729402067ADB14B765DC4BEFF7FBCFF92754F100069F900A61C2EA64A90197B5

Function 005ACC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 005ACC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 005ACC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 005ACD48

Part of subcall function 005ACC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 005ACCAA
Part of subcall function 005ACC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 005ACCBD
Part of subcall function 005ACC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 005ACCCF
Part of subcall function 005ACC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 005ACD05
Part of subcall function 005ACC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 005ACD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 005ACCF3

Strings

RegDeleteKeyExW, xrefs: 005ACCC9
advapi32.dll, xrefs: 005ACCB8

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 81ddfe7c22faa7cca13003a9855c2399907b3d781683c37b0991b909d932ab4e
Instruction ID: bc651ce95fdeaabc4285f3f299e9c72b2da2bc8486dfb8ef1fcbebcfd4d93ffa
Opcode Fuzzy Hash: 81ddfe7c22faa7cca13003a9855c2399907b3d781683c37b0991b909d932ab4e
Instruction Fuzzy Hash: 0D319A71901128BBDB209B95DC88EFFBF7CEF16750F000165B916E6200DB709E49EAA4

Function 00593D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00593D40
_wcslen.LIBCMT ref: 00593D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00593D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00593DBE
RemoveDirectoryW.KERNEL32(?), ref: 00593DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00593E55
CloseHandle.KERNEL32(00000000), ref: 00593E60
CloseHandle.KERNEL32(00000000), ref: 00593E6B

Strings

\, xrefs: 00593D77
:, xrefs: 00593D82
\??\%s, xrefs: 00593D5B

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: b69c82903c55cb4024d288f5c5813443bb63c29b4101c7a03584f5f7b2a80ec4
Instruction ID: 55cfa43b580c4e94ad8333877cdbb483d9f7160d6dd7434d7c43738f8c48db84
Opcode Fuzzy Hash: b69c82903c55cb4024d288f5c5813443bb63c29b4101c7a03584f5f7b2a80ec4
Instruction Fuzzy Hash: 84318EB590420AABDB209BA0DC49FEB7BBCFF88744F1041B5F515D6060EB7097448B24

Function 0058E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0058E6B4

Part of subcall function 0053E551: timeGetTime.WINMM(?,?,0058E6D4), ref: 0053E555

Sleep.KERNEL32(0000000A), ref: 0058E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0058E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0058E727
SetActiveWindow.USER32 ref: 0058E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0058E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0058E773
Sleep.KERNEL32(000000FA), ref: 0058E77E
IsWindow.USER32 ref: 0058E78A
EndDialog.USER32(00000000), ref: 0058E79B

Strings

BUTTON, xrefs: 0058E719

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 9bb844ad152479ef39ed0ebedc64f0d845e514edc44ed87dd88612b2c6699b41
Instruction ID: c2efd65a86c5b47c0ef031f89bb9ab84daf906273bce0e505a0c3d234f0d82b8
Opcode Fuzzy Hash: 9bb844ad152479ef39ed0ebedc64f0d845e514edc44ed87dd88612b2c6699b41
Instruction Fuzzy Hash: 6E2130B0200245AFEB106F66EC8AE353F69F775749F101525F916E11A1DB65AC08EB28

Function 0058E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00529CB3: _wcslen.LIBCMT ref: 00529CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0058EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0058EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0058EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0058EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0058EAA7

Strings

close PlayMe, xrefs: 0058EA6E, 0058EA9B
status PlayMe mode, xrefs: 0058EA58
alias PlayMe, xrefs: 0058EA36
play PlayMe wait, xrefs: 0058EA91
open , xrefs: 0058EA0C
play PlayMe, xrefs: 0058EAA2

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 950ba71d8ded73b553baa28d354652150be1bdf43339c2330ad00b5cfd6ddf1c
Instruction ID: 124b9afcbe326911e816001e5d59b62787237ec12382ca0595d6c69442e6e6ad
Opcode Fuzzy Hash: 950ba71d8ded73b553baa28d354652150be1bdf43339c2330ad00b5cfd6ddf1c
Instruction Fuzzy Hash: 4E11122165026A79D728E766DC4FDFF6E7CFFE2F80F400429B851A20D1DA705945C6B0

Function 00585CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00585CE2
GetWindowRect.USER32(00000000,?), ref: 00585CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00585D59
GetDlgItem.USER32(?,00000002), ref: 00585D69
GetWindowRect.USER32(00000000,?), ref: 00585D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00585DCF
GetDlgItem.USER32(?,000003E9), ref: 00585DDD
GetWindowRect.USER32(00000000,?), ref: 00585DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00585E31
GetDlgItem.USER32(?,000003EA), ref: 00585E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00585E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00585E67

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 7ae34c2e24d5871d266f6fcbfce3ad2e6765881f47ed5ae53c5250d8f6eb0af5
Instruction ID: f14492a1832c27278684f417bd27591b07e040eed6a14176e0108981130595d7
Opcode Fuzzy Hash: 7ae34c2e24d5871d266f6fcbfce3ad2e6765881f47ed5ae53c5250d8f6eb0af5
Instruction Fuzzy Hash: FE51F071B00605AFDF18DF68DD89AAE7FB9FB58301F548229F915E6290D770AE04CB50

Function 00558D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.T, xrefs: 0055903A, 00558FD0, 00558FF2

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID:
String ID: .T
API String ID: 0-3315649315
Opcode ID: f565283d504b8f236ecb72fc2f8528d766978208883732dac3c95be69474bdf8
Instruction ID: 249f21ae292bf7ced5e2cd6e6f1f3ab0a040504fe1d2b38457f2f2865cf77918
Opcode Fuzzy Hash: f565283d504b8f236ecb72fc2f8528d766978208883732dac3c95be69474bdf8
Instruction Fuzzy Hash: B7C1F274904249EFCF11DFA8C859BBDBFB0BF59311F08449AE814A72E2C7349949CB60

Function 005B50D4 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 005B5186
ShowWindow.USER32(?,00000000), ref: 005B51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 005B51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 005B51D1

Part of subcall function 005B6FBA: DeleteObject.GDI32(00000000), ref: 005B6FE6

GetWindowLongW.USER32(?,000000F0), ref: 005B520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 005B521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 005B524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 005B5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 005B5296

Strings

(_, xrefs: 005B5104

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID: (_
API String ID: 3210457359-3503187703
Opcode ID: 571ab649359df7e56f0f3889ae56844e2f215a75edb5e22765d9f3c51a5748a4
Instruction ID: 8aaca50fba14ef5d27fefc7a396dbaa687cb9eeee0820ed3f2705a66bca6bee2
Opcode Fuzzy Hash: 571ab649359df7e56f0f3889ae56844e2f215a75edb5e22765d9f3c51a5748a4
Instruction Fuzzy Hash: 1451D234A42A09FFEF289F28DC4ABD87F65FB45320F144112F6559A2E0E7B5B984DB40

Function 005B8B02 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00539BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00539BB2

Part of subcall function 0053912D: GetCursorPos.USER32(?), ref: 00539141
Part of subcall function 0053912D: ScreenToClient.USER32(00000000,?), ref: 0053915E
Part of subcall function 0053912D: GetAsyncKeyState.USER32(00000001), ref: 00539183
Part of subcall function 0053912D: GetAsyncKeyState.USER32(00000002), ref: 0053919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 005B8B6B
ImageList_EndDrag.COMCTL32 ref: 005B8B71
ReleaseCapture.USER32 ref: 005B8B77
SetWindowTextW.USER32(?,00000000), ref: 005B8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 005B8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 005B8CFF

Strings

@GUI_DRAGFILE, xrefs: 005B8C9A
p#_, xrefs: 005B8C71
@GUI_DROPID, xrefs: 005B8C51
(_, xrefs: 005B8BB4, 005B8BEE

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: (_$@GUI_DRAGFILE$@GUI_DROPID$p#_
API String ID: 1924731296-2102334802
Opcode ID: 36e2b93b9cc63d6c8f17129aab2e52ed7d1cc36880b2f6bf26ee326fa51eafe8
Instruction ID: 6924af96848f588ebb123e4051e54eb33ddfca6d24e46ed1296483a1efebdeb2
Opcode Fuzzy Hash: 36e2b93b9cc63d6c8f17129aab2e52ed7d1cc36880b2f6bf26ee326fa51eafe8
Instruction Fuzzy Hash: E6516C71104205AFD704DF14D959FBA7FE4FB98710F000629F996AB2E1CB75AD08CBA6

Function 005896E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0056F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00589717
LoadStringW.USER32(00000000,?,0056F7F8,00000001), ref: 00589720

Part of subcall function 00529CB3: _wcslen.LIBCMT ref: 00529CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0056F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00589742
LoadStringW.USER32(00000000,?,0056F7F8,00000001), ref: 00589745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00589866

Strings

Error: , xrefs: 0058981D
^ ERROR, xrefs: 005897FB
Line %d (File "%s"):, xrefs: 0058978F
%s (%d) : ==> %s: %s %s, xrefs: 0058984A
Line %d:, xrefs: 005897A0

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: be37ade258cb7e453db17e2b6aa7f89d963defbd17f07b8908cfebd6e4a632e3
Instruction ID: 3fb0e8be180150c4193c193c924db437e467d13d9360e7e2fc3dc44b2d2ea4e9
Opcode Fuzzy Hash: be37ade258cb7e453db17e2b6aa7f89d963defbd17f07b8908cfebd6e4a632e3
Instruction Fuzzy Hash: 3B411E7280021AAACF04FBA0DD9ADFE7B78BFA5340F240465F505721D1EA356F48CB61

Function 005806DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00526B57: _wcslen.LIBCMT ref: 00526B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 005807A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 005807BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 005807DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00580804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0058082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00580837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0058083C

Strings

\CLSID, xrefs: 00580724
SOFTWARE\Classes\, xrefs: 0058070E
\IPC$, xrefs: 00580784

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 444d2db1e824a7c0210be9d3f0014b2234fcd224910c65366b0757d1aff4895c
Instruction ID: 4469f339ad02d69d2984d81217e7d989688da37e889d66afbdd13aa572b0ec29
Opcode Fuzzy Hash: 444d2db1e824a7c0210be9d3f0014b2234fcd224910c65366b0757d1aff4895c
Instruction Fuzzy Hash: FC41F972C10229ABDF15EBA4DC998EDBB78FF54750F144565E901B31A1EB30AE48CF90

Function 005B3C46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 005B3C79
SetMenu.USER32(?,00000000), ref: 005B3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005B3D10
IsMenu.USER32(?), ref: 005B3D24
CreatePopupMenu.USER32 ref: 005B3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 005B3D5B
DrawMenuBar.USER32 ref: 005B3D63

Strings

0, xrefs: 005B3C54
(_, xrefs: 005B3CCF, 005B3CEC
F, xrefs: 005B3D4E

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: (_$0$F
API String ID: 161812096-3228153470
Opcode ID: 546eeff48f61b5a83ff28414b2da583cff86215d09ef176c68f828ba9cf8a452
Instruction ID: 3130f180a49fd5eb7903b3aec62e9e82c46d45224fa9f0086b75385d3b15d1f7
Opcode Fuzzy Hash: 546eeff48f61b5a83ff28414b2da583cff86215d09ef176c68f828ba9cf8a452
Instruction Fuzzy Hash: 0C418878A01209EFDB24CFA4D884AEA7FB5FF59340F140129F946A73A0D770BA14DB94

Function 005A3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005A3C5C
CoInitialize.OLE32(00000000), ref: 005A3C8A
CoUninitialize.OLE32 ref: 005A3C94
_wcslen.LIBCMT ref: 005A3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 005A3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 005A3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 005A3F0E
CoGetObject.OLE32(?,00000000,005BFB98,?), ref: 005A3F2D
SetErrorMode.KERNEL32(00000000), ref: 005A3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 005A3FC4
VariantClear.OLEAUT32(?), ref: 005A3FD8

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 408884bcc5f48b6540eb1052246086ac25cffd45e342f7230d060b57683dcb8f
Instruction ID: 407ea564578e4e286ef8adf819a03043f44e7a3812877d5f535dc729f550eb92
Opcode Fuzzy Hash: 408884bcc5f48b6540eb1052246086ac25cffd45e342f7230d060b57683dcb8f
Instruction Fuzzy Hash: 97C114716083059FD700DF68C88492BBBE9FF8A748F14495DF98A9B261D731EE05CB52

Function 00597A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00597AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00597B8F
SHGetDesktopFolder.SHELL32(?), ref: 00597BA3
CoCreateInstance.OLE32(005BFD08,00000000,00000001,005E6E6C,?), ref: 00597BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00597C74
CoTaskMemFree.OLE32(?,?), ref: 00597CCC
SHBrowseForFolderW.SHELL32(?), ref: 00597D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00597D7A
CoTaskMemFree.OLE32(00000000), ref: 00597D81
CoTaskMemFree.OLE32(00000000), ref: 00597DD6
CoUninitialize.OLE32 ref: 00597DDC

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: ce5c491d73690feb46e55364a89593b9568939376eff1d67b0a15ae87afd9df0
Instruction ID: 1960603a7945a699bb60a0e0ef03ffc271639d865cea41539e265a8eefa6c4a3
Opcode Fuzzy Hash: ce5c491d73690feb46e55364a89593b9568939376eff1d67b0a15ae87afd9df0
Instruction Fuzzy Hash: 2AC10975A04219AFDB14DF64C888DAEBFB9FF48304F148599F8199B261D730EE45CB90

Function 0057FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0057FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0057FB08
VariantInit.OLEAUT32(?), ref: 0057FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0057FB3A
VariantCopy.OLEAUT32(?,?), ref: 0057FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0057FBA1
VariantClear.OLEAUT32(?), ref: 0057FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0057FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0057FBCC
VariantClear.OLEAUT32(?), ref: 0057FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0057FBE9

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: cdbb3e452b721ba92bc47eaba852f3c7f29ce76153a1d94fc71a6e1050e9feaf
Instruction ID: 2adf097f784b6f62be67dbe893641d5eb8089dcaeadcf10c2d31e7c2978263ad
Opcode Fuzzy Hash: cdbb3e452b721ba92bc47eaba852f3c7f29ce76153a1d94fc71a6e1050e9feaf
Instruction Fuzzy Hash: 33416235A0021ADFCF00DF64D8589AEBFB9FF58345F00C465E959A7261DB30AA45DFA0

Function 00589C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00589CA1
GetAsyncKeyState.USER32(000000A0), ref: 00589D22
GetKeyState.USER32(000000A0), ref: 00589D3D
GetAsyncKeyState.USER32(000000A1), ref: 00589D57
GetKeyState.USER32(000000A1), ref: 00589D6C
GetAsyncKeyState.USER32(00000011), ref: 00589D84
GetKeyState.USER32(00000011), ref: 00589D96
GetAsyncKeyState.USER32(00000012), ref: 00589DAE
GetKeyState.USER32(00000012), ref: 00589DC0
GetAsyncKeyState.USER32(0000005B), ref: 00589DD8
GetKeyState.USER32(0000005B), ref: 00589DEA

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 9a6320df1008e85e415cc19751da2b37a8b4738bd1c1b2073205ae7e70b24a60
Instruction ID: 315512eccf782b31164e2fd7fba23fea14355b3f4d3acb12a33ac9d7d4988259
Opcode Fuzzy Hash: 9a6320df1008e85e415cc19751da2b37a8b4738bd1c1b2073205ae7e70b24a60
Instruction Fuzzy Hash: 85419534605BC96EFF71A664C8043B5BEA07B21344F0C805ADEC6765C2DBA5ADC8C7A6

Function 005A055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 005A05BC
inet_addr.WSOCK32(?), ref: 005A061C
gethostbyname.WSOCK32(?), ref: 005A0628
IcmpCreateFile.IPHLPAPI ref: 005A0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 005A06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 005A06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 005A07B9
WSACleanup.WSOCK32 ref: 005A07BF

Strings

Ping, xrefs: 005A0676

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 5341423a39373cbfdc201dfa070b888c1a8819cf9104b90ab8684189bcf23f29
Instruction ID: 96b93e27f119230fc4e416573f52a6769733fec5d302e84e0b43a9fa7d214723
Opcode Fuzzy Hash: 5341423a39373cbfdc201dfa070b888c1a8819cf9104b90ab8684189bcf23f29
Instruction Fuzzy Hash: FD917A356142019FD720DF15D489B1ABFE0FF8A318F1489A9E46A9B6A2C730FC45CF91

Function 005A8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 005A8CF3

Part of subcall function 00588E54: _wcslen.LIBCMT ref: 00588E77

_wcslen.LIBCMT ref: 005A8D4E
_wcslen.LIBCMT ref: 005A8D9C
_wcslen.LIBCMT ref: 005A8DDC
_wcslen.LIBCMT ref: 005A8E6E

Strings

cdecl, xrefs: 005A8D48, 005A8D4D
none, xrefs: 005A8E65, 005A8E6A
winapi, xrefs: 005A8D96, 005A8D9B
stdcall, xrefs: 005A8DD6, 005A8DDB

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 98218c3e5622d37b8e3bd5c2fab55034cd6808248ceac60c618e82c3b224bc71
Instruction ID: c39133632e17d08139e04c869623dafced9af0aaa35ee87e22669c06b553ae0f
Opcode Fuzzy Hash: 98218c3e5622d37b8e3bd5c2fab55034cd6808248ceac60c618e82c3b224bc71
Instruction Fuzzy Hash: E5519171A00116DBCF14DF68C9509BEBBA9BF66724B244629E866E72C4EF31DD40C790

Function 005A372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 005A3774
CoUninitialize.OLE32 ref: 005A377F
CoCreateInstance.OLE32(?,00000000,00000017,005BFB78,?), ref: 005A37D9
IIDFromString.OLE32(?,?), ref: 005A384C
VariantInit.OLEAUT32(?), ref: 005A38E4
VariantClear.OLEAUT32(?), ref: 005A3936

Strings

Failed to create object, xrefs: 005A37E4, 005A389A
Invalid parameter, xrefs: 005A3865
NULL Pointer assignment, xrefs: 005A381E

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: bc5e50993921294214b5b37e7e3d30822a2d0523ecd6b4112fb56a12b10f1aa0
Instruction ID: 8f585fce80aafe3888156e854d20ad667704b891bc7eaca5cd430d7cc1d65d42
Opcode Fuzzy Hash: bc5e50993921294214b5b37e7e3d30822a2d0523ecd6b4112fb56a12b10f1aa0
Instruction Fuzzy Hash: 8B616B70608212AFD310DF54D849A6EBFE8FF8A718F100919F9859B291D774EE48CB92

Function 00593388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 005933CF

Part of subcall function 00529CB3: _wcslen.LIBCMT ref: 00529CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 005933F0

Strings

Error: , xrefs: 005934D1
^ ERROR , xrefs: 0059349E
Line %d (File "%s"):, xrefs: 00593443, 0059345C
"%s" (%d) : ==> %s:%s%s, xrefs: 00593504
"%s" (%d) : ==> %s:, xrefs: 00593522
Incorrect parameters to object property !, xrefs: 005934AB

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 8338b8261ff52c5a64156ed5820d58148c81084ccdcd98b9870858f82c4f4d7d
Instruction ID: 409208b8dcbc2f2cf4b6c51b97510df7473b65186b2a9a5b3eb6d2da833769d1
Opcode Fuzzy Hash: 8338b8261ff52c5a64156ed5820d58148c81084ccdcd98b9870858f82c4f4d7d
Instruction Fuzzy Hash: 0751AF7280021AAACF14EBA0DD4AEFEBB78BF65340F244465F405720A1EB352F58DB60

Function 0058B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0058B5FC
_wcslen.LIBCMT ref: 0058B608
_wcslen.LIBCMT ref: 0058B64D
_wcslen.LIBCMT ref: 0058B68C
_wcslen.LIBCMT ref: 0058B6C7

Strings

APPEND, xrefs: 0058B6C1, 0058B6C6
EXISTS, xrefs: 0058B686, 0058B68B
REMOVE, xrefs: 0058B602, 0058B607
KEYS, xrefs: 0058B647, 0058B64C

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 4e15f75f856087dc7ab5a1feebb2ba23a8335c5a1afff842ffbab429b1d7eab6
Instruction ID: 98b26785f71271e3a77770a49781de227bb3b2c90d274d125f32a7545042792d
Opcode Fuzzy Hash: 4e15f75f856087dc7ab5a1feebb2ba23a8335c5a1afff842ffbab429b1d7eab6
Instruction Fuzzy Hash: 7841A732A001279ADB107F7E88915BE7FA9FFA1794B254629E861E7284F731CD81C790

Function 00595393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005953A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00595416
GetLastError.KERNEL32 ref: 00595420
SetErrorMode.KERNEL32(00000000,READY), ref: 005954A7

Strings

INVALID, xrefs: 00595459
UNKNOWN, xrefs: 00595444
READONLY, xrefs: 00595452
NOTREADY, xrefs: 0059544B
READY, xrefs: 00595460, 00595468

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 66e9d9ad4078ac2b46944d3c8821bc8b32479a79ea36f43f173bca49d3289ea6
Instruction ID: 61026827549e90a17a57a4c2886960cfccfbeb429fee1e399221b5d22f2bebbc
Opcode Fuzzy Hash: 66e9d9ad4078ac2b46944d3c8821bc8b32479a79ea36f43f173bca49d3289ea6
Instruction Fuzzy Hash: 8631CE35A002059FCF52DF68C888AAABFF4FF55345F548065E409DB292E770ED96CB90

Function 00581EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00529CB3: _wcslen.LIBCMT ref: 00529CBD

Part of subcall function 00583CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00583CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00581F64
GetDlgCtrlID.USER32 ref: 00581F6F
GetParent.USER32 ref: 00581F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00581F8E
GetDlgCtrlID.USER32(?), ref: 00581F97
GetParent.USER32(?), ref: 00581FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00581FAE

Strings

ComboBox, xrefs: 00581EEC
ListBox, xrefs: 00581F21

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: f897c321ac0d9f0f7fe9cc54be96b28b95b6cecc1fa488ea5ea5bcd019c68bab
Instruction ID: 2adc876cb84498f0dfef03c3bef7b202012404a3379385bc2ef4ca5f340fc7e4
Opcode Fuzzy Hash: f897c321ac0d9f0f7fe9cc54be96b28b95b6cecc1fa488ea5ea5bcd019c68bab
Instruction Fuzzy Hash: 0A21B074A00214BBDF04AFA4DC89DEEBFB8BF5A310F000215BA616B2D1DB745909DB64

Function 00552C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00552C94

Part of subcall function 005529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0055D7D1,00000000,00000000,00000000,00000000,?,0055D7F8,00000000,00000007,00000000,?,0055DBF5,00000000), ref: 005529DE
Part of subcall function 005529C8: GetLastError.KERNEL32(00000000,?,0055D7D1,00000000,00000000,00000000,00000000,?,0055D7F8,00000000,00000007,00000000,?,0055DBF5,00000000,00000000), ref: 005529F0

_free.LIBCMT ref: 00552CA0
_free.LIBCMT ref: 00552CAB
_free.LIBCMT ref: 00552CB6
_free.LIBCMT ref: 00552CC1
_free.LIBCMT ref: 00552CCC
_free.LIBCMT ref: 00552CD7
_free.LIBCMT ref: 00552CE2
_free.LIBCMT ref: 00552CED
_free.LIBCMT ref: 00552CFB

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a8bc8844eb46730b95bcfb815eb9204dc16e596dd6ebb4fdea2a943e79137d81
Instruction ID: f397b0da501c30dfdc929e1b26ddb30d5d2b9fb9411635144a3cf8389b06cc71
Opcode Fuzzy Hash: a8bc8844eb46730b95bcfb815eb9204dc16e596dd6ebb4fdea2a943e79137d81
Instruction Fuzzy Hash: 84119276100109AFCB02EF94D896CDD3FB5FF46351F5144A6FA48AB322DA31EA949B90

Function 00597DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00597FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00597FC1
GetFileAttributesW.KERNEL32(?), ref: 00597FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00598005
SetCurrentDirectoryW.KERNEL32(?), ref: 00598017
SetCurrentDirectoryW.KERNEL32(?), ref: 00598060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 005980B0

Strings

*.*, xrefs: 00598066

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 9da2ad8f00dc55fccee17e5cca802ab463b415e2322009d8365afb3d81a73141
Instruction ID: 8a9eb0bd54ed1ee0a52c07a6d0c5048ca94554a52394e5db96d26440c18f8869
Opcode Fuzzy Hash: 9da2ad8f00dc55fccee17e5cca802ab463b415e2322009d8365afb3d81a73141
Instruction Fuzzy Hash: 7F81A0725182099BCF20EF24C8499AEBBE8BF89314F544C5FF885D7250EB34ED498B52

Function 005B7E9E Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00EC5F28), ref: 005B7F37
IsWindowEnabled.USER32(00EC5F28), ref: 005B7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 005B801E
SendMessageW.USER32(00EC5F28,000000B0,?,?), ref: 005B8051
IsDlgButtonChecked.USER32(?,?), ref: 005B8089
GetWindowLongW.USER32(00EC5F28,000000EC), ref: 005B80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 005B80C3

Strings

(_, xrefs: 005B7ED2, 005B7F51, 005B7FFF

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID: (_
API String ID: 4072528602-3503187703
Opcode ID: 9b46b998f29d6e4fa3244936a11c13970907fe89075bf580da993e77b411af8a
Instruction ID: f5c57812c108482efbce266f27fec2e169760ac0902e9f62268ef5c213f2ec6d
Opcode Fuzzy Hash: 9b46b998f29d6e4fa3244936a11c13970907fe89075bf580da993e77b411af8a
Instruction Fuzzy Hash: 4471BF34609648AFEB209F64C888FFABFB9FF9D340F140459E955972A1CB31B845DB24

Function 00525BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00525C7A

Part of subcall function 00525D0A: GetClientRect.USER32(?,?), ref: 00525D30
Part of subcall function 00525D0A: GetWindowRect.USER32(?,?), ref: 00525D71
Part of subcall function 00525D0A: ScreenToClient.USER32(?,?), ref: 00525D99

GetDC.USER32 ref: 005646F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00564708
SelectObject.GDI32(00000000,00000000), ref: 00564716
SelectObject.GDI32(00000000,00000000), ref: 0056472B
ReleaseDC.USER32(?,00000000), ref: 00564733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 005647C4

Strings

U, xrefs: 00564693

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: fa6585eaf06f5239471a11fdcc6a5130b44817822027ef4e00db009e9a55df1c
Instruction ID: ddcd6a83a8f6fbdd9ba08306a56d12a2298e107851747f2356c8d157a727765d
Opcode Fuzzy Hash: fa6585eaf06f5239471a11fdcc6a5130b44817822027ef4e00db009e9a55df1c
Instruction Fuzzy Hash: EC71DF31400205DFCF258F64C984ABA7FB5FF9A360F144269ED556B2A6D7319C82EF60

Function 0059359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 005935E4

Part of subcall function 00529CB3: _wcslen.LIBCMT ref: 00529CBD

LoadStringW.USER32(005F2390,?,00000FFF,?), ref: 0059360A

Strings

Error: , xrefs: 005936EF
^ ERROR, xrefs: 005936C9
Line %d (File "%s"):, xrefs: 0059366B
"%s" (%d) : ==> %s:%s%s, xrefs: 00593724
"%s" (%d) : ==> %s:, xrefs: 00593742

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 3a9ba207c0380628c79017aa5c90d9e19ba1e1007fa55cc32f2973bc78752f81
Instruction ID: de15ad1b4953d8c88fac88465ee64f5c2c56da243cefe1d1ca3468363990ae4d
Opcode Fuzzy Hash: 3a9ba207c0380628c79017aa5c90d9e19ba1e1007fa55cc32f2973bc78752f81
Instruction Fuzzy Hash: F5514C7280021AEACF15EBA0DC46EEDBF74FF65340F144525F505721A1DB352B98DB61

Function 005B2DFD Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 005B2E1C
GetWindowLongW.USER32(?,000000F0), ref: 005B2E4F
GetWindowLongW.USER32(?,000000F0), ref: 005B2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 005B2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 005B2EE0
GetWindowLongW.USER32(?,000000F0), ref: 005B2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 005B2F0B

Strings

(_, xrefs: 005B2E00, 005B2E34, 005B2E69, 005B2EA1, 005B2EC5, 005B2EFD

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: (_
API String ID: 2178440468-3503187703
Opcode ID: b3f0a76967e67187c7add5244384f63f8f278208179733cb471e94554ed20932
Instruction ID: 2c190bfd7f7668d31667b3ca0d2727e9ae545ea5e74d12183ef5fd154c7deb73
Opcode Fuzzy Hash: b3f0a76967e67187c7add5244384f63f8f278208179733cb471e94554ed20932
Instruction Fuzzy Hash: D631F230644250AFDB218F59DD84FA53BA9FBAA710F150164F904CF2B1CBB1F844EB65

Function 0059C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0059C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0059C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0059C2CA
GetLastError.KERNEL32 ref: 0059C322
SetEvent.KERNEL32(?), ref: 0059C336
InternetCloseHandle.WININET(00000000), ref: 0059C341

Strings

, xrefs: 0059C2BB

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 48309e4fd4adcb525a8f7135c12cc173b839d142028c201146a9f856a8a4774e
Instruction ID: 7bfbc7774d81b32ea6038c62f309ebdb25cd4ee3b6befa1d8fbb488b9d3bb3c0
Opcode Fuzzy Hash: 48309e4fd4adcb525a8f7135c12cc173b839d142028c201146a9f856a8a4774e
Instruction Fuzzy Hash: BD317CB1600208AFDF219F648D88AAB7FFCFB59744B10891EF48692201DB34ED089B65

Function 0058989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00563AAF,?,?,Bad directive syntax error,005BCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 005898BC
LoadStringW.USER32(00000000,?,00563AAF,?), ref: 005898C3

Part of subcall function 00529CB3: _wcslen.LIBCMT ref: 00529CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00589987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 005898F1
Line %d (File "%s"):, xrefs: 0058992D
., xrefs: 0058996D
Error: , xrefs: 00589955
Line %d:, xrefs: 00589912

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 3769a93ef3ed32cbcd7017e68d1418cb31b50f09d9e82216a848956797d3c417
Instruction ID: a34f8789996aa47cce1d08d2243159be5dfc72785e6af7e9ada8595dca09bb98
Opcode Fuzzy Hash: 3769a93ef3ed32cbcd7017e68d1418cb31b50f09d9e82216a848956797d3c417
Instruction Fuzzy Hash: 96217132C0021AABCF15EF90DC5AEED7F35BF69340F084825F515720A1EB75AA18DB10

Function 0058209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 005820AB
GetClassNameW.USER32(00000000,?,00000100), ref: 005820C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0058214D

Strings

list, xrefs: 0058212F
smallicons, xrefs: 00582115
details, xrefs: 005820FB
SHELLDLL_DefView, xrefs: 005820CC
largeicons, xrefs: 005820E1

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: eb2e5ad760fa56571dcbaa1e3eb9365410c22c326e9d0dc81209ed3eba734502
Instruction ID: a7eaed66f81bde03b34706bd8cc6a9b6e317117f73247d2a8cc580bfbda92587
Opcode Fuzzy Hash: eb2e5ad760fa56571dcbaa1e3eb9365410c22c326e9d0dc81209ed3eba734502
Instruction Fuzzy Hash: 1111C17A688707BAF60976259C0EDE63F9DFB14328F30011AFB45B90D1FAA168459B18

Function 0055CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0055CEB7
_free.LIBCMT ref: 0055CF22
_free.LIBCMT ref: 0055CF48
_free.LIBCMT ref: 0055CF71
_free.LIBCMT ref: 0055CFA9
_free.LIBCMT ref: 0055CFDA
_free.LIBCMT ref: 0055D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0055D09C
_free.LIBCMT ref: 0055D0B5

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: db36b7524ee3eacf55b7c2d47adfc655f48dbd0d0255debd07251461af77cfaa
Instruction ID: c7afdc306c6def7fad0fa481ec6dfdb526813f4745f96871c5975435cbb959e4
Opcode Fuzzy Hash: db36b7524ee3eacf55b7c2d47adfc655f48dbd0d0255debd07251461af77cfaa
Instruction Fuzzy Hash: 31614572904301AFDB21AFB498A9A7A7FA5BF41312F04016FEC05E7282E6359D4CCB60

Function 00538B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00576890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 005768A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 005768B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 005768D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 005768F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00538874,00000000,00000000,00000000,000000FF,00000000), ref: 00576901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0057691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00538874,00000000,00000000,00000000,000000FF,00000000), ref: 0057692D

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 80cfc127409f4ba3c773efef7f4a5db6b9a1e824c1177da4f6d40dbb5aca2d19
Instruction ID: 0c45a5bfc5d62b294d44b60e0745d52f1f32d4da13cfc547a0c54f49052c7365
Opcode Fuzzy Hash: 80cfc127409f4ba3c773efef7f4a5db6b9a1e824c1177da4f6d40dbb5aca2d19
Instruction Fuzzy Hash: 5B51787060070AEFDB248F24DC65BAABFB5FB58750F104618F956A62A0DBB0A950EB50

Function 0059C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0059C182
GetLastError.KERNEL32 ref: 0059C195
SetEvent.KERNEL32(?), ref: 0059C1A9

Part of subcall function 0059C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0059C272
Part of subcall function 0059C253: GetLastError.KERNEL32 ref: 0059C322
Part of subcall function 0059C253: SetEvent.KERNEL32(?), ref: 0059C336
Part of subcall function 0059C253: InternetCloseHandle.WININET(00000000), ref: 0059C341

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: a33cdd61694bcf6954ebb95bb94f2a945089955182c7d585c9eb95b1643d9a44
Instruction ID: 971893f92ba9f7e8228ac4226c2c4c0083a85b7c4fee432617e0480dab9292ba
Opcode Fuzzy Hash: a33cdd61694bcf6954ebb95bb94f2a945089955182c7d585c9eb95b1643d9a44
Instruction Fuzzy Hash: EA319C75200701AFDF219FA5DC48A66BFF9FF68300B10492DF99686611DB30E818EFA0

Function 005825A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00583A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00583A57
Part of subcall function 00583A3D: GetCurrentThreadId.KERNEL32 ref: 00583A5E
Part of subcall function 00583A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005825B3), ref: 00583A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 005825BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 005825DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 005825DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 005825E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00582601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00582605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0058260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00582623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00582627

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 29096913d191542b093877ae4147552007fd5598b712f809f2fc586cc7db7666
Instruction ID: dfbafd1219a775115320df16a1c0f776b245d73d63f9ed270a8b204784958e0a
Opcode Fuzzy Hash: 29096913d191542b093877ae4147552007fd5598b712f809f2fc586cc7db7666
Instruction Fuzzy Hash: 9901B170290210BBFB107B699C8EF593F59EB9EB12F100102F758BE0D1C9E22448DA6D

Function 00581803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00581449,?,?,00000000), ref: 0058180C
HeapAlloc.KERNEL32(00000000,?,00581449,?,?,00000000), ref: 00581813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00581449,?,?,00000000), ref: 00581828
GetCurrentProcess.KERNEL32(?,00000000,?,00581449,?,?,00000000), ref: 00581830
DuplicateHandle.KERNEL32(00000000,?,00581449,?,?,00000000), ref: 00581833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00581449,?,?,00000000), ref: 00581843
GetCurrentProcess.KERNEL32(00581449,00000000,?,00581449,?,?,00000000), ref: 0058184B
DuplicateHandle.KERNEL32(00000000,?,00581449,?,?,00000000), ref: 0058184E
CreateThread.KERNEL32(00000000,00000000,00581874,00000000,00000000,00000000), ref: 00581868

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 50faf27764b14f460be20bb997560feb5ccd257e1d999666c3328ca2afff0d69
Instruction ID: 4d9c90a202b8b3bb900db25932a39f0e6b73f3c621b8be9b8f2bb617f0ac9bf8
Opcode Fuzzy Hash: 50faf27764b14f460be20bb997560feb5ccd257e1d999666c3328ca2afff0d69
Instruction Fuzzy Hash: 3001BFB5240304BFE750AFA5DC4DF573FACEB99B11F404511FA05EB191C670A804DB24

Function 00553E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00553F0B
__alldvrm.LIBCMT ref: 0055410C
__alldvrm.LIBCMT ref: 0055412E

Strings

}}T, xrefs: 00553E96, 00553EF1, 00553F0A, 00554090
}}T, xrefs: 005540CD
}}T, xrefs: 00553E8A

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}T$}}T$}}T
API String ID: 1036877536-2105166629
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: b4a51c81fba0f9454970d459646820ecb043a713170f761f251a1126d31ba044
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: A9A14772D006869FDB11CE18C8A57BEBFE4FF61395F28416EE9459B281C2388989CB50

Function 005AA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0058D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0058D501
Part of subcall function 0058D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0058D50F
Part of subcall function 0058D4DC: CloseHandle.KERNEL32(00000000), ref: 0058D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 005AA16D
GetLastError.KERNEL32 ref: 005AA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 005AA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 005AA268
GetLastError.KERNEL32(00000000), ref: 005AA273
CloseHandle.KERNEL32(00000000), ref: 005AA2C4

Strings

SeDebugPrivilege, xrefs: 005AA18F

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: ba814a2e9ae1c63aab1f30d287a56492af502f11c2ab160e66f293837cc10045
Instruction ID: f5f30af732350f4f5e8a98e35426ff0a5bb39745ddf5eb0901a63ceae338a812
Opcode Fuzzy Hash: ba814a2e9ae1c63aab1f30d287a56492af502f11c2ab160e66f293837cc10045
Instruction Fuzzy Hash: 57615B34204242AFD720DF18D498F1ABFA1BF95318F54849CE4564BBA3C772EC49CB92

Function 005B3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 005B3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 005B393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 005B3954
_wcslen.LIBCMT ref: 005B3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 005B39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 005B39F4

Strings

SysListView32, xrefs: 005B38F7

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 26ffa094191cad5a381e4033bc488347b49daacd358adadcbd1df82cfc7f0e6a
Instruction ID: 95dfaa16e3b6a8036130ab477d623906b640c396245926a746eb56866390b98a
Opcode Fuzzy Hash: 26ffa094191cad5a381e4033bc488347b49daacd358adadcbd1df82cfc7f0e6a
Instruction Fuzzy Hash: 3441C231A00219ABEB219F64CC49FEA7FA9FF58350F100526F958F7281D7B1A984CB94

Function 0058BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0058BCFD
IsMenu.USER32(00000000), ref: 0058BD1D
CreatePopupMenu.USER32 ref: 0058BD53
GetMenuItemCount.USER32(00EC5E88), ref: 0058BDA4
InsertMenuItemW.USER32(00EC5E88,?,00000001,00000030), ref: 0058BDCC

Strings

2, xrefs: 0058BD37
0, xrefs: 0058BCA8

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 42ef10c6087269feadd3ddd5c25454afb07fac63c029c77d7e610a76d339f400
Instruction ID: 61ae4f764b327883677459871c58ba9db2008e85d14582b2775c5020de477d83
Opcode Fuzzy Hash: 42ef10c6087269feadd3ddd5c25454afb07fac63c029c77d7e610a76d339f400
Instruction Fuzzy Hash: AB519370A01205ABEF10EF68D888BADBFF8BF55314F144619EC51B7291D7709945CB61

Function 00542D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00542D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00542D53
_ValidateLocalCookies.LIBCMT ref: 00542DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00542E0C
_ValidateLocalCookies.LIBCMT ref: 00542E61

Strings

&HT, xrefs: 00542DFE, 00542E07, 00542E18
csm, xrefs: 00542DF6

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &HT$csm
API String ID: 1170836740-2742057123
Opcode ID: bcef93e26af8d85bde232a66d32648663b459eca41ea480fdffab8a5445cccd8
Instruction ID: 62b47809bbaaf8d3647640c1b3234d30d0abcd38e34f3d03756b580f5b7f6e28
Opcode Fuzzy Hash: bcef93e26af8d85bde232a66d32648663b459eca41ea480fdffab8a5445cccd8
Instruction Fuzzy Hash: 43419434E01219EBCF14DF68C849ADEBFB5BF44328F548155F815AB392D7319A16CB90

Function 005B81DB Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0057F3AB,00000000,?,?,00000000,?,0057682C,00000004,00000000,00000000), ref: 005B824C
EnableWindow.USER32(?,00000000), ref: 005B8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 005B82D1
ShowWindow.USER32(?,00000004), ref: 005B82E5
EnableWindow.USER32(?,00000001), ref: 005B830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 005B832F

Strings

(_, xrefs: 005B8206, 005B8252, 005B8299, 005B82D7, 005B82EB

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID: (_
API String ID: 642888154-3503187703
Opcode ID: 2bcca94f0e7ab720a48aec0c5fe82532fc7dda9cc01a632bde06cd51760e5955
Instruction ID: 4a4dc0db33f297d003a1c40cda4ff265672bcf6635711f296766341dc453feec
Opcode Fuzzy Hash: 2bcca94f0e7ab720a48aec0c5fe82532fc7dda9cc01a632bde06cd51760e5955
Instruction Fuzzy Hash: 7A41A138601A40EFDB11CF14CD99BF4BFE4BB1AB14F1822A8E5088F262CB71B845DB54

Function 0058C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0058C913

Strings

stop, xrefs: 0058C8E4
info, xrefs: 0058C8B4
warning, xrefs: 0058C8FC
question, xrefs: 0058C8CC
blank, xrefs: 0058C895

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 06d0643cf1c206327f258302a4e26077ec00529117972e0e7e3c59d612b933dd
Instruction ID: a5f2b2dac1e4f94d8056c930c66748f0a85e75c91c5e1b49c32e27e49ceaefa2
Opcode Fuzzy Hash: 06d0643cf1c206327f258302a4e26077ec00529117972e0e7e3c59d612b933dd
Instruction Fuzzy Hash: D2112E316C9707BBA70477159C82DDA2F9CFF25794B10006BF900B5282E7747D405775

Function 0058DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0058DE42
gethostname.WSOCK32(?,00000100), ref: 0058DE5C
gethostbyname.WSOCK32(?), ref: 0058DE69
inet_ntoa.WSOCK32(?), ref: 0058DEAB
_strcat.LIBCMT ref: 0058DEB9
WSACleanup.WSOCK32 ref: 0058DEDE

Strings

0.0.0.0, xrefs: 0058DE87

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 730822b886f27cf2353b400cfb02f21badd59a8a8738521e0a63bd5e4aa19a0a
Instruction ID: 39b20511c64142469c7b7a17f58fd603496ea1e924d614163dd348875ea07ded
Opcode Fuzzy Hash: 730822b886f27cf2353b400cfb02f21badd59a8a8738521e0a63bd5e4aa19a0a
Instruction Fuzzy Hash: 19110671904105ABCB64BB24DC4AEEE7FBCFF60715F0001A9F945AA0D1EF709A819B70

Function 0058ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0058ED2A
_wcslen.LIBCMT ref: 0058ED3B
_wcslen.LIBCMT ref: 0058ED79
_wcslen.LIBCMT ref: 0058EDAF
_wcslen.LIBCMT ref: 0058EDDF
_wcslen.LIBCMT ref: 0058EDEF
_wcslen.LIBCMT ref: 0058EE2B
_wcslen.LIBCMT ref: 0058EE5A

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: d75113f6b34f60c4c5ad7808cc275076c4ba714a1b0cdd3a96eaa3885d77b6ad
Instruction ID: 9f1510a82ed0683864286780e9b0ff3159962111d8703ea9a1891cadedef9eb2
Opcode Fuzzy Hash: d75113f6b34f60c4c5ad7808cc275076c4ba714a1b0cdd3a96eaa3885d77b6ad
Instruction Fuzzy Hash: 52417F79C1021975CB11FBB4888BACFBBB8BF85710F508566E914F3122EB34E255C7A6

Function 0053F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0057682C,00000004,00000000,00000000), ref: 0053F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0057682C,00000004,00000000,00000000), ref: 0057F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0057682C,00000004,00000000,00000000), ref: 0057F454

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 49a97ac856548f50c46fdecbd6f13e9c549d8263f5be31c377053ebc92db2c33
Instruction ID: b574392ec28c1ab0c97f725b84b4aac8e615b789969f8e050562226b02b93765
Opcode Fuzzy Hash: 49a97ac856548f50c46fdecbd6f13e9c549d8263f5be31c377053ebc92db2c33
Instruction Fuzzy Hash: 89411D32A08640BFC739CB2DD98877A7F92BF96324F14893CE04B56660D676A884E711

Function 005B2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 005B2D1B
GetDC.USER32(00000000), ref: 005B2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 005B2D2E
ReleaseDC.USER32(00000000,00000000), ref: 005B2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 005B2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 005B2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,005B5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 005B2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 005B2DE1

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: e019e27999ec10ad7f5ca338d94ef86320e408587ef76934dabf91342c98c7ca
Instruction ID: b0f64bcc2daa47dfffa887bb8a4a500a46e4ed7e5b9f80e34b4891ec46c84629
Opcode Fuzzy Hash: e019e27999ec10ad7f5ca338d94ef86320e408587ef76934dabf91342c98c7ca
Instruction Fuzzy Hash: 13317872201214BFEB218F548C8AFEB3FA9FB59711F044155FE089A291C6B5A851CBB4

Function 00585622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00585637
_memcmp.LIBVCRUNTIME ref: 00585659
_memcmp.LIBVCRUNTIME ref: 00585671
_memcmp.LIBVCRUNTIME ref: 00585684
_memcmp.LIBVCRUNTIME ref: 0058569E
_memcmp.LIBVCRUNTIME ref: 005856B1
_memcmp.LIBVCRUNTIME ref: 005856C9
_memcmp.LIBVCRUNTIME ref: 005856E4

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: d1cd6a74d5cce4b4a880aca098ebb9651dd3dd329d9d2377f101a4bc5c6bcd3a
Instruction ID: 353c62cf5f81015f0a4621693d798531d5f9f297834fb4db0b28c4e73d007f24
Opcode Fuzzy Hash: d1cd6a74d5cce4b4a880aca098ebb9651dd3dd329d9d2377f101a4bc5c6bcd3a
Instruction Fuzzy Hash: 4821D471644E0A7BD6157A228E86FFA3F5CBF60388F444420FD06AA681F720FD5083A9

Function 005A4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 005A5007
NULL Pointer assignment, xrefs: 005A502E, 005A5383

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: f6046f037a68164f30d3c59af3d1259926b1370765ce4df69fcd2ce3a9ec6e7d
Instruction ID: 6b61f601e9cd95373e9bbcb76be92577a21217a69844ab6a556b8e91d417532c
Opcode Fuzzy Hash: f6046f037a68164f30d3c59af3d1259926b1370765ce4df69fcd2ce3a9ec6e7d
Instruction Fuzzy Hash: 87D1C475A0060AAFDF10CFA8C885FAEBBB5FF89344F148469E915AB281E770DD45CB50

Function 00561522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,005617FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 005615CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,005617FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00561651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,005617FB,?,005617FB,00000000,00000000,?,00000000,?,?,?,?), ref: 005616E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,005617FB,00000000,00000000,?,00000000,?,?,?,?), ref: 005616FB

Part of subcall function 00553820: RtlAllocateHeap.NTDLL(00000000,?,005F1444,?,0053FDF5,?,?,0052A976,00000010,005F1440,005213FC,?,005213C6,?,00521129), ref: 00553852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,005617FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00561777
__freea.LIBCMT ref: 005617A2
__freea.LIBCMT ref: 005617AE

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: d6fc38ac81c65d14c4eba41d259f15fcce4ac9bfdaee98f69547e995018f35b7
Instruction ID: f881b5c19ef3c64ece64d7ef93bbee3dbd9da6522acc7f626461f551148c2384
Opcode Fuzzy Hash: d6fc38ac81c65d14c4eba41d259f15fcce4ac9bfdaee98f69547e995018f35b7
Instruction Fuzzy Hash: E691E371E00A169ADB208E74C895AFEBFB5FF99310F1C4619E802E7191DB35DD44CBA8

Function 005A4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005A4648
VariantInit.OLEAUT32(?), ref: 005A4749
VariantClear.OLEAUT32(?), ref: 005A4753
VariantClear.OLEAUT32(?), ref: 005A47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 005A472C
Null Object assignment in FOR..IN loop, xrefs: 005A45D8, 005A4706, 005A47BE

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: e33e000e4aa2c0e7ddc4fafa7be2ef36bdafa6234884ab80ef8d017dcd2354c8
Instruction ID: 1d292e4943562156aec5812e0fa994e789638b604ca94112e1ea38c8a5683407
Opcode Fuzzy Hash: e33e000e4aa2c0e7ddc4fafa7be2ef36bdafa6234884ab80ef8d017dcd2354c8
Instruction Fuzzy Hash: F2919171A00219ABDF24CFA5D848FAEBFB8FF86714F108559F505AB281D7B09945CFA0

Function 00591187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0059125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00591284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 005912A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005912D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0059135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005913C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00591430

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 7e5281100cb6b0a15ad163867370e9537c37a37e8f6e2c575bbcc77c58d27aaf
Instruction ID: 22a21a8aecc9697a5e98c46df9c9e2879d406ab53706950cef8bb05448b24823
Opcode Fuzzy Hash: 7e5281100cb6b0a15ad163867370e9537c37a37e8f6e2c575bbcc77c58d27aaf
Instruction Fuzzy Hash: CC91F475A0062AAFDF00DF94C889BBEBFB5FF85315F104429E904EB291D774A941CB98

Function 0053948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: b1361ef08584bfe508e15c1367ddc686bbb6b1ad2c3f01f46cee490ec6d95467
Instruction ID: 344c3880771174298b0ee11630ad98bff7042d23d5bed20b6d0739787abc735c
Opcode Fuzzy Hash: b1361ef08584bfe508e15c1367ddc686bbb6b1ad2c3f01f46cee490ec6d95467
Instruction Fuzzy Hash: 9A9116B1D0021AEFCB10CFA9C888AEEBFB8FF49320F148555E515B7251D374A981DB60

Function 005A3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005A396B
CharUpperBuffW.USER32(?,?), ref: 005A3A7A
_wcslen.LIBCMT ref: 005A3A8A
VariantClear.OLEAUT32(?), ref: 005A3C1F

Part of subcall function 00590CDF: VariantInit.OLEAUT32(00000000), ref: 00590D1F
Part of subcall function 00590CDF: VariantCopy.OLEAUT32(?,?), ref: 00590D28
Part of subcall function 00590CDF: VariantClear.OLEAUT32(?), ref: 00590D34

Strings

AUTOIT.ERROR, xrefs: 005A3A80, 005A3A85
Incorrect Parameter format, xrefs: 005A39A6, 005A3BA1

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 31fde7524565549cae5d61b4727ad42c4f4020bf12c11c9d61bf7fef3e057186
Instruction ID: be3020a7c06f599ac59fb2decd4f4b94c508c44780cdb9ccdb85343d668f48f6
Opcode Fuzzy Hash: 31fde7524565549cae5d61b4727ad42c4f4020bf12c11c9d61bf7fef3e057186
Instruction Fuzzy Hash: C29136756083469FC704DF24C48596EBBE5BF8A318F14896DF88A9B351DB30EE05CB92

Function 005A4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0058000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0057FF41,80070057,?,?,?,0058035E), ref: 0058002B
Part of subcall function 0058000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0057FF41,80070057,?,?), ref: 00580046
Part of subcall function 0058000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0057FF41,80070057,?,?), ref: 00580054
Part of subcall function 0058000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0057FF41,80070057,?), ref: 00580064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 005A4C51
_wcslen.LIBCMT ref: 005A4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 005A4DCF
CoTaskMemFree.OLE32(?), ref: 005A4DDA

Strings

NULL Pointer assignment, xrefs: 005A4E23, 005A4E52

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: f7a2249d91edfd11de6f30fd0e7ac0b8e53472d8c2384f6edc1b94ae4d75cf8a
Instruction ID: 88dbdb0bba9bf7fe4d3ca3477c30f560e9e241c1514f140c9703dc52b30a704c
Opcode Fuzzy Hash: f7a2249d91edfd11de6f30fd0e7ac0b8e53472d8c2384f6edc1b94ae4d75cf8a
Instruction Fuzzy Hash: 28913771D0022DAFDF14DFE4D895AEEBBB8BF89310F104569E915A7281EB709A44CF60

Function 0052BBE0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0052BEB3

Strings

x, xrefs: 0052BC1B, 0052BCC7
D%_D%_, xrefs: 0052BCA5
D%_, xrefs: 0052BCA2
D%_, xrefs: 0052BDED, 0052BD91, 0052BD1B
D%_, xrefs: 0052BE9A

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%_$D%_$D%_$D%_D%_$x
API String ID: 1385522511-1148892672
Opcode ID: cbe3044b25a5e55861533c7cab0615a79187a870a3b45395914df5fd8c3ec8ff
Instruction ID: 905fcc1a118865fcf124a6b64c1fc747a79ff886e8d1db83b1746bb9fb780cd5
Opcode Fuzzy Hash: cbe3044b25a5e55861533c7cab0615a79187a870a3b45395914df5fd8c3ec8ff
Instruction Fuzzy Hash: 00916BB5A0022ACFDB18CF58D0906B9BBF1FF5A310F248569D945AB391D731ED81DB90

Function 005B20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 005B2183
GetMenuItemCount.USER32(00000000), ref: 005B21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 005B21DD
_wcslen.LIBCMT ref: 005B2213
GetMenuItemID.USER32(?,?), ref: 005B224D
GetSubMenu.USER32(?,?), ref: 005B225B

Part of subcall function 00583A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00583A57
Part of subcall function 00583A3D: GetCurrentThreadId.KERNEL32 ref: 00583A5E
Part of subcall function 00583A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005825B3), ref: 00583A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 005B22E3

Part of subcall function 0058E97B: Sleep.KERNELBASE ref: 0058E9F3

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: a50ae2b1941e21570fc7f3772daed55fe0a312b182395165f63040f8142afaa7
Instruction ID: de558c69b5863119943a65cd6472418e0f8fb83b13f4c83958067931c92eaef2
Opcode Fuzzy Hash: a50ae2b1941e21570fc7f3772daed55fe0a312b182395165f63040f8142afaa7
Instruction Fuzzy Hash: BC714D75A00215AFCB14DF68C845AEEBFF5FF89310F148859E916EB351D734B9418BA0

Function 0058AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0058AEF9
GetKeyboardState.USER32(?), ref: 0058AF0E
SetKeyboardState.USER32(?), ref: 0058AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0058AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0058AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0058AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0058B020

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 202acfd4800427c3d12b2b9e0438a6f9c18f8b5a1aa08e43f127b31d5f9d4fab
Instruction ID: 48b274b9a6f05fff526cdf9c64552325ad1a6a2c1de9f71908afb883b594c7cf
Opcode Fuzzy Hash: 202acfd4800427c3d12b2b9e0438a6f9c18f8b5a1aa08e43f127b31d5f9d4fab
Instruction Fuzzy Hash: 4C5106A06043D13DFB3662348C49BBABFE97B06304F08858AEAD5654C3D3D8ACC8D751

Function 0058ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0058AD19
GetKeyboardState.USER32(?), ref: 0058AD2E
SetKeyboardState.USER32(?), ref: 0058AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0058ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0058ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0058AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0058AE38

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: de79d2b1f96b618a64a44c4d52af285d3c3e678b9da6c475a6123d1839ee0b45
Instruction ID: c71a333ed8ca3870be8d278f630f571ce0ce25b0d5c6e9b2f979b97e651facbe
Opcode Fuzzy Hash: de79d2b1f96b618a64a44c4d52af285d3c3e678b9da6c475a6123d1839ee0b45
Instruction Fuzzy Hash: E15118A15047D53DFB33A3348C45B7ABE9C7B45301F08898AE9D5A68C2D394EC88D752

Function 0055542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00563CD6,?,?,?,?,?,?,?,?,00555BA3,?,?,00563CD6,?,?), ref: 00555470
__fassign.LIBCMT ref: 005554EB
__fassign.LIBCMT ref: 00555506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00563CD6,00000005,00000000,00000000), ref: 0055552C
WriteFile.KERNEL32(?,00563CD6,00000000,00555BA3,00000000,?,?,?,?,?,?,?,?,?,00555BA3,?), ref: 0055554B
WriteFile.KERNEL32(?,?,00000001,00555BA3,00000000,?,?,?,?,?,?,?,?,?,00555BA3,?), ref: 00555584

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 15d18f0e252f8c2f06b2477bd986378414cfb380bc654f7abe4a10d6c4815b5a
Instruction ID: 3a52cbf05fc0df4c7054e81c179037051cacf3e7b2c2eff28cfd89f48adb6b68
Opcode Fuzzy Hash: 15d18f0e252f8c2f06b2477bd986378414cfb380bc654f7abe4a10d6c4815b5a
Instruction Fuzzy Hash: 3A51C2709006499FDB10CFA8D865AEEBFF9FF09301F14451BF955E7292E630AA49CB60

Function 005B6B76 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 005B6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 005B6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 005B6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0059AB79,00000000,00000000), ref: 005B6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 005B6CC7

Strings

(_, xrefs: 005B6BB0, 005B6C55

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID: (_
API String ID: 3688381893-3503187703
Opcode ID: 7d2790eebb934caeb00984c96562b0b6d6d91ac9d9341343c1be6b9ac15b1f79
Instruction ID: fc70ba754df253b1cdf725e5b8b0e80050413dbd33124c1c93fa552def57e54a
Opcode Fuzzy Hash: 7d2790eebb934caeb00984c96562b0b6d6d91ac9d9341343c1be6b9ac15b1f79
Instruction Fuzzy Hash: BB41AD35A04104AFDB24CF28CD58FE97FA5FB09360F140668E999AB2E0C379FD41DA90

Function 005A10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 005A304E: inet_addr.WSOCK32(?), ref: 005A307A
Part of subcall function 005A304E: _wcslen.LIBCMT ref: 005A309B

socket.WSOCK32(00000002,00000001,00000006), ref: 005A1112
WSAGetLastError.WSOCK32 ref: 005A1121
WSAGetLastError.WSOCK32 ref: 005A11C9
closesocket.WSOCK32(00000000), ref: 005A11F9

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 6747597b76bb266c38213ac35289e2fb7d4c3954039cbed296e4348f1958b23a
Instruction ID: dc46b1156e4587e573ee0c8642a4a219a66d4bf29a462903b849c18a1350b465
Opcode Fuzzy Hash: 6747597b76bb266c38213ac35289e2fb7d4c3954039cbed296e4348f1958b23a
Instruction Fuzzy Hash: 02411431600615AFDB109F14C888BADBFE9FF86324F148159F9069B292D770ED45CBE4

Function 0058CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0058DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0058CF22,?), ref: 0058DDFD

Part of subcall function 0058DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0058CF22,?), ref: 0058DE16

lstrcmpiW.KERNEL32(?,?), ref: 0058CF45
MoveFileW.KERNEL32(?,?), ref: 0058CF7F
_wcslen.LIBCMT ref: 0058D005
_wcslen.LIBCMT ref: 0058D01B
SHFileOperationW.SHELL32(?), ref: 0058D061

Strings

\*.*, xrefs: 0058CFF3

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: aedf6976aba37d44648267995292cfd3c4367fb61c19b9e78a48142dc8872bfe
Instruction ID: e8f84fc9935612b2ca3926b427b3e49cf600aea81ef0098124c1a4aaf624aa80
Opcode Fuzzy Hash: aedf6976aba37d44648267995292cfd3c4367fb61c19b9e78a48142dc8872bfe
Instruction Fuzzy Hash: C04144719452195EDF12FBA4D985ADEBFB8BF54380F0000A6A645FB141EA34A648CF60

Function 005B3D7C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005B3E35
IsMenu.USER32(?), ref: 005B3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 005B3E92
DrawMenuBar.USER32 ref: 005B3EA5

Strings

0, xrefs: 005B3D89
(_, xrefs: 005B3DF7, 005B3E12

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: (_$0
API String ID: 3076010158-1774493740
Opcode ID: b57de73bea76e2e56a926ae3aba1b24bc9c61a2899cccf51797d91ecab76d3e6
Instruction ID: deccbd5fe4397e9b144a4eefe0f9f11fb55b8649aa0199d6ba2580f063812e7f
Opcode Fuzzy Hash: b57de73bea76e2e56a926ae3aba1b24bc9c61a2899cccf51797d91ecab76d3e6
Instruction Fuzzy Hash: 0C411575A01209EFDB20DF50D884AEABBB9FF49354F04412AE905AB290D734FE44DBA0

Function 00587726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00587769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0058778F
SysAllocString.OLEAUT32(00000000), ref: 00587792
SysAllocString.OLEAUT32(?), ref: 005877B0
SysFreeString.OLEAUT32(?), ref: 005877B9
StringFromGUID2.OLE32(?,?,00000028), ref: 005877DE
SysAllocString.OLEAUT32(?), ref: 005877EC

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 0efdf2207836b885cf3e555012c48fde0d92f05c04f7c3da6e7d9b519d67834d
Instruction ID: 6c87a612b4e385c2462340dc1a2f16279107d8805f18ea96755529f8e1b69af3
Opcode Fuzzy Hash: 0efdf2207836b885cf3e555012c48fde0d92f05c04f7c3da6e7d9b519d67834d
Instruction Fuzzy Hash: 1C21BC36608209AFDF00EFA8CC88CBA7BACFB08364B108525BE14EB250D670ED45C764

Function 005877FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00587842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00587868
SysAllocString.OLEAUT32(00000000), ref: 0058786B
SysAllocString.OLEAUT32 ref: 0058788C
SysFreeString.OLEAUT32 ref: 00587895
StringFromGUID2.OLE32(?,?,00000028), ref: 005878AF
SysAllocString.OLEAUT32(?), ref: 005878BD

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 1fe2deddc61415f35a83211478868f34272ee8ff46f83af411c9abf7a8281191
Instruction ID: 30334fe37c149904596df1050ff7c76efd836946e517a403e9cc19a201809ac6
Opcode Fuzzy Hash: 1fe2deddc61415f35a83211478868f34272ee8ff46f83af411c9abf7a8281191
Instruction Fuzzy Hash: 32218331608108AF9F50ABA8DC88DAA7BACFB5C3607108125B915DB2A1D670EC45DF64

Function 005904D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 005904F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0059052E

Strings

nul, xrefs: 00590567

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 8b26e3e3b6465ef67aaeb7b950791993a0f1f6e01b7822fa4b43ca7ce6d8a530
Instruction ID: 6f5f5229c62ec905858a159b327b64dd53428f72133d861f4dcb89f0d21e8c20
Opcode Fuzzy Hash: 8b26e3e3b6465ef67aaeb7b950791993a0f1f6e01b7822fa4b43ca7ce6d8a530
Instruction Fuzzy Hash: 5F215A75500305AFDF209F29D844AAABFE8BF54764F614E29E8A1E62E0E7709944DF20

Function 005905A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 005905C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00590601

Strings

nul, xrefs: 00590639

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: aa74a45d8b119d789e87ece3397ec37f4c5911ac150372ae201a3237990aea44
Instruction ID: 62f8d6a58c60cae8da616bb4ecbada92df5628c0a6a985f7ab0efc8c7f6cd4f1
Opcode Fuzzy Hash: aa74a45d8b119d789e87ece3397ec37f4c5911ac150372ae201a3237990aea44
Instruction Fuzzy Hash: AE214F755003059FDF209F69DC04AAABFE8BF95724F241F19E8A1E72E0D7709960DB24

Function 005B40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0052600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0052604C
Part of subcall function 0052600E: GetStockObject.GDI32(00000011), ref: 00526060
Part of subcall function 0052600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0052606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 005B4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 005B411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 005B412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 005B4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 005B4145

Strings

Msctls_Progress32, xrefs: 005B40E3

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: f582b8574c5f7f5342cdd6c735728cb8f9312b9201be0178517b7f5c9ed70366
Instruction ID: 692bdb5f060accfd4feee7f335f7273adeba016f81e850251eb2a435992fb356
Opcode Fuzzy Hash: f582b8574c5f7f5342cdd6c735728cb8f9312b9201be0178517b7f5c9ed70366
Instruction Fuzzy Hash: DB11B2B215021EBEEF219F64CC85EE77F5DFF18798F004111BA18A6090C672AC21DBA4

Function 0055D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0055D7A3: _free.LIBCMT ref: 0055D7CC

_free.LIBCMT ref: 0055D82D

Part of subcall function 005529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0055D7D1,00000000,00000000,00000000,00000000,?,0055D7F8,00000000,00000007,00000000,?,0055DBF5,00000000), ref: 005529DE
Part of subcall function 005529C8: GetLastError.KERNEL32(00000000,?,0055D7D1,00000000,00000000,00000000,00000000,?,0055D7F8,00000000,00000007,00000000,?,0055DBF5,00000000,00000000), ref: 005529F0

_free.LIBCMT ref: 0055D838
_free.LIBCMT ref: 0055D843
_free.LIBCMT ref: 0055D897
_free.LIBCMT ref: 0055D8A2
_free.LIBCMT ref: 0055D8AD
_free.LIBCMT ref: 0055D8B8

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 3f12218ecf0da2bf3af5e083e6926c24b9b39d3037272608de4ce07e7c0bc6b0
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: B9115E72550705AAD531BFB0CC1AFCB7FBCFF85702F400816BA9DA6992D628A5494760

Function 0058DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0058DA74
LoadStringW.USER32(00000000), ref: 0058DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0058DA91
LoadStringW.USER32(00000000), ref: 0058DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0058DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0058DAB9

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 01f3a9fb0e78abac9501652c6309bdda2ae898081f0b771645a38142fb01a063
Instruction ID: d6ae9fb98d9a605b244df617f9c938f8326788342d4a4c0be4fda9e307429a25
Opcode Fuzzy Hash: 01f3a9fb0e78abac9501652c6309bdda2ae898081f0b771645a38142fb01a063
Instruction Fuzzy Hash: E4018BF29002087FEB51ABA49D89EF73B6CE718301F500595B745F2041E674AD848F78

Function 0059096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00EBE6F0,00EBE6F0), ref: 0059097B
EnterCriticalSection.KERNEL32(00EBE6D0,00000000), ref: 0059098D
TerminateThread.KERNEL32(?,000001F6), ref: 0059099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 005909A9
CloseHandle.KERNEL32(?), ref: 005909B8
InterlockedExchange.KERNEL32(00EBE6F0,000001F6), ref: 005909C8
LeaveCriticalSection.KERNEL32(00EBE6D0), ref: 005909CF

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: eca15c047069eb4b5d69ab4e75fd2df975a9e65fbdf76ecc77c8f5bf47dfb378
Instruction ID: dff8c8c0a9e70edfa215b49e0e8a455113895c8a06db494a7a38eb2bbc15b251
Opcode Fuzzy Hash: eca15c047069eb4b5d69ab4e75fd2df975a9e65fbdf76ecc77c8f5bf47dfb378
Instruction Fuzzy Hash: 51F03131442512BFDB855F94EE8CBD6BF35FF11702F402526F141518A0C774A869DF94

Function 005A1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?), ref: 005A1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 005A1DE1
WSAGetLastError.WSOCK32 ref: 005A1DF2
htons.WSOCK32(?), ref: 005A1EDB
inet_ntoa.WSOCK32(?), ref: 005A1E8C

Part of subcall function 005839E8: _strlen.LIBCMT ref: 005839F2

Part of subcall function 005A3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0059EC0C), ref: 005A3240

_strlen.LIBCMT ref: 005A1F35

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 291d6fe0cf1f25560a7c3364bb550a884899b21f62750b699998204c92122e51
Instruction ID: 70c8d5b3b30cf49ed9839b2974976525ebba351857a1c178ada221ee95a5f6fa
Opcode Fuzzy Hash: 291d6fe0cf1f25560a7c3364bb550a884899b21f62750b699998204c92122e51
Instruction Fuzzy Hash: 9FB1CC30204741AFC324DF24C899E2A7FA5BF86318F54894CF4565B2E2DB31ED46CBA1

Function 00525D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00525D30
GetWindowRect.USER32(?,?), ref: 00525D71
ScreenToClient.USER32(?,?), ref: 00525D99
GetClientRect.USER32(?,?), ref: 00525ED7
GetWindowRect.USER32(?,?), ref: 00525EF8

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: f1cc8537f967f97939f49a1a840d0c29f67a99a8f97138c4647521ccee309ae5
Instruction ID: 9b8b45806320845b435d7a0b44a8ee7ea03964d853da30ede66ee5a496b75979
Opcode Fuzzy Hash: f1cc8537f967f97939f49a1a840d0c29f67a99a8f97138c4647521ccee309ae5
Instruction Fuzzy Hash: CCB17C34A0064ADBDB14CFA8C4807EEBBF5FF54310F14891AE8A9D7290E730AA51DB54

Function 005501B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 005500BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005500D6
__allrem.LIBCMT ref: 005500ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0055010B
__allrem.LIBCMT ref: 00550122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00550140

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 90d44d1fc03783f429a0cf382165cb5dcb71cf7ee453a8cc1e7b8cc513e35bd0
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 2981F772A00B06ABE7249F28CC59BAB7BE8BF81325F24453BF811D76C1E770D9088751

Function 005561FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,005482D9,005482D9,?,?,?,0055644F,00000001,00000001,8BE85006), ref: 00556258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0055644F,00000001,00000001,8BE85006,?,?,?), ref: 005562DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 005563D8
__freea.LIBCMT ref: 005563E5

Part of subcall function 00553820: RtlAllocateHeap.NTDLL(00000000,?,005F1444,?,0053FDF5,?,?,0052A976,00000010,005F1440,005213FC,?,005213C6,?,00521129), ref: 00553852

__freea.LIBCMT ref: 005563EE
__freea.LIBCMT ref: 00556413

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 38abecfe43b874bb87817a917a463badf655ae9f7379b664e57f76972b4668c2
Instruction ID: fe5d813e252220dfd51fba797107032cd88f4ddf262dfa2fe56fb977323dd26f
Opcode Fuzzy Hash: 38abecfe43b874bb87817a917a463badf655ae9f7379b664e57f76972b4668c2
Instruction Fuzzy Hash: FB510172600246ABEB258F64CCA5EAF7FA9FB84751F564A2AFC05D7140EB34DC48C660

Function 005ABBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00529CB3: _wcslen.LIBCMT ref: 00529CBD

Part of subcall function 005AC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005AB6AE,?,?), ref: 005AC9B5
Part of subcall function 005AC998: _wcslen.LIBCMT ref: 005AC9F1
Part of subcall function 005AC998: _wcslen.LIBCMT ref: 005ACA68
Part of subcall function 005AC998: _wcslen.LIBCMT ref: 005ACA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005ABCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005ABD25
RegCloseKey.ADVAPI32(00000000), ref: 005ABD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 005ABD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 005ABDF3
RegCloseKey.ADVAPI32(?), ref: 005ABDFF

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 1e0698781381825040a18139a21593fef8835a09468d7fac31234e268b261ddf
Instruction ID: c23463314fa766a41c36a031a5c72ef339e5d66cc60cba3010c4b554bf714d3c
Opcode Fuzzy Hash: 1e0698781381825040a18139a21593fef8835a09468d7fac31234e268b261ddf
Instruction Fuzzy Hash: FE818F70208242AFD714DF24C895E6ABFE5FF86308F14895CF4554B2A2DB31ED45CB92

Function 0057F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0057F7B9
SysAllocString.OLEAUT32(00000001), ref: 0057F860
VariantCopy.OLEAUT32(0057FA64,00000000), ref: 0057F889
VariantClear.OLEAUT32(0057FA64), ref: 0057F8AD
VariantCopy.OLEAUT32(0057FA64,00000000), ref: 0057F8B1
VariantClear.OLEAUT32(?), ref: 0057F8BB

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: fe81f62f67196fcfe98bd4871879b8d99714a65898705cdd796a62b77088958a
Instruction ID: 339837e371e0f204d1dfeb43f3e76fad67a45db00d536ff5b73d823e6e42d5fc
Opcode Fuzzy Hash: fe81f62f67196fcfe98bd4871879b8d99714a65898705cdd796a62b77088958a
Instruction Fuzzy Hash: 3E51D831500311BACF10EB65F899B69BBA8FF95310F24D866F909EF291DB709C40E766

Function 0059910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00527620: _wcslen.LIBCMT ref: 00527625

Part of subcall function 00526B57: _wcslen.LIBCMT ref: 00526B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 005994E5
_wcslen.LIBCMT ref: 00599506
_wcslen.LIBCMT ref: 0059952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00599585

Strings

X, xrefs: 00599412

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: ca460f4685a5cd6924d273269fe35876789d7f61a79317db4eba8bb4020ed0bb
Instruction ID: d588a2c74e7afcba920a1dbf1d6663a057cc05898b988c7a02bc04c4f325244e
Opcode Fuzzy Hash: ca460f4685a5cd6924d273269fe35876789d7f61a79317db4eba8bb4020ed0bb
Instruction Fuzzy Hash: F6E1C3316043518FDB24DF28D485A6ABBE4BFC5314F04896CF8899B2A2EB31DD05CB92

Function 0053920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00539BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00539BB2

BeginPaint.USER32(?,?,?), ref: 00539241
GetWindowRect.USER32(?,?), ref: 005392A5
ScreenToClient.USER32(?,?), ref: 005392C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 005392D3
EndPaint.USER32(?,?,?,?,?), ref: 00539321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 005771EA

Part of subcall function 00539339: BeginPath.GDI32(00000000), ref: 00539357

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: ec27c95d0c4bf5239ef87194e2fd336aa1fc90dd4a9cf9dfc6d5056531cfb605
Instruction ID: a70d723743df2cef06786199bedf2cd8d249be5c727fe86ca6155e8c126d5ece
Opcode Fuzzy Hash: ec27c95d0c4bf5239ef87194e2fd336aa1fc90dd4a9cf9dfc6d5056531cfb605
Instruction Fuzzy Hash: DB41AEB0104601AFD711DF28D884FBA7FA8FB99320F140669F995D72A1C7B1A849EB61

Function 005907EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0059080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00590847
EnterCriticalSection.KERNEL32(?), ref: 00590863
LeaveCriticalSection.KERNEL32(?), ref: 005908DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 005908F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00590921

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 4866a9c31e988702690b649bc4166cc4f79fcb38bf7d691d73c2934fde9fa8b2
Instruction ID: 18289d33714260a21b1f48c4bae703f0f3a7bc956bcfa847efe4d3401cc2ad29
Opcode Fuzzy Hash: 4866a9c31e988702690b649bc4166cc4f79fcb38bf7d691d73c2934fde9fa8b2
Instruction Fuzzy Hash: DE415971A00206AFDF149F54DC85AAABB78FF44314F1444A9ED00AA296D730EE64EBA4

Function 00584C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00584C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00584CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00584CEA
_wcslen.LIBCMT ref: 00584D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00584D10
_wcsstr.LIBVCRUNTIME ref: 00584D1A

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 9e0a1dde38e7a34abf8178f3b1ca0c5ddc84ae9b1a6d5cd9ae48dcf36414b15f
Instruction ID: 2ae198a13bff307323f1e0c7cd1d9c8d88fdf1538d11364e1f4e36217b6172c4
Opcode Fuzzy Hash: 9e0a1dde38e7a34abf8178f3b1ca0c5ddc84ae9b1a6d5cd9ae48dcf36414b15f
Instruction Fuzzy Hash: B4212932605202BBEB556B39DC09E7B7F9CEF45750F104029FC05DE191EA61DC009BA0

Function 0059581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00523AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00523A97,?,?,00522E7F,?,?,?,00000000), ref: 00523AC2

_wcslen.LIBCMT ref: 0059587B
CoInitialize.OLE32(00000000), ref: 00595995
CoCreateInstance.OLE32(005BFCF8,00000000,00000001,005BFB68,?), ref: 005959AE
CoUninitialize.OLE32 ref: 005959CC

Strings

.lnk, xrefs: 00595876, 005958C1, 00595985

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 3b50badbb25745b40c61b37dd51a20ef0c55fa6830df480fab16e06b3990d968
Instruction ID: 0584bb36d8d77a450fb01dc387ebc26c48922bdaf639e7646d658081a7806e4c
Opcode Fuzzy Hash: 3b50badbb25745b40c61b37dd51a20ef0c55fa6830df480fab16e06b3990d968
Instruction Fuzzy Hash: 3ED175716047119FCB05DF24C484A2ABBE6FF89714F14485DF88A9B3A1EB31EC05CB92

Function 0058175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00580FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00580FCA
Part of subcall function 00580FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00580FD6
Part of subcall function 00580FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00580FE5
Part of subcall function 00580FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00580FEC
Part of subcall function 00580FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00581002

GetLengthSid.ADVAPI32(?,00000000,00581335), ref: 005817AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 005817BA
HeapAlloc.KERNEL32(00000000), ref: 005817C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 005817DA
GetProcessHeap.KERNEL32(00000000,00000000,00581335), ref: 005817EE
HeapFree.KERNEL32(00000000), ref: 005817F5

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: c6a3459b4cf3c6a80353bf667bacdd1d8f36bbf1dd4df81ac3de839058022517
Instruction ID: a73f7efd8c3dea4e2594fdf3f2cac9545ad60a7b1fd00a2a13196822ad6f3a95
Opcode Fuzzy Hash: c6a3459b4cf3c6a80353bf667bacdd1d8f36bbf1dd4df81ac3de839058022517
Instruction Fuzzy Hash: CE119A72600605EBDB14AFA8DC49BAE7FADFB41355F104119F881F7210C735A949DB68

Function 005814CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 005814FF
OpenProcessToken.ADVAPI32(00000000), ref: 00581506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00581515
CloseHandle.KERNEL32(00000004), ref: 00581520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0058154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00581563

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 5ccdd155bf9956b2afc1cf4fbce782cd73e75ca461216826e93d6ad9b23ef96b
Instruction ID: 94bc9c7088693934c177abe84add4134b1585661ea37ee4a1d9ddb8a95f43197
Opcode Fuzzy Hash: 5ccdd155bf9956b2afc1cf4fbce782cd73e75ca461216826e93d6ad9b23ef96b
Instruction Fuzzy Hash: 5911447250420DABDF119FA8ED49FDE7FADFB48704F044128FE05A2060C3719E65AB68

Function 00543382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00543379,00542FE5), ref: 00543390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0054339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 005433B7
SetLastError.KERNEL32(00000000,?,00543379,00542FE5), ref: 00543409

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 131d74eef7c7decb65b82de9b1f2ecbf32ff4a7a9028ef67a3dd9c7186879bf8
Instruction ID: 1e42f2413ae754b9ef87eea5820330eba87fbce4915cf6f7373568ba25f8d18a
Opcode Fuzzy Hash: 131d74eef7c7decb65b82de9b1f2ecbf32ff4a7a9028ef67a3dd9c7186879bf8
Instruction Fuzzy Hash: 2201D833609313BEAB1D2B747CCD5DB2EA4FB6577D7200629F421851F1EF119E0AA544

Function 00552D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00555686,00563CD6,?,00000000,?,00555B6A,?,?,?,?,?,0054E6D1,?,005E8A48), ref: 00552D78
_free.LIBCMT ref: 00552DAB
_free.LIBCMT ref: 00552DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0054E6D1,?,005E8A48,00000010,00524F4A,?,?,00000000,00563CD6), ref: 00552DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0054E6D1,?,005E8A48,00000010,00524F4A,?,?,00000000,00563CD6), ref: 00552DEC
_abort.LIBCMT ref: 00552DF2

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: fd81ff9a42e8184a0c56bbbd7790cba57fa3f6dca096fb29953155822ebca178
Instruction ID: 864f3cf40d1bc2b1eb4bc63ea831c2b4e1f29a26819b9d9e2a925165ff3bf6fb
Opcode Fuzzy Hash: fd81ff9a42e8184a0c56bbbd7790cba57fa3f6dca096fb29953155822ebca178
Instruction Fuzzy Hash: D0F08636504A0167C35627246C2AE5A2E757BD37A3F24451BFC2992192DE24984F5360

Function 005B8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00539639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00539693
Part of subcall function 00539639: SelectObject.GDI32(?,00000000), ref: 005396A2
Part of subcall function 00539639: BeginPath.GDI32(?), ref: 005396B9
Part of subcall function 00539639: SelectObject.GDI32(?,00000000), ref: 005396E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 005B8A4E
LineTo.GDI32(?,00000003,00000000), ref: 005B8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 005B8A70
LineTo.GDI32(?,00000000,00000003), ref: 005B8A80
EndPath.GDI32(?), ref: 005B8A90
StrokePath.GDI32(?), ref: 005B8AA0

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: fe788013630029c0481fb851b2a9a991f21c7b65a7082156d62d175186edfe25
Instruction ID: 8411b70163eedc0b04371913744567bf69f19a835fea9c5899d2531e9f1f4e6a
Opcode Fuzzy Hash: fe788013630029c0481fb851b2a9a991f21c7b65a7082156d62d175186edfe25
Instruction Fuzzy Hash: 9711097640010DFFDB129F94DC88EAA7F6CEB18350F008152BA199A1A1C771AD59EFA4

Function 005851FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00585218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00585229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00585230
ReleaseDC.USER32(00000000,00000000), ref: 00585238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0058524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00585261

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 3d3bc3c76d8ad4fae09acb0cf60fc811326164e26ec2658b606753398e6c57ee
Instruction ID: fdefd06ffa27982b2cd8658f81c18eda1ea0d795320d0fb4526ba3ae866a9d32
Opcode Fuzzy Hash: 3d3bc3c76d8ad4fae09acb0cf60fc811326164e26ec2658b606753398e6c57ee
Instruction Fuzzy Hash: EB01A275E00708BBEB10AFA99C49E5EBFB8FF58351F044165FA05A7280DA709C04DFA4

Function 00521BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00521BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00521BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00521C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00521C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00521C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00521C22

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 8983c864ea2224f3074eed8c37c80f1cf1d4246c932c9ab851aa404352639fdb
Instruction ID: 6e3e47d1e2ec30ad445839c6b735c5f40918ff3be7c1f8a94232bec8e8d77f6b
Opcode Fuzzy Hash: 8983c864ea2224f3074eed8c37c80f1cf1d4246c932c9ab851aa404352639fdb
Instruction Fuzzy Hash: 95016CB09027597DE3008F5A8C85B52FFA8FF19354F00411B915C4B941C7F5A864CBE5

Function 0058EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0058EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0058EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0058EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0058EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0058EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0058EB75

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 92c769172a684d6a47b0a829d0cb4aee8744cfa8f2870dac1c285e35811ed1d5
Instruction ID: 4644303925b1551b6a649f18666a6b5693e8aa88e4cbe4c0085367221f08af52
Opcode Fuzzy Hash: 92c769172a684d6a47b0a829d0cb4aee8744cfa8f2870dac1c285e35811ed1d5
Instruction Fuzzy Hash: 83F05472140158BBE7615B569C0EEEF3F7CEFDBB11F000259FA01E5091E7A06A05D6B9

Function 00577439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00577452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00577469
GetWindowDC.USER32(?), ref: 00577475
GetPixel.GDI32(00000000,?,?), ref: 00577484
ReleaseDC.USER32(?,00000000), ref: 00577496
GetSysColor.USER32(00000005), ref: 005774B0

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: c50556ad5d7697494c66b3772012cebe4fddaf3c78e7ae0cd9c0667a29447c7d
Instruction ID: 0e889c0c77f7d253007fb4504f5d24222ba26fc799ba1877419ad10144191433
Opcode Fuzzy Hash: c50556ad5d7697494c66b3772012cebe4fddaf3c78e7ae0cd9c0667a29447c7d
Instruction Fuzzy Hash: 2B018B31400209EFDB905F68EC08FAA7FB6FB18311F6146A4F91AA20A0CB312E45FB14

Function 00581874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0058187F
UnloadUserProfile.USERENV(?,?), ref: 0058188B
CloseHandle.KERNEL32(?), ref: 00581894
CloseHandle.KERNEL32(?), ref: 0058189C
GetProcessHeap.KERNEL32(00000000,?), ref: 005818A5
HeapFree.KERNEL32(00000000), ref: 005818AC

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: d5f59e63690fff0f947412f9fc1f9f236a32d51af231c8bf79f4180fd58da4fc
Instruction ID: 47ac40039174e12b3e83dba1a7fdc89dd196940b44b88f4016afd0d9dc15f996
Opcode Fuzzy Hash: d5f59e63690fff0f947412f9fc1f9f236a32d51af231c8bf79f4180fd58da4fc
Instruction Fuzzy Hash: 6EE0E576004101BBDB815FA5ED0C90ABF79FF69B22B508725F22591070CB32A424EF68

Function 005A7B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00540242: EnterCriticalSection.KERNEL32(005F070C,005F1884,?,?,0053198B,005F2518,?,?,?,005212F9,00000000), ref: 0054024D
Part of subcall function 00540242: LeaveCriticalSection.KERNEL32(005F070C,?,0053198B,005F2518,?,?,?,005212F9,00000000), ref: 0054028A

Part of subcall function 00529CB3: _wcslen.LIBCMT ref: 00529CBD

Part of subcall function 005400A3: __onexit.LIBCMT ref: 005400A9

__Init_thread_footer.LIBCMT ref: 005A7BFB

Part of subcall function 005401F8: EnterCriticalSection.KERNEL32(005F070C,?,?,00538747,005F2514), ref: 00540202
Part of subcall function 005401F8: LeaveCriticalSection.KERNEL32(005F070C,?,00538747,005F2514), ref: 00540235

Strings

5, xrefs: 005A7C78
+TW, xrefs: 005A7E2E
G, xrefs: 005A7C7F
Variable must be of type 'Object'., xrefs: 005A7C3A

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +TW$5$G$Variable must be of type 'Object'.
API String ID: 535116098-2763875210
Opcode ID: f1f24362de9efaaf2492696191c6e335b5b7582bf9c1b193b9f7136298b90fa5
Instruction ID: 24978a0a1fe812fb697f7b221103668c3ab6f137581debe77b8432cba300daf5
Opcode Fuzzy Hash: f1f24362de9efaaf2492696191c6e335b5b7582bf9c1b193b9f7136298b90fa5
Instruction Fuzzy Hash: 60918A70A0420AEFCB04EF54D8959BDBFB5BF8A300F108459F806AB292DB71AE45CB50

Function 0058C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00527620: _wcslen.LIBCMT ref: 00527625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0058C6EE
_wcslen.LIBCMT ref: 0058C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0058C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0058C7CA

Strings

0, xrefs: 0058C6AF

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: e38909fb12f0aff104e0676b636887bc0fa8bb0713ccc2548fcfe11e81968eb8
Instruction ID: 996b78382c161752440cc2c09acadde52c0f31451a097468fada14ef2956647d
Opcode Fuzzy Hash: e38909fb12f0aff104e0676b636887bc0fa8bb0713ccc2548fcfe11e81968eb8
Instruction Fuzzy Hash: 2A51CE716143019BD754AF28C889A7A7FE8FF89314F040A2DFD95E31E0EB74D9049BA6

Function 005AAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 005AAEA3

Part of subcall function 00527620: _wcslen.LIBCMT ref: 00527625

GetProcessId.KERNEL32(00000000), ref: 005AAF38
CloseHandle.KERNEL32(00000000), ref: 005AAF67

Strings

@, xrefs: 005AAE72
<, xrefs: 005AAE6B

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: b238ccf122cbf9d545ac7217c1e70772066de964c7d1188ebadddac7863e5273
Instruction ID: 8fee640a7de249e7fa69f3150908993935be42d36c38773916c8a2ee982adbe4
Opcode Fuzzy Hash: b238ccf122cbf9d545ac7217c1e70772066de964c7d1188ebadddac7863e5273
Instruction Fuzzy Hash: 1F717775A0022ADFCB14DF54D488A9EBFF4BF4A300F048499E856AB392D730ED45CB91

Function 005B6278 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 005B62E2
ScreenToClient.USER32(?,?), ref: 005B6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 005B6382

Strings

(_, xrefs: 005B62B1, 005B63AC

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID: (_
API String ID: 3880355969-3503187703
Opcode ID: a9d4c70b4faa8ccc045a6de70e39e0b5fef3f825e2b02edd8feeceb4bbc5b66d
Instruction ID: 0e52781348d57314a283f9fbdaafb56aadf7419c1c1b1faebd277c632d5cf861
Opcode Fuzzy Hash: a9d4c70b4faa8ccc045a6de70e39e0b5fef3f825e2b02edd8feeceb4bbc5b66d
Instruction Fuzzy Hash: 81514774A00609EFDB10CF68D880AEE7BB5FB95360F108669F9159B2A0D734ED81CB90

Function 0058719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00587206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0058723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0058724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 005872CF

Strings

DllGetClassObject, xrefs: 00587242

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 559a923d6c017c93809e4d0e6568749c39fe035af05318284e74831bbd672a1d
Instruction ID: 18621d0e355e6d26faee7582ee88bfb1732ac71c4fe81b2dd15d6998668bc44a
Opcode Fuzzy Hash: 559a923d6c017c93809e4d0e6568749c39fe035af05318284e74831bbd672a1d
Instruction Fuzzy Hash: D1418275604208DFDB15DF54C884A9A7FA9FF88310F2484A9BD06AF21AD7B0DA44DBA0

Function 005B52C1 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 005B5352
GetWindowLongW.USER32(?,000000F0), ref: 005B5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 005B5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005B53A8

Strings

(_, xrefs: 005B52F1

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID: (_
API String ID: 3340791633-3503187703
Opcode ID: f525865cc99a0db70dbec33bb434d7752697dc070d172dec0491911efe524b5b
Instruction ID: 244a1769a65a713493141e0f1ab65dc1717e123fd64309d88417412ba33503ec
Opcode Fuzzy Hash: f525865cc99a0db70dbec33bb434d7752697dc070d172dec0491911efe524b5b
Instruction Fuzzy Hash: 5931C634A55A08EFEB389E14CC55FE87FE5BB04390F944901FA11963E1E7B5B980E741

Function 005B7674 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 005B769A
GetWindowRect.USER32(?,?), ref: 005B7710
PtInRect.USER32(?,?,005B8B89), ref: 005B7720
MessageBeep.USER32(00000000), ref: 005B778C

Strings

(_, xrefs: 005B76D6, 005B7733

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID: (_
API String ID: 1352109105-3503187703
Opcode ID: 31d36dfc95ae0c86085fef0b5ebcacf70908744fdace559e1df080857c4b3a48
Instruction ID: 5fd5f3eb6f63385a4966ee72d9b45d07d483d42796a88ecfdba7ea1087ac76e7
Opcode Fuzzy Hash: 31d36dfc95ae0c86085fef0b5ebcacf70908744fdace559e1df080857c4b3a48
Instruction Fuzzy Hash: 34418734A09219EFCB11CF58C894EE9BBF4FB98300F1941A8E815DB261CB70B946DB90

Function 00581DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00529CB3: _wcslen.LIBCMT ref: 00529CBD

Part of subcall function 00583CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00583CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00581E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00581E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00581EA9

Part of subcall function 00526B57: _wcslen.LIBCMT ref: 00526B6A

Strings

ComboBox, xrefs: 00581DF0
ListBox, xrefs: 00581E25

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: ef807b0eb9d8ae5c074428aa3ddb27206f84bcda133259cb164bf267dbad620f
Instruction ID: e97062e20b98896d071692c23f0226c61e7aaecad8e7e327a7fd8762555ded74
Opcode Fuzzy Hash: ef807b0eb9d8ae5c074428aa3ddb27206f84bcda133259cb164bf267dbad620f
Instruction Fuzzy Hash: DA21E171A00105AADB14AB64EC49CFFBFACBF96390F144529FC25BB2E1DB744D0A9724

Function 005B4653 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 005B4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 005B4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 005B471A

Strings

msctls_updown32, xrefs: 005B4684
(_, xrefs: 005B46D0, 005B46EF

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: (_$msctls_updown32
API String ID: 4014797782-3480266186
Opcode ID: 5d38a2fafd6450b2e12b86a9401480a9b255a4d3e3f676fe148f19564aab2da3
Instruction ID: 85978dd5f08c2afb0a180bb0317e9abb773f97ca0223def0ff77db838fb0ae47
Opcode Fuzzy Hash: 5d38a2fafd6450b2e12b86a9401480a9b255a4d3e3f676fe148f19564aab2da3
Instruction Fuzzy Hash: 5A215EB5600209AFDB10DF68DC85DB73BADFF9A3A4B140059FA019B291CB71FC12DA60

Function 005B2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 005B2F8D
LoadLibraryW.KERNEL32(?), ref: 005B2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 005B2FA9
DestroyWindow.USER32(?), ref: 005B2FB1

Strings

SysAnimate32, xrefs: 005B2F68

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 0a48356a758a0cbb6efa8940e4807d654f7b111ef51eb04e64e415b569b1cb70
Instruction ID: 11febc03718f3efa59e81ff0b71da3b308a8720d1d007271ba9065eed5db3e3e
Opcode Fuzzy Hash: 0a48356a758a0cbb6efa8940e4807d654f7b111ef51eb04e64e415b569b1cb70
Instruction Fuzzy Hash: 0C219A71210209ABEF104F64DC8AEFB7BB9FB59364F100618F950D6190D771EC51AB70

Function 005B8FC9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00539BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00539BB2

GetCursorPos.USER32(?), ref: 005B9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00577711,?,?,?,?,?), ref: 005B9016
GetCursorPos.USER32(?), ref: 005B905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00577711,?,?,?), ref: 005B9094

Strings

(_, xrefs: 005B902E, 005B9064

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID: (_
API String ID: 2864067406-3503187703
Opcode ID: 8912b9829978bdeeb6effdcd7a2c7c4ee46c3b6ed03f6e744085bbcde17f7169
Instruction ID: bf334b42a4958d5d532667669d7f174deb9f371802c0cb91b4c6d0eb770f51a0
Opcode Fuzzy Hash: 8912b9829978bdeeb6effdcd7a2c7c4ee46c3b6ed03f6e744085bbcde17f7169
Instruction Fuzzy Hash: 06219F35600018EFCB259F94C898EFA7FB9FB8A350F144155FA058B2A1C375A950EB60

Function 00544D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00544D1E,005528E9,?,00544CBE,005528E9,005E88B8,0000000C,00544E15,005528E9,00000002), ref: 00544D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00544DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00544D1E,005528E9,?,00544CBE,005528E9,005E88B8,0000000C,00544E15,005528E9,00000002,00000000), ref: 00544DC3

Strings

mscoree.dll, xrefs: 00544D86
CorExitProcess, xrefs: 00544D98

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a362d90ce26e4fdfdae099efa1f9fa05145b71f903f0dbdd4f5a8d2f2280c067
Instruction ID: d5d6c67841c1e5d500fb4c4f34fda5363472a6c50ae47cc77a062b9d596957d5
Opcode Fuzzy Hash: a362d90ce26e4fdfdae099efa1f9fa05145b71f903f0dbdd4f5a8d2f2280c067
Instruction Fuzzy Hash: 59F0AF34A40208BBDB149F94DC49BEDBFF8FF54715F0001A8F809A62A0CB70A945DF94

Function 00524E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00524EDD,?,005F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00524E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00524EAE
FreeLibrary.KERNEL32(00000000,?,?,00524EDD,?,005F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00524EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00524EA8
kernel32.dll, xrefs: 00524E94

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: a55a89c0291d3face66b0093214304e8eff2c21decf66561332f4a148312c23a
Instruction ID: 5c0d92b3c0823a24a9cde40cc7e29a98b99df46f9e4a96540feb2968b0613a96
Opcode Fuzzy Hash: a55a89c0291d3face66b0093214304e8eff2c21decf66561332f4a148312c23a
Instruction Fuzzy Hash: C9E08636A016325BE2711729BC18A5F6E5CBF93F627060215FC00E2240DBA0DD0694A5

Function 00524E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00563CDE,?,005F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00524E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00524E74
FreeLibrary.KERNEL32(00000000,?,?,00563CDE,?,005F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00524E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00524E6E
kernel32.dll, xrefs: 00524E5B

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 6d08b9620f01d0fb15a2a86c9ef6d8528c18039483bb8856064aff0e58e5948e
Instruction ID: dafec29e41676dd36853013663d7dc7f962c972c436fe341ae9f41ff5b918cbf
Opcode Fuzzy Hash: 6d08b9620f01d0fb15a2a86c9ef6d8528c18039483bb8856064aff0e58e5948e
Instruction Fuzzy Hash: 64D0C23150263257AA221B297C0CD8F2E1CBF82B113060611F800B6260CF60DD02D9E9

Function 00592947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00592C05
DeleteFileW.KERNEL32(?), ref: 00592C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00592C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00592CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00592CC0

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 0910d3e26e6bd692defb00c95d125e4144c78389d49b3798eeb93646788db6bd
Instruction ID: f68160179dfd5e0d00b272aee2c39330fe315a401bfffc3f658aa815485eeb86
Opcode Fuzzy Hash: 0910d3e26e6bd692defb00c95d125e4144c78389d49b3798eeb93646788db6bd
Instruction Fuzzy Hash: 6FB11C72D0012ABBDF25DBA4CC89EDEBBBDFF49354F1040A6F509E6151EA309E448B61

Function 005AA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 005AA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 005AA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 005AA468
CloseHandle.KERNEL32(?), ref: 005AA63D

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 5f571daaee9ae377e2f822f4b4ec0c24ccdcbd8beaec07be65db8dd25c9afbba
Instruction ID: c7767dc5406385d92ec213379eb40dbf9b7cc422fa9702a07ace5cfe6ab88e49
Opcode Fuzzy Hash: 5f571daaee9ae377e2f822f4b4ec0c24ccdcbd8beaec07be65db8dd25c9afbba
Instruction Fuzzy Hash: 7BA18D716043019FDB20DF24D886B2ABBE5BF89714F14881DF55A9B2D2D7B0ED41CB92

Function 0055BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,005C3700), ref: 0055BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,005F121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0055BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,005F1270,000000FF,?,0000003F,00000000,?), ref: 0055BC36
_free.LIBCMT ref: 0055BB7F

Part of subcall function 005529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0055D7D1,00000000,00000000,00000000,00000000,?,0055D7F8,00000000,00000007,00000000,?,0055DBF5,00000000), ref: 005529DE
Part of subcall function 005529C8: GetLastError.KERNEL32(00000000,?,0055D7D1,00000000,00000000,00000000,00000000,?,0055D7F8,00000000,00000007,00000000,?,0055DBF5,00000000,00000000), ref: 005529F0

_free.LIBCMT ref: 0055BD4B

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: f83d9cc2dc6855cc8cd161945213338040f0bcd765bf4acb4003d9beb82d5f2a
Instruction ID: 9fb41806f2b0cc6c304fca5d41d4b97ed6fa7688d8c6f2782c748bfb760418fc
Opcode Fuzzy Hash: f83d9cc2dc6855cc8cd161945213338040f0bcd765bf4acb4003d9beb82d5f2a
Instruction Fuzzy Hash: 76512B7180020ADFEB10DFA58C999BEBFB8FF80321B10066BE850E7191EB709E48D754

Function 0058E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0058DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0058CF22,?), ref: 0058DDFD

Part of subcall function 0058DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0058CF22,?), ref: 0058DE16

Part of subcall function 0058E199: GetFileAttributesW.KERNEL32(?,0058CF95), ref: 0058E19A

lstrcmpiW.KERNEL32(?,?), ref: 0058E473
MoveFileW.KERNEL32(?,?), ref: 0058E4AC
_wcslen.LIBCMT ref: 0058E5EB
_wcslen.LIBCMT ref: 0058E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0058E650

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: a54b9571d313fefd132ab0e9835860fe8989724d5c2e05322e97450f418d4787
Instruction ID: 77a2e215aa7a4fa3fa08b6db0be289889d0a73ff7cafd232a14846425f8d770b
Opcode Fuzzy Hash: a54b9571d313fefd132ab0e9835860fe8989724d5c2e05322e97450f418d4787
Instruction Fuzzy Hash: 775194B24083455BD724EB90D8869DFBBECBFC5344F00092EF989E3191EF75A5888766

Function 005AB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00529CB3: _wcslen.LIBCMT ref: 00529CBD

Part of subcall function 005AC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005AB6AE,?,?), ref: 005AC9B5
Part of subcall function 005AC998: _wcslen.LIBCMT ref: 005AC9F1
Part of subcall function 005AC998: _wcslen.LIBCMT ref: 005ACA68
Part of subcall function 005AC998: _wcslen.LIBCMT ref: 005ACA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005ABAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005ABB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 005ABB63
RegCloseKey.ADVAPI32(?,?), ref: 005ABBA6
RegCloseKey.ADVAPI32(00000000), ref: 005ABBB3

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 65647e9285f1d710664d47db9ce818fbf8be69e901018deee040f83205264b27
Instruction ID: 374a91f98a519e5a2b01b11d1629191f5cd54a51b8b3a5ebb1d1cd1beb00b438
Opcode Fuzzy Hash: 65647e9285f1d710664d47db9ce818fbf8be69e901018deee040f83205264b27
Instruction Fuzzy Hash: 7461A231208245AFD714DF14C494E2ABFE5FF86308F14895CF4998B2A2DB31ED45CBA2

Function 00588BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00588BCD
VariantClear.OLEAUT32 ref: 00588C3E
VariantClear.OLEAUT32 ref: 00588C9D
VariantClear.OLEAUT32(?), ref: 00588D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00588D3B

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 8058ac2d7265c30a92503b199e84e4b71c67ebe218d93dc1cb599219141c94d3
Instruction ID: d181e8deed7f8186bdefd306a39c25b74326e71b8558c9de7009156a1902793f
Opcode Fuzzy Hash: 8058ac2d7265c30a92503b199e84e4b71c67ebe218d93dc1cb599219141c94d3
Instruction Fuzzy Hash: F85169B5A01219EFCB14DF68C894AAABBF8FF89310B158559ED05EB354E730E911CF90

Function 00598AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00598BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00598BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00598C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00598C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00598C5F

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 5dd8c8d956c749dcad5ceb20baf551b247f43a198212112c76bc486ad22b25f6
Instruction ID: 76a7e9d7725fe861352df056d29411af3c28bd007cd0948bec61cc79718d6633
Opcode Fuzzy Hash: 5dd8c8d956c749dcad5ceb20baf551b247f43a198212112c76bc486ad22b25f6
Instruction Fuzzy Hash: 2E513835A002199FCB05DF64C885A69BBF5FF89314F088458E849AB3A2DB35ED51DB90

Function 005A8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 005A8F40
GetProcAddress.KERNEL32(00000000,?), ref: 005A8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 005A8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 005A9032
FreeLibrary.KERNEL32(00000000), ref: 005A9052

Part of subcall function 0053F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00591043,?,7644E610), ref: 0053F6E6
Part of subcall function 0053F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0057FA64,00000000,00000000,?,?,00591043,?,7644E610,?,0057FA64), ref: 0053F70D

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: f5bc57558b8b90a9dfd35b7dc908e1cf6052ae0ed5964cfb73534c5e365b02ce
Instruction ID: 2327bbf0230121725cd9d25604984c03c2550a0f4da7c0831842b731047de43a
Opcode Fuzzy Hash: f5bc57558b8b90a9dfd35b7dc908e1cf6052ae0ed5964cfb73534c5e365b02ce
Instruction Fuzzy Hash: 66511935604216DFC715DF58C4988ADBFB1FF8A314F0881A9E816AB362DB31ED85CB90

Function 00552051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005520C3
_free.LIBCMT ref: 005520E3

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 74cbd2d9a4537f25b8b6ab948c0e8d65a15d62f47aa0afc2332fa56d86610490
Instruction ID: 6660d7b20255ad0e2e77255ef05003e2613651b1c5fccc8721ac94554bb3e2e2
Opcode Fuzzy Hash: 74cbd2d9a4537f25b8b6ab948c0e8d65a15d62f47aa0afc2332fa56d86610490
Instruction Fuzzy Hash: 6741D232A002009FCB24DF78C995A5EBBB5FF8A314F15456AE915EB3A1D731ED05DB80

Function 0053912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00539141
ScreenToClient.USER32(00000000,?), ref: 0053915E
GetAsyncKeyState.USER32(00000001), ref: 00539183
GetAsyncKeyState.USER32(00000002), ref: 0053919D

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 332512103cae5ad2b1ae150693f490b3a4a35227cbace9fa9d7096e0c486874c
Instruction ID: 3e2232b8b08684002578e5e8e2c0e4b71c23f226704c290178a9d1d7ef64302d
Opcode Fuzzy Hash: 332512103cae5ad2b1ae150693f490b3a4a35227cbace9fa9d7096e0c486874c
Instruction Fuzzy Hash: ED415E71A0850BBBDF159F64D848BEEBB74FB49320F208219E429A2290C7706954DFA1

Function 00593874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 005938CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00593922
TranslateMessage.USER32(?), ref: 0059394B
DispatchMessageW.USER32(?), ref: 00593955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00593966

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: cd8ad67ac7fa226325017e3fd0267d4b1b7e479907640bbdc30029e90ad5ec75
Instruction ID: a27855e6102014b3c9977e957fc296af2367682c83a06018b4aac20120476877
Opcode Fuzzy Hash: cd8ad67ac7fa226325017e3fd0267d4b1b7e479907640bbdc30029e90ad5ec75
Instruction Fuzzy Hash: 2C31A270904642DEEF35CF249848BB63FA8FB25344F04096DE466C61E0E7A8AA89DB15

Function 0059CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0059C21E,00000000), ref: 0059CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0059CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0059C21E,00000000), ref: 0059CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0059C21E,00000000), ref: 0059CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0059C21E,00000000), ref: 0059CFF2

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 72b83cd58779f6f24f1b1bf8c91bba0818af22887439362b359ce5f0c2f5e950
Instruction ID: 22ad52cf27ff762079aafeedc7baf63d2c0b9b5bc9cd26337e53814d2f8e7765
Opcode Fuzzy Hash: 72b83cd58779f6f24f1b1bf8c91bba0818af22887439362b359ce5f0c2f5e950
Instruction Fuzzy Hash: E2315971A00206EFDF20DFA5C888AABBFF9FB54354B10442EF506D2241EB30AE44DB60

Function 00581901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00581915
PostMessageW.USER32(00000001,00000201,00000001), ref: 005819C1
Sleep.KERNEL32(00000000,?,?,?), ref: 005819C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 005819DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 005819E2

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 5d39cfbcd0157e1378332716c296ad2b57eb0b549a3ba1d4b835281dd88e5102
Instruction ID: 36a57f4aafb68e11eba5f1d76942dd8ccb27bd707a27f19d1fd1f94ef7338621
Opcode Fuzzy Hash: 5d39cfbcd0157e1378332716c296ad2b57eb0b549a3ba1d4b835281dd88e5102
Instruction Fuzzy Hash: 5D31BE71A00219EFCB00DFACC999AAE3FB9FB04314F104225FD61AB2D0C770A945DB94

Function 005B5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 005B5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 005B579D
_wcslen.LIBCMT ref: 005B57AF
_wcslen.LIBCMT ref: 005B57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 005B5816

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: eb298b1d412883f406c124e79d12785b1d1eab32d099494e14e128b99e798f4c
Instruction ID: 25620522a1285fbde66eef9d3b03ba70434b2ad870ff7c21f770f42df0c5e10c
Opcode Fuzzy Hash: eb298b1d412883f406c124e79d12785b1d1eab32d099494e14e128b99e798f4c
Instruction Fuzzy Hash: 38217171904618EADB209FA4CC85BEE7FB8FF54764F108616F929EB180E770A985CF50

Function 005A0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 005A0951
GetForegroundWindow.USER32 ref: 005A0968
GetDC.USER32(00000000), ref: 005A09A4
GetPixel.GDI32(00000000,?,00000003), ref: 005A09B0
ReleaseDC.USER32(00000000,00000003), ref: 005A09E8

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: e83ae86ae193bffe878daa2d6d7658563261eea7667f72ed53ae1575e2bdd25e
Instruction ID: d6aa29661abe00e4492aa8dd87894fa44e74fc5e70aa6bf6c8ef2c86cdd071c2
Opcode Fuzzy Hash: e83ae86ae193bffe878daa2d6d7658563261eea7667f72ed53ae1575e2bdd25e
Instruction Fuzzy Hash: F7216235600214AFDB44EF69D949A5EBFE9FF85700F048568E84A97792DB30AC04DB50

Function 0055CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0055CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0055CDE9

Part of subcall function 00553820: RtlAllocateHeap.NTDLL(00000000,?,005F1444,?,0053FDF5,?,?,0052A976,00000010,005F1440,005213FC,?,005213C6,?,00521129), ref: 00553852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0055CE0F
_free.LIBCMT ref: 0055CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0055CE31

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: b8de0a813d73667e43b941f90edad676d8d457d6de68245f60f4b152db795662
Instruction ID: ed66ebb59d7383905ac402f9b42650d98064af381dbcecc8b2a338f74ff4a443
Opcode Fuzzy Hash: b8de0a813d73667e43b941f90edad676d8d457d6de68245f60f4b152db795662
Instruction Fuzzy Hash: 0D01FC726013157F232216BA6C5EC7F7D6DFEC7BA2315022BFD05D7200DA619D0991B4

Function 00539639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00539693
SelectObject.GDI32(?,00000000), ref: 005396A2
BeginPath.GDI32(?), ref: 005396B9
SelectObject.GDI32(?,00000000), ref: 005396E2

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: e7f99f4d4f8b5d34093a73da8ea2b0a4fbde4337ba6e9ac5b0873cd9d83b0368
Instruction ID: 97a9d93d791892336cf30f5931193b7792d6e4c23eab83a4a9cec6c905423b0e
Opcode Fuzzy Hash: e7f99f4d4f8b5d34093a73da8ea2b0a4fbde4337ba6e9ac5b0873cd9d83b0368
Instruction Fuzzy Hash: 94217FB0802709EBDB119F69EE197B93FA8BB60315F104616F410E61A0D3F45899EFD8

Function 00585711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00585726
_memcmp.LIBVCRUNTIME ref: 00585744
_memcmp.LIBVCRUNTIME ref: 00585757
_memcmp.LIBVCRUNTIME ref: 0058576F
_memcmp.LIBVCRUNTIME ref: 00585787

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 78e7d8d841ee572913f3f8f3f355d4829d85a90800476f83d49baac30a6fe80f
Instruction ID: 5822570213de437c4b8494430ab3721cfe4ecb1a6cd4eb617b2c939b48d7ba26
Opcode Fuzzy Hash: 78e7d8d841ee572913f3f8f3f355d4829d85a90800476f83d49baac30a6fe80f
Instruction Fuzzy Hash: AA019275645A0ABBE20865109D82EFA7F5CFB613D8F408420FE05EA241F660FD5083A8

Function 00552DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0054F2DE,00553863,005F1444,?,0053FDF5,?,?,0052A976,00000010,005F1440,005213FC,?,005213C6), ref: 00552DFD
_free.LIBCMT ref: 00552E32
_free.LIBCMT ref: 00552E59
SetLastError.KERNEL32(00000000,00521129), ref: 00552E66
SetLastError.KERNEL32(00000000,00521129), ref: 00552E6F

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 09bc1fcfc31839a8f2dc9d5e1cf91cd6ca9dc5209339e83e88e25c04e28bd46c
Instruction ID: e659e877062dd24f6b21f29154ddd0b99110218f9b07dea88b8d19a58330dd99
Opcode Fuzzy Hash: 09bc1fcfc31839a8f2dc9d5e1cf91cd6ca9dc5209339e83e88e25c04e28bd46c
Instruction Fuzzy Hash: 7501D636105A0167871227746C6BD3B2E6DBBE33B7F24452BFC65A2292EA249C0D5320

Function 0058000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0057FF41,80070057,?,?,?,0058035E), ref: 0058002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0057FF41,80070057,?,?), ref: 00580046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0057FF41,80070057,?,?), ref: 00580054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0057FF41,80070057,?), ref: 00580064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0057FF41,80070057,?,?), ref: 00580070

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: b802ef10df720e4d9570330194703c4a5b7b1aac472c55bef251aac918a49edc
Instruction ID: 0769abdc5c3671f8d877f02854e479d43b4131c32ea4435a7019775f0a99409b
Opcode Fuzzy Hash: b802ef10df720e4d9570330194703c4a5b7b1aac472c55bef251aac918a49edc
Instruction Fuzzy Hash: E701B872600204EFDB906F69DC08BAA7EADEF44392F145224FC05E2250E771ED08ABA0

Function 005810F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00581114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00580B9B,?,?,?), ref: 00581120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00580B9B,?,?,?), ref: 0058112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00580B9B,?,?,?), ref: 00581136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0058114D

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 7c310b46b6e230df729d1dfd898d6bb39c81c82c1256d5904fb23839181cd6eb
Instruction ID: a139880ca4bc3f5c1bdc18dc6405b4069b0fab20c48842c78a3a17d4dd9e7c1a
Opcode Fuzzy Hash: 7c310b46b6e230df729d1dfd898d6bb39c81c82c1256d5904fb23839181cd6eb
Instruction Fuzzy Hash: A5016975200605BFDB515FA8DC4DAAA3F6EFF893A0B200419FA41E3360DA31EC00EB64

Function 00580FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00580FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00580FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00580FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00580FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00581002

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 4b0e7bc37e75927c5ef03d6697f2a2a3718ef4841bd5082f0e9b56632dbb1376
Instruction ID: da963179230029e13e34fd478b1ad875425a892868b1dca0054f08ece0d61abc
Opcode Fuzzy Hash: 4b0e7bc37e75927c5ef03d6697f2a2a3718ef4841bd5082f0e9b56632dbb1376
Instruction Fuzzy Hash: 03F0A975200305EBDB212FA99C4DF5A3FADFF99762F100425FA05E6250DA30EC409B64

Function 00581014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0058102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00581036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00581045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0058104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00581062

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 7f3a7d843088baa22b60ca5ce8bae7f78181197eba5b6ea5aa78649664fb72c8
Instruction ID: 5cade6e077317f393348236281f314b0e0217e74ef410b7a66b74c2c9d865dc5
Opcode Fuzzy Hash: 7f3a7d843088baa22b60ca5ce8bae7f78181197eba5b6ea5aa78649664fb72c8
Instruction Fuzzy Hash: 12F0A975200305EBDB212FAAEC4CF5B3FADFF99761F100425FA05E6250CA30E8409B64

Function 0059030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0059017D,?,005932FC,?,00000001,00562592,?), ref: 00590324
CloseHandle.KERNEL32(?,?,?,?,0059017D,?,005932FC,?,00000001,00562592,?), ref: 00590331
CloseHandle.KERNEL32(?,?,?,?,0059017D,?,005932FC,?,00000001,00562592,?), ref: 0059033E
CloseHandle.KERNEL32(?,?,?,?,0059017D,?,005932FC,?,00000001,00562592,?), ref: 0059034B
CloseHandle.KERNEL32(?,?,?,?,0059017D,?,005932FC,?,00000001,00562592,?), ref: 00590358
CloseHandle.KERNEL32(?,?,?,?,0059017D,?,005932FC,?,00000001,00562592,?), ref: 00590365

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 2b6ff41047de206ad0009c099dcaadd02568b4de654a7c89a0688541bc8a34ef
Instruction ID: 24475d4993225d98dc47e6dc83d6f5f8e811944f360101244c4717e83edcea55
Opcode Fuzzy Hash: 2b6ff41047de206ad0009c099dcaadd02568b4de654a7c89a0688541bc8a34ef
Instruction Fuzzy Hash: AA019C72800B159FCB30AF6AD880816FBF9BF602153159E3ED19652971C3B1A958DE80

Function 0055D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0055D752

Part of subcall function 005529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0055D7D1,00000000,00000000,00000000,00000000,?,0055D7F8,00000000,00000007,00000000,?,0055DBF5,00000000), ref: 005529DE
Part of subcall function 005529C8: GetLastError.KERNEL32(00000000,?,0055D7D1,00000000,00000000,00000000,00000000,?,0055D7F8,00000000,00000007,00000000,?,0055DBF5,00000000,00000000), ref: 005529F0

_free.LIBCMT ref: 0055D764
_free.LIBCMT ref: 0055D776
_free.LIBCMT ref: 0055D788
_free.LIBCMT ref: 0055D79A

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4afc18e938d548e258159d9123abc8c90a4c5a504c78078df8c41250640e5c30
Instruction ID: d00f5848e50bc9f4742c1f08a80fd5bd95588d0cdcb4a81b0eb9b4d6dc476a52
Opcode Fuzzy Hash: 4afc18e938d548e258159d9123abc8c90a4c5a504c78078df8c41250640e5c30
Instruction Fuzzy Hash: 76F03C33514259AB8629EB64F9D5D567FFDFB49312BA40806F889EB602C720FC888670

Function 00585C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00585C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00585C6F
MessageBeep.USER32(00000000), ref: 00585C87
KillTimer.USER32(?,0000040A), ref: 00585CA3
EndDialog.USER32(?,00000001), ref: 00585CBD

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: fbdfb89983d8d7aa7a7b5bc71d5f2ef5f0214899ac3c3be3e814fe395767575c
Instruction ID: 520c20bbdccdebc650778a09199becc28e6b3b0a25dc31bb2d47fb93b8b4970a
Opcode Fuzzy Hash: fbdfb89983d8d7aa7a7b5bc71d5f2ef5f0214899ac3c3be3e814fe395767575c
Instruction Fuzzy Hash: 4A018630500B04ABEB216F14DD4EFA67FB8BF10B05F001659A983B14E1EBF0AD889F94

Function 005522A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 005522BE

Part of subcall function 005529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0055D7D1,00000000,00000000,00000000,00000000,?,0055D7F8,00000000,00000007,00000000,?,0055DBF5,00000000), ref: 005529DE
Part of subcall function 005529C8: GetLastError.KERNEL32(00000000,?,0055D7D1,00000000,00000000,00000000,00000000,?,0055D7F8,00000000,00000007,00000000,?,0055DBF5,00000000,00000000), ref: 005529F0

_free.LIBCMT ref: 005522D0
_free.LIBCMT ref: 005522E3
_free.LIBCMT ref: 005522F4
_free.LIBCMT ref: 00552305

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 538a9b4f90c3a7f399b4009874ad4af3fda8a9ac212fd76a0d4097288d3d154a
Instruction ID: e089f807f6cd22eee2c7701099f45155f839f998c40b1d80b8af1bdf89f60daa
Opcode Fuzzy Hash: 538a9b4f90c3a7f399b4009874ad4af3fda8a9ac212fd76a0d4097288d3d154a
Instruction Fuzzy Hash: 11F054784005119B8616AF99BC558683F74F73A752F041507F818E63B2C739445EFFE8

Function 005395C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 005395D4
StrokeAndFillPath.GDI32(?,?,005771F7,00000000,?,?,?), ref: 005395F0
SelectObject.GDI32(?,00000000), ref: 00539603
DeleteObject.GDI32 ref: 00539616
StrokePath.GDI32(?), ref: 00539631

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 3d71965261e74c30db9a070ee4f40aac361a7921d29908255e3407ad5bf23d09
Instruction ID: 8f6a08509bb903b5a1fbd163d8fceedd2e755b9ae02f395265644a3bd4f7b350
Opcode Fuzzy Hash: 3d71965261e74c30db9a070ee4f40aac361a7921d29908255e3407ad5bf23d09
Instruction Fuzzy Hash: CFF03C30006A08EBDB126F69EE1D7793F65BB20322F048314F465950F0C7B89999EFA8

Function 00550F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 005510F9
__freea.LIBCMT ref: 00551117

Part of subcall function 00551537: _free.LIBCMT ref: 0055154F

Strings

am/pm, xrefs: 0055117A
a/p, xrefs: 005511DE

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 29e3b6562fc4174c8fa929cc52f202f8922dfcff4c03af7b0ac6812b9ede15f4
Instruction ID: 618f01121c051bdf72503e69896e72d8dbf16e2623c5c1cc83ae28511100031d
Opcode Fuzzy Hash: 29e3b6562fc4174c8fa929cc52f202f8922dfcff4c03af7b0ac6812b9ede15f4
Instruction Fuzzy Hash: 1CD1F235900A069BCB249F68C879BFABFB1FF05702F25095BED019B690D3359D88CB59

Function 005A61D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00540242: EnterCriticalSection.KERNEL32(005F070C,005F1884,?,?,0053198B,005F2518,?,?,?,005212F9,00000000), ref: 0054024D
Part of subcall function 00540242: LeaveCriticalSection.KERNEL32(005F070C,?,0053198B,005F2518,?,?,?,005212F9,00000000), ref: 0054028A

Part of subcall function 005400A3: __onexit.LIBCMT ref: 005400A9

__Init_thread_footer.LIBCMT ref: 005A6238

Part of subcall function 005401F8: EnterCriticalSection.KERNEL32(005F070C,?,?,00538747,005F2514), ref: 00540202
Part of subcall function 005401F8: LeaveCriticalSection.KERNEL32(005F070C,?,00538747,005F2514), ref: 00540235

Part of subcall function 0059359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 005935E4
Part of subcall function 0059359C: LoadStringW.USER32(005F2390,?,00000FFF,?), ref: 0059360A

Strings

x#_, xrefs: 005A6353
x#_, xrefs: 005A636F
x#_, xrefs: 005A633A

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#_$x#_$x#_
API String ID: 1072379062-2414400457
Opcode ID: 7fb93074c9ab5c223b23637a3f46eb4f0968c459ed3a7caf29276e68405c3dd1
Instruction ID: 028cbd30f5e2c77cf5346aade1e02ac02d0cea0926d57165afb95cc39eb22dad
Opcode Fuzzy Hash: 7fb93074c9ab5c223b23637a3f46eb4f0968c459ed3a7caf29276e68405c3dd1
Instruction Fuzzy Hash: BAC17E71A0010AAFDB14DF58C895EBEBBB9FF49300F148469F915AB291DB70ED45CB90

Function 00555AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JOR, xrefs: 00555BA8, 00555C6C

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID:
String ID: JOR
API String ID: 0-1892200982
Opcode ID: 01578baeb9acbd259be534570c9f0bdbaa9ee8f22c577aeb96ccf12c1b238b95
Instruction ID: f1d7dd6b21ecbe12e6e06401dd4c3928565127a6e32b9963cc0831c4d3fa049e
Opcode Fuzzy Hash: 01578baeb9acbd259be534570c9f0bdbaa9ee8f22c577aeb96ccf12c1b238b95
Instruction Fuzzy Hash: 5051D175D0060A9BCB119FA8C879EEE7FB4BF45326F14005BF801A7291E6719E09DB61

Function 00558A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00558B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00558B7A
__dosmaperr.LIBCMT ref: 00558B81

Strings

.T, xrefs: 00558A63

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .T
API String ID: 2434981716-3315649315
Opcode ID: a6c820e536357aee38b6f87eca5d64f98a0bcf8e348fa7260941365041440e0a
Instruction ID: 7475f496775c9e825a4e31826cf9631a7de26a31489083b8ffa0cf5ecad58009
Opcode Fuzzy Hash: a6c820e536357aee38b6f87eca5d64f98a0bcf8e348fa7260941365041440e0a
Instruction Fuzzy Hash: 3A418EB0604045AFDB249F28CCA0A797FA9FB85325F2C459BFC85A7652DE31CC0AD750

Function 00582716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0058B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005821D0,?,?,00000034,00000800,?,00000034), ref: 0058B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00582760

Part of subcall function 0058B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005821FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0058B3F8

Part of subcall function 0058B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0058B355
Part of subcall function 0058B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00582194,00000034,?,?,00001004,00000000,00000000), ref: 0058B365
Part of subcall function 0058B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00582194,00000034,?,?,00001004,00000000,00000000), ref: 0058B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005827CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0058281A

Strings

@, xrefs: 00582832

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: aad66e85ad57fa11f682e7316b9b14510e22eeb6f7d8b95836d0398720b0dbc6
Instruction ID: ffd9cecbbe1859d1e3e636f3f177346c15b60894b9b82cd9e53bd59d8eaf74a3
Opcode Fuzzy Hash: aad66e85ad57fa11f682e7316b9b14510e22eeb6f7d8b95836d0398720b0dbc6
Instruction Fuzzy Hash: 22412A72900219AFDB10EFA4C956AEEBBB8FF49300F104059EA55B7191DA706E45CBA0

Function 0055172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00551769
_free.LIBCMT ref: 00551834
_free.LIBCMT ref: 0055183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00551760, 00551767, 00551796, 005517CE

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-3695852857
Opcode ID: 76370b318174f3086361eb13965c1fb06b40b43e0814f464e38d8f3453e77de9
Instruction ID: 3043bd8cac982817de41c42e8f505c6531a17bc5a86ab23c1516f4bdc699473f
Opcode Fuzzy Hash: 76370b318174f3086361eb13965c1fb06b40b43e0814f464e38d8f3453e77de9
Instruction Fuzzy Hash: E4319F75A00618EBCB21DB999C95EAEBFFCFB99311B104167F804D7211D6B08E48DB98

Function 0058C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0058C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0058C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,005F1990,00EC5E88), ref: 0058C395

Strings

0, xrefs: 0058C2DF

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 310b289d9dfd567eac1b85a612b50e4953bcf28dbca4905d98a0d8ad5111a9e3
Instruction ID: a7b27b68d9d91a6a7d6c544f1102605770e27377bd0e09095c4e1ece059627a6
Opcode Fuzzy Hash: 310b289d9dfd567eac1b85a612b50e4953bcf28dbca4905d98a0d8ad5111a9e3
Instruction Fuzzy Hash: 0A418F312043029FD720EF25D845B5ABFE8BF85310F148A1DFDA5A72D1DB30A905CB62

Function 005B4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,005BCC08,00000000,?,?,?,?), ref: 005B44AA
GetWindowLongW.USER32 ref: 005B44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 005B44D7

Strings

SysTreeView32, xrefs: 005B447C

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: d5d14f95c47c194657df6d01027c1ca4b13ac5cf37bc5b3820255df8c92b054a
Instruction ID: 74573e9a9a7cb5b115c41c603f827b2c120d60eb7b115f6dd479b26181aa1372
Opcode Fuzzy Hash: d5d14f95c47c194657df6d01027c1ca4b13ac5cf37bc5b3820255df8c92b054a
Instruction Fuzzy Hash: 33317A71210606AFDF208E38DC49BEA7FA9FB49324F204725F975921E1D770AC619B60

Function 005B4537 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 005B461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 005B4634

Strings

(_, xrefs: 005B45D7
', xrefs: 005B458E

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: MessageSend
String ID: '$(_
API String ID: 3850602802-497487526
Opcode ID: ae5c4076304c7f56155dc3bf4d3f0521d5e3ff0ca87f884e36c63e3fff3f69a7
Instruction ID: 2f0be6ea90e1e15b68c283d8603530e92647ae4dcb75b0c70072123901a6e5e6
Opcode Fuzzy Hash: ae5c4076304c7f56155dc3bf4d3f0521d5e3ff0ca87f884e36c63e3fff3f69a7
Instruction Fuzzy Hash: 46313874A0061A9FDB24CFA9C980BEA7BB5FF49300F10406AE905EB382D770A941DF90

Function 00586E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00586EED
VariantCopyInd.OLEAUT32(?,?), ref: 00586F08
VariantClear.OLEAUT32(?), ref: 00586F12

Strings

*jX, xrefs: 00586E8B, 00586E90, 00586EF8

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jX
API String ID: 2173805711-809058511
Opcode ID: 2b38ec2c5e8f458df7ae7c3ea1b86c9d4a0966f9425bc34001fcec0260b89cc6
Instruction ID: 99972bd93cc172b1ad5aca2db5d99937f208944fba8ae47b5ba89bf7f068b758
Opcode Fuzzy Hash: 2b38ec2c5e8f458df7ae7c3ea1b86c9d4a0966f9425bc34001fcec0260b89cc6
Instruction Fuzzy Hash: DF31B371604256DFDB05BF64E8569BE7F75FF89300B1008A8FE025B2A1C730D951DBA4

Function 005A304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 005A335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,005A3077,?,?), ref: 005A3378

inet_addr.WSOCK32(?), ref: 005A307A
_wcslen.LIBCMT ref: 005A309B
htons.WSOCK32(00000000), ref: 005A3106

Strings

255.255.255.255, xrefs: 005A3095, 005A309A

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: b6fd134728f32749b88d46a98537ef8a67cc89ea23c42e50777aa4aa3f1b8a1a
Instruction ID: d4e8735db7c085390d51cfde0142a94496dbb609c3c74f87436e718a0d5b4247
Opcode Fuzzy Hash: b6fd134728f32749b88d46a98537ef8a67cc89ea23c42e50777aa4aa3f1b8a1a
Instruction Fuzzy Hash: 72318F396042059FCB10CF68C58AAAE7FE0FF56318F248559F9158B3A2DB72EE45C760

Function 005895AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0058961D

Strings

#notrayicon, xrefs: 005895B7
#requireadmin, xrefs: 005895D9
#OnAutoItStartRegister, xrefs: 005895F3

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: a9855a5624abbc06e25546e72b10168cb63d77fde54b5b45c639872b2476c50b
Instruction ID: e8a5d9d0d80daecf73e600237c7b1126abec24a5dcbf5a2438f7dbcf29b129dd
Opcode Fuzzy Hash: a9855a5624abbc06e25546e72b10168cb63d77fde54b5b45c639872b2476c50b
Instruction Fuzzy Hash: B3212332204622A6C331BA259C06FBB7F98BF96304F184426FD49A7081EB51AD51C395

Function 005B37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 005B3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 005B3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 005B3876

Strings

Listbox, xrefs: 005B380F

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: ec9bdb8f83e6cd98825b9ae28238a5d75a364b8f2e98ec269ad762d7cf3413ab
Instruction ID: 2efaf42bd55e61df675239373040aae3f94044fb50de5ec31778a14abb19542a
Opcode Fuzzy Hash: ec9bdb8f83e6cd98825b9ae28238a5d75a364b8f2e98ec269ad762d7cf3413ab
Instruction Fuzzy Hash: 9821BE72610218BBEB218F64DC85EFB3B6EFF99750F108124F900AB190CA71ED5287A0

Function 005949F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00594A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00594A5C
SetErrorMode.KERNEL32(00000000,?,?,005BCC08), ref: 00594AD0

Strings

%lu, xrefs: 00594A6F

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 031086dc0b099d896534f5fc51502325ac5c95506e226ee122cdd984ee41b761
Instruction ID: f25530382a525a6354efa320b75154fb76d8581eee4e3af7a2772cd463596d0b
Opcode Fuzzy Hash: 031086dc0b099d896534f5fc51502325ac5c95506e226ee122cdd984ee41b761
Instruction Fuzzy Hash: 1C314D75A00109AFDB10DF54C885EAABBF9FF49308F1440A5E905EB352D771ED46CB61

Function 005B41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 005B424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 005B4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 005B4271

Strings

msctls_trackbar32, xrefs: 005B4226

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 4fab09b95316d38486fadf12ef5318be25da1edd7263f0cbdc0498021ce5c810
Instruction ID: a7f201112d67f3b434a955df2e8cb81cfa1b3c50795e315bf864751d56a7ce85
Opcode Fuzzy Hash: 4fab09b95316d38486fadf12ef5318be25da1edd7263f0cbdc0498021ce5c810
Instruction Fuzzy Hash: DC11C131240248BEEF205E29CC06FFB7BACFF95B54F010514FA55E6091D271E811EB50

Function 00582F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00526B57: _wcslen.LIBCMT ref: 00526B6A

Part of subcall function 00582DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00582DC5
Part of subcall function 00582DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00582DD6
Part of subcall function 00582DA7: GetCurrentThreadId.KERNEL32 ref: 00582DDD
Part of subcall function 00582DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00582DE4

GetFocus.USER32 ref: 00582F78

Part of subcall function 00582DEE: GetParent.USER32(00000000), ref: 00582DF9

GetClassNameW.USER32(?,?,00000100), ref: 00582FC3
EnumChildWindows.USER32(?,0058303B), ref: 00582FEB

Strings

%s%d, xrefs: 00582FFF

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 38b5382421b70536994c7d58549e0e30fa8c34906494f435b4ab3e5c82207ca3
Instruction ID: 51d6f969ad89f55520775923976c3914fd6f345639f462526e0070ba9284aab0
Opcode Fuzzy Hash: 38b5382421b70536994c7d58549e0e30fa8c34906494f435b4ab3e5c82207ca3
Instruction Fuzzy Hash: C5119075600206ABCF55BF649C99EED3F6ABFD4304F044075BD09AB192DE30A94A9B70

Function 005B5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 005B58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 005B58EE
DrawMenuBar.USER32(?), ref: 005B58FD

Strings

0, xrefs: 005B588F

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 5584de06e95b4c96328180fa3d6ebee5dd360ae0a91872d1f5f65c6326168919
Instruction ID: ec1c1ae0ea4500a18599864f896d0f320bfe3fbc85b525d464186219644615c6
Opcode Fuzzy Hash: 5584de06e95b4c96328180fa3d6ebee5dd360ae0a91872d1f5f65c6326168919
Instruction Fuzzy Hash: 24016131500219EFDB619F11DC44BEEBFB8FB45360F148499F849D6151EB30AA84EF21

Function 005B7803 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,005F18B0,005BA364,000000FC,?,00000000,00000000,?,?,?,005776CF,?,?,?,?,?), ref: 005B7805
GetFocus.USER32 ref: 005B780D

Part of subcall function 00539BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00539BB2

Part of subcall function 00539944: GetWindowLongW.USER32(?,000000EB), ref: 00539952

SendMessageW.USER32(?,000000B0,000001BC,000001C0), ref: 005B787A

Strings

(_, xrefs: 005B7841, 005B7852

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Window$Long$FocusForegroundMessageSend
String ID: (_
API String ID: 3601265619-3503187703
Opcode ID: 4b0ce425f2218f70067275217d6f91af63ad0e2d9b709d2c2a6ccced53c40e2e
Instruction ID: 6ecea363432fe8ab2b4b6b0003e09ca83a792ea81437b351afc7f7968fc5d3f4
Opcode Fuzzy Hash: 4b0ce425f2218f70067275217d6f91af63ad0e2d9b709d2c2a6ccced53c40e2e
Instruction Fuzzy Hash: 59012C31605510CFD725DB28D958AB63BE6BFDA320F18026DE5158B2A1DB717C0ACB94

Function 0057D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0057D3BF
FreeLibrary.KERNEL32 ref: 0057D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0057D3B9
X64, xrefs: 0057D2A8

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: c233b043cf56a252d9ffcb20d758d1c6061a71c2cae1ee89389d682a33b2d647
Instruction ID: 7d1fde2588675a6c958237cdb0a849e23bdb94e1c45e4296cf814136b2b33c4f
Opcode Fuzzy Hash: c233b043cf56a252d9ffcb20d758d1c6061a71c2cae1ee89389d682a33b2d647
Instruction Fuzzy Hash: 3BF05525801A248BC7B102106C58AA93F74BF10B01FA5CE15F80EF5146EB64DC46B2BA

Function 0058007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7277baca274e27b7904d62a4ce1f1f8a823a4bdb480cdc483fa11da05dff266
Instruction ID: e15fc1e4d22cf6e15a14a26df9ff24fd4a4ddce3c9a1e3e2c59b65ccb9351d8d
Opcode Fuzzy Hash: d7277baca274e27b7904d62a4ce1f1f8a823a4bdb480cdc483fa11da05dff266
Instruction Fuzzy Hash: 69C18075A00206EFDB54DF94C888EAEBBB5FF48314F209598E805EB291D770ED45DB50

Function 005A342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 005A3459
CoUninitialize.OLE32 ref: 005A3463
VariantInit.OLEAUT32(?), ref: 005A346E
VariantClear.OLEAUT32(?), ref: 005A371B

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: db99575bd7ae0cff7d9e132b154933feae892bb73fcf900fb9d64dd59b4f82e0
Instruction ID: 9da74b9bf2387f3d81726c8dbcf60beeec3803b0226a1e6f3b825d212fa8b29b
Opcode Fuzzy Hash: db99575bd7ae0cff7d9e132b154933feae892bb73fcf900fb9d64dd59b4f82e0
Instruction Fuzzy Hash: FCA13B756042119FC700DF28D589A2EBBE5FF8E714F048859F98A9B3A2DB30EE05CB51

Function 00580436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,005BFC08,?), ref: 005805F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,005BFC08,?), ref: 00580608
CLSIDFromProgID.OLE32(?,?,00000000,005BCC40,000000FF,?,00000000,00000800,00000000,?,005BFC08,?), ref: 0058062D
_memcmp.LIBVCRUNTIME ref: 0058064E

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 168297fce97d42b34c13a6c9affc818f824d923026fcd3460e3cb0b64b7b068d
Instruction ID: c84c84d10f55c45eefc8ed08fbe7349719af32ed95d721fb4557b7baa718c264
Opcode Fuzzy Hash: 168297fce97d42b34c13a6c9affc818f824d923026fcd3460e3cb0b64b7b068d
Instruction Fuzzy Hash: C981FC71A00109EFCB44DF94C984DEEBBB9FF89315F104558E516BB290DB71AE0ACB60

Function 00561391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005614C0

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 40eeecf63112f47984268c344bf1185e2c82d6b290bd99c27c845253d4d29908
Instruction ID: 842835827242d800170ae844a9cd57cc4fe89e35031ae02c224668c7c79abec0
Opcode Fuzzy Hash: 40eeecf63112f47984268c344bf1185e2c82d6b290bd99c27c845253d4d29908
Instruction Fuzzy Hash: 1A414B35A00912ABDF216BFC8C4A6BE3EA4FF81371F1C4626F819D7292EE7488415765

Function 005A1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 005A1AFD
WSAGetLastError.WSOCK32 ref: 005A1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 005A1B8A
WSAGetLastError.WSOCK32 ref: 005A1B94

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: ebf4d95c9768b2224ecc0734a19c4ac0189935de6598e7dab447a2660d7bd10b
Instruction ID: 1bb176938f51b1275e457555cf1c1f9f4ff36793959ecc0d48439ff1ed6fcddb
Opcode Fuzzy Hash: ebf4d95c9768b2224ecc0734a19c4ac0189935de6598e7dab447a2660d7bd10b
Instruction Fuzzy Hash: 9E41B434600611AFE720AF24D88AF297BE5BF89718F548448F51A9F7D3D772ED418BA0

Function 0055B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aedc1fb6267103ee4a2b0cf39aa3224d4a781b1e2efc7cff03198c528e1fe11
Instruction ID: 9db650caca72d0cdaf99e4e3813a33cff9ba9315d2a53d256fde26a8ac868e92
Opcode Fuzzy Hash: 8aedc1fb6267103ee4a2b0cf39aa3224d4a781b1e2efc7cff03198c528e1fe11
Instruction Fuzzy Hash: ED410775A00704AFE7249F78CC59BAA7FAAFBC8711F10452BF901DB281E77199058780

Function 005956D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00595783
GetLastError.KERNEL32(?,00000000), ref: 005957A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 005957CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 005957FA

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: b9baac6a3ba3d4eb0dc934191f4e72b725402c91d0798119a4240c97db25431f
Instruction ID: 5f14a3cbc2852f20eca892a7d25bdc3e008f203e343622aee919c954481680fa
Opcode Fuzzy Hash: b9baac6a3ba3d4eb0dc934191f4e72b725402c91d0798119a4240c97db25431f
Instruction Fuzzy Hash: AF411C39600611DFCB11EF55D548A1EBFE1FF89320B188488E84A6B3A2DB30FD00CB91

Function 0055D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00546D71,00000000,00000000,005482D9,?,005482D9,?,00000001,00546D71,?,00000001,005482D9,005482D9), ref: 0055D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0055D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0055D9AB
__freea.LIBCMT ref: 0055D9B4

Part of subcall function 00553820: RtlAllocateHeap.NTDLL(00000000,?,005F1444,?,0053FDF5,?,?,0052A976,00000010,005F1440,005213FC,?,005213C6,?,00521129), ref: 00553852

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 0308b67b35c096d27d8ba1cce6a7f5bf52c648071c79f1977c7daaacaf1bb45e
Instruction ID: f26527fd1a588a6769a88cd88403c89d82fbe441c389b8c10b8baf62d6d1515a
Opcode Fuzzy Hash: 0308b67b35c096d27d8ba1cce6a7f5bf52c648071c79f1977c7daaacaf1bb45e
Instruction Fuzzy Hash: DF31BC72A0020AABDB24DF64DC95EAE7FB5FB41351B05026AFC04A6251EB35DD58CBA0

Function 0058AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 0058ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0058AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0058AC74
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 0058ACC6

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: f46ba1a21ced70dfa44a91e48f51e295efb3dcd51fd1478e59d9951bc326cf5c
Instruction ID: 470d18eda989b9db7ccfc0e3223e1844d0a8f85374503d997c6741129e971b54
Opcode Fuzzy Hash: f46ba1a21ced70dfa44a91e48f51e295efb3dcd51fd1478e59d9951bc326cf5c
Instruction Fuzzy Hash: 63311470A00618AFFF35AB698809BFA7FA5BB89310F08471BF881B61D0C3759D859752

Function 005B16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 005B16EB

Part of subcall function 00583A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00583A57
Part of subcall function 00583A3D: GetCurrentThreadId.KERNEL32 ref: 00583A5E
Part of subcall function 00583A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005825B3), ref: 00583A65

GetCaretPos.USER32(?), ref: 005B16FF
ClientToScreen.USER32(00000000,?), ref: 005B174C
GetForegroundWindow.USER32 ref: 005B1752

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: ff5cbc3bdcda0fa86abbe1d8eeb84543a67a58835900633c50bfad29b036f802
Instruction ID: ebdf57608f9a03d11fe48db87f89cea7eda7fa886c570599d32f01c18ff3a543
Opcode Fuzzy Hash: ff5cbc3bdcda0fa86abbe1d8eeb84543a67a58835900633c50bfad29b036f802
Instruction Fuzzy Hash: 8C315071D00159AFCB00EFA5D885CAEBBF9FF89304B504069E415E7251DA31AE45CBA0

Function 0058D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0058D501
Process32FirstW.KERNEL32(00000000,?), ref: 0058D50F
Process32NextW.KERNEL32(00000000,?), ref: 0058D52F
CloseHandle.KERNEL32(00000000), ref: 0058D5DC

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 4e261a6dd552cf6a98b4319139e46a8803d0c14d1d3af5e197864be281c9b436
Instruction ID: 07342de9e84458bec6e20c4bcd814e19ccd2caa847fcf0d57b5d859a98a22342
Opcode Fuzzy Hash: 4e261a6dd552cf6a98b4319139e46a8803d0c14d1d3af5e197864be281c9b436
Instruction Fuzzy Hash: 07316D711082019FD301EF54D885AAABFF8BFDA354F14092DF581961E1EB71A948CBA2

Function 0058D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,005BCB68), ref: 0058D2FB
GetLastError.KERNEL32 ref: 0058D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0058D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,005BCB68), ref: 0058D376

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 69cc2ea6c869c30918328498896cdb11f46a1e8289e89329c4dd89878e3b9613
Instruction ID: 6051af092c556d9854742542dbbf1017005d9a15e92af127aa98045a879f996f
Opcode Fuzzy Hash: 69cc2ea6c869c30918328498896cdb11f46a1e8289e89329c4dd89878e3b9613
Instruction Fuzzy Hash: 01217E745042029F8700EF28D8854AABFE4BE9A324F504E19F899D72E1DB309949CBA3

Function 00581571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00581014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0058102A
Part of subcall function 00581014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00581036
Part of subcall function 00581014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00581045
Part of subcall function 00581014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0058104C
Part of subcall function 00581014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00581062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 005815BE
_memcmp.LIBVCRUNTIME ref: 005815E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00581617
HeapFree.KERNEL32(00000000), ref: 0058161E

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 076b1eba76998cbd55829fb83bc9f46ea7c14b697ae485cb31c0b73a2f6f3339
Instruction ID: bc689f087440cba1358579d4e96600f147953f2d9d2c4fbc8a5b512fcbd3a4e8
Opcode Fuzzy Hash: 076b1eba76998cbd55829fb83bc9f46ea7c14b697ae485cb31c0b73a2f6f3339
Instruction Fuzzy Hash: 52215A71E00509AFDF10EFA5C949BEEBBB8FF84344F084459E841BB241E730AA06DB64

Function 005B2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 005B280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 005B2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 005B2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 005B2840

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: a77f5351af7d5f5729a8fd65b1082c35e0baa969e38f5cfcbe7ddf362e32622a
Instruction ID: e21558e735d3bcc97bfb2e9fbed19d3c85c59e43aa18e9cbddb9e5b6e6f85844
Opcode Fuzzy Hash: a77f5351af7d5f5729a8fd65b1082c35e0baa969e38f5cfcbe7ddf362e32622a
Instruction Fuzzy Hash: 3421A131204611AFD7149B24C845FAA7F99FF85324F148258F4268B6E2CB71FC42CBE4

Function 005878F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00588D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0058790A,?,000000FF,?,00588754,00000000,?,0000001C,?,?), ref: 00588D8C
Part of subcall function 00588D7D: lstrcpyW.KERNEL32(00000000,?,?,0058790A,?,000000FF,?,00588754,00000000,?,0000001C,?,?,00000000), ref: 00588DB2
Part of subcall function 00588D7D: lstrcmpiW.KERNEL32(00000000,?,0058790A,?,000000FF,?,00588754,00000000,?,0000001C,?,?), ref: 00588DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00588754,00000000,?,0000001C,?,?,00000000), ref: 00587923
lstrcpyW.KERNEL32(00000000,?,?,00588754,00000000,?,0000001C,?,?,00000000), ref: 00587949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00588754,00000000,?,0000001C,?,?,00000000), ref: 00587984

Strings

cdecl, xrefs: 0058797B

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: b46d1ae7fa18d00ceeb5336b3b59db7d2e2ce5433bc78e0475829a98fd5505b2
Instruction ID: b94bb042359ae1b5a094ce235567cbba2bd362be11a5fe3fec1ea4627e5627dc
Opcode Fuzzy Hash: b46d1ae7fa18d00ceeb5336b3b59db7d2e2ce5433bc78e0475829a98fd5505b2
Instruction Fuzzy Hash: C011293A200306ABCB15AF39C848D7A7BA9FF99390B50402AFC42DB264EF31D801D791

Function 005B7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 005B7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 005B7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 005B7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0059B7AD,00000000), ref: 005B7D6B

Part of subcall function 00539BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00539BB2

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 9cd9f3630210aa59ebeab89fa15a66f3dd74fc7db853b345052b4e23bf1b840e
Instruction ID: 0a88e20988bd264c36220ea13ddee9fdbe5607dc542e0d992f9820b952f969c1
Opcode Fuzzy Hash: 9cd9f3630210aa59ebeab89fa15a66f3dd74fc7db853b345052b4e23bf1b840e
Instruction Fuzzy Hash: 7C116031605619AFCB109F28CC04AB63FA5BF893A0B254764F839D72F0D731AD55DB94

Function 005B5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 005B56BB
_wcslen.LIBCMT ref: 005B56CD
_wcslen.LIBCMT ref: 005B56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 005B5816

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 65f3da220eec0082f8ad3110bc535f7674b21cd0373642890e7bbf2dc4041ce9
Instruction ID: 7866920e8b3f5b6ea17e027210c6ac435304353a35b465caf6b18d935ef7ac2d
Opcode Fuzzy Hash: 65f3da220eec0082f8ad3110bc535f7674b21cd0373642890e7bbf2dc4041ce9
Instruction Fuzzy Hash: D911E131A00609AADF249F658C85BEE3FACFF50764F104426F905D6081FB70AA84CB64

Function 00551D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bc51d394ffed9ccf097d49e2c1df317805910f1f16dbddbe1409515ad43f91f
Instruction ID: 29ca9bc05d6647b79fd02b7db44108f3fc54d5e61885f6e2927803a12a85c63e
Opcode Fuzzy Hash: 1bc51d394ffed9ccf097d49e2c1df317805910f1f16dbddbe1409515ad43f91f
Instruction Fuzzy Hash: 170171B2205A167EE61116786CE4F676E2CFF913BAB340726F921A12D2DA609C489164

Function 00581A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00581A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00581A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00581A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00581A8A

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 130140a0510f1ddb25adc30f22dff8df5712c7c6cf0b6af43b3812ebad0ea197
Instruction ID: b19d8209b31d60ae6d1f527d556fdb29f188cd118d2614df905d58e164c695a6
Opcode Fuzzy Hash: 130140a0510f1ddb25adc30f22dff8df5712c7c6cf0b6af43b3812ebad0ea197
Instruction Fuzzy Hash: CF11393AD01219FFEB10EBA4CD85FADBB78FB08750F200091EA11B7290D6716E51DB98

Function 0058E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0058E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0058E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0058E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0058E24D

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: ba80f16a2ca0ce1d1871058abba3593567a3975f8eb0ffea47436b0fe6b4c81d
Instruction ID: d3b42e438fb06b96eef11cf64634fcd15e76dd6b6c1101a02648ff236758ac94
Opcode Fuzzy Hash: ba80f16a2ca0ce1d1871058abba3593567a3975f8eb0ffea47436b0fe6b4c81d
Instruction Fuzzy Hash: C7110876904214BBC701AFA89C0AAAE7FBEAB55310F004725F816F3290D6B49908D7A4

Function 0054D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0054CFF9,00000000,00000004,00000000), ref: 0054D218
GetLastError.KERNEL32 ref: 0054D224
__dosmaperr.LIBCMT ref: 0054D22B
ResumeThread.KERNEL32(00000000), ref: 0054D249

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 000ae0307212258ca09213c1286c3369ad5b09fedc2d69e506940121202ab1a0
Instruction ID: d8496ad14d21c4e9e2362f662e95f36150928e5f761267834371805b07735394
Opcode Fuzzy Hash: 000ae0307212258ca09213c1286c3369ad5b09fedc2d69e506940121202ab1a0
Instruction Fuzzy Hash: F201C03A809215BBCB115BA9DC09AEA7EB9FFC1339F100219F925921D0DBB08905D7B0

Function 005B9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00539BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00539BB2

GetClientRect.USER32(?,?), ref: 005B9F31
GetCursorPos.USER32(?), ref: 005B9F3B
ScreenToClient.USER32(?,?), ref: 005B9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 005B9F7A

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 9d08e8d1d852d42258e96fb2e3741c5167075ad2d156c3327d829c49c4a95303
Instruction ID: e01b06dcaa977f081f8dacbf959f7f4e259fc460b373267c5182d3549a585118
Opcode Fuzzy Hash: 9d08e8d1d852d42258e96fb2e3741c5167075ad2d156c3327d829c49c4a95303
Instruction Fuzzy Hash: F911483290011AEBDB11DFA8C8899FE7BB8FB46321F000555FA01E3150D730BA85DBA5

Function 0052600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0052604C
GetStockObject.GDI32(00000011), ref: 00526060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0052606A

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 21e1d1ad9c3706c2d040196288146568817f9489683c6cf35620b12da1f6162c
Instruction ID: b051cdd79701e89a64fb784602e5b39a41042ca31ed4c0075fc08850820bc686
Opcode Fuzzy Hash: 21e1d1ad9c3706c2d040196288146568817f9489683c6cf35620b12da1f6162c
Instruction Fuzzy Hash: 0E118B72501518BFEF124FA4AC48EEABF69FF1A3A4F000205FA0556150C732AC60EBA1

Function 00543B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00543B56

Part of subcall function 00543AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00543AD2
Part of subcall function 00543AA3: ___AdjustPointer.LIBCMT ref: 00543AED

_UnwindNestedFrames.LIBCMT ref: 00543B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00543B7C
CallCatchBlock.LIBVCRUNTIME ref: 00543BA4

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 144a6efec006dc977908915cb384831e0df3a871bf6049d6420352e5f0614b88
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 8401E932100149BBDF126E95CC4AEEB7F69FF98758F044114FE4896121C732E961DBA0

Function 00553073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,005213C6,00000000,00000000,?,0055301A,005213C6,00000000,00000000,00000000,?,0055328B,00000006,FlsSetValue), ref: 005530A5
GetLastError.KERNEL32(?,0055301A,005213C6,00000000,00000000,00000000,?,0055328B,00000006,FlsSetValue,005C2290,FlsSetValue,00000000,00000364,?,00552E46), ref: 005530B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0055301A,005213C6,00000000,00000000,00000000,?,0055328B,00000006,FlsSetValue,005C2290,FlsSetValue,00000000), ref: 005530BF

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: ad1bf4b7453b17e06f9db8837bcba93ef45b301b2525eee0228a3fbe381f5fff
Instruction ID: e5ea390ef52b07a91882f6ac11ae3067e0a6bb0893e80da2cc4cae45db6faacd
Opcode Fuzzy Hash: ad1bf4b7453b17e06f9db8837bcba93ef45b301b2525eee0228a3fbe381f5fff
Instruction Fuzzy Hash: 3301D436301722ABCB614A789C58967BF98BF55BE2B100B22FD09E71E0D721DD0DD6E0

Function 00587464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0058747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00587497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 005874AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 005874CA

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 1b458f63056bca7a7658d6ad036bc5aae7622abb6d7d0108e27357f4ee20b15f
Instruction ID: 62158eb802d6041c249a4d24ad2be8e67ddeb9436dc3660173a6b240c76f4111
Opcode Fuzzy Hash: 1b458f63056bca7a7658d6ad036bc5aae7622abb6d7d0108e27357f4ee20b15f
Instruction Fuzzy Hash: AB11C4B12053189FEB209F54DC08F927FFCFB04B10F208569AA66E6161D770F908EB60

Function 0058B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0058ACD3,?,00008000), ref: 0058B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0058ACD3,?,00008000), ref: 0058B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0058ACD3,?,00008000), ref: 0058B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0058ACD3,?,00008000), ref: 0058B126

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: cd636a8ddde70ac58897f80c4d0fd0c98bc0b9868dab65ae63da1c39e79af204
Instruction ID: c8c858d5b26735f86971c0b9f9550e49f3ff11900707d86896db8b34f190d49f
Opcode Fuzzy Hash: cd636a8ddde70ac58897f80c4d0fd0c98bc0b9868dab65ae63da1c39e79af204
Instruction Fuzzy Hash: CF117930C00528E7EF04EFA8E99C6EEBF78FF59311F004586D981B6181CB306654DB55

Function 005B7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 005B7E33
ScreenToClient.USER32(?,?), ref: 005B7E4B
ScreenToClient.USER32(?,?), ref: 005B7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 005B7E8A

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 4d5580003258c775b26acc688ab637dd3da4d38cd7d4f0c3251d205abe2c4e1c
Instruction ID: 46c25e043da7f79715060f52293eb4e94ade4c85f98bb24cd36aebaf06522999
Opcode Fuzzy Hash: 4d5580003258c775b26acc688ab637dd3da4d38cd7d4f0c3251d205abe2c4e1c
Instruction Fuzzy Hash: A71143B9D0020AAFDB41CFA8C8849EEBBF9FF18310F505166E915E2210D735AA54DF94

Function 00582DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00582DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00582DD6
GetCurrentThreadId.KERNEL32 ref: 00582DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00582DE4

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 610e9d5bd1a8415c6ae9c10e92a864978c0bbe6b90b0792d0757c6482233f763
Instruction ID: a1b1eae75bc9a6820b0dde737c7432729bf4f077eea18ac5af7a848c73ea8a6a
Opcode Fuzzy Hash: 610e9d5bd1a8415c6ae9c10e92a864978c0bbe6b90b0792d0757c6482233f763
Instruction Fuzzy Hash: 17E092B25022247BD7602B769C0DFFB3F6CFF62BA1F000215F905E10809AA0D845D7B0

Function 005B8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00539639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00539693
Part of subcall function 00539639: SelectObject.GDI32(?,00000000), ref: 005396A2
Part of subcall function 00539639: BeginPath.GDI32(?), ref: 005396B9
Part of subcall function 00539639: SelectObject.GDI32(?,00000000), ref: 005396E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 005B8887
LineTo.GDI32(?,?,?), ref: 005B8894
EndPath.GDI32(?), ref: 005B88A4
StrokePath.GDI32(?), ref: 005B88B2

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: bf65a21970f94adeb192a469679c77a873eb5183740af14b2cfb4debeb6df119
Instruction ID: 019d2ca44cb0ce25c9f3cddfcea904e3572c484d54d6a4ff7b1d88d9a1a74301
Opcode Fuzzy Hash: bf65a21970f94adeb192a469679c77a873eb5183740af14b2cfb4debeb6df119
Instruction Fuzzy Hash: 9BF05E36041659FBDB126F94AC0EFDE3F59AF26310F048100FA11650E1C7B96515EFE9

Function 005398B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 005398CC
SetTextColor.GDI32(?,?), ref: 005398D6
SetBkMode.GDI32(?,00000001), ref: 005398E9
GetStockObject.GDI32(00000005), ref: 005398F1

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 6e5124c13ffcdcdd9519c6832becdd6f7153cb1274dd66ff4ddb50f14ea51bf3
Instruction ID: 725bcd7eb6a4aea79264f85c1017a278e9001ba3cfcb805535b0583c98321d59
Opcode Fuzzy Hash: 6e5124c13ffcdcdd9519c6832becdd6f7153cb1274dd66ff4ddb50f14ea51bf3
Instruction Fuzzy Hash: B9E06D32244284AADB615B78BC09BE83F21BB26336F14C319F6FA680E1C3715644EB20

Function 0058162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00581634
OpenThreadToken.ADVAPI32(00000000,?,?,?,005811D9), ref: 0058163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,005811D9), ref: 00581648
OpenProcessToken.ADVAPI32(00000000,?,?,?,005811D9), ref: 0058164F

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 07cb4b4ce0d961970178a18c136d2a2997902aec4e608d759b204404ca934286
Instruction ID: a96d2d985290ab13dac3ce03779af06bbe16ea99589f3d9874ea157b91aacbc9
Opcode Fuzzy Hash: 07cb4b4ce0d961970178a18c136d2a2997902aec4e608d759b204404ca934286
Instruction Fuzzy Hash: 7AE08631601211DBD7602FA19D0DB8A3F7CBF64791F184918F685D9080E6345449D768

Function 0057D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0057D858
GetDC.USER32(00000000), ref: 0057D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0057D882
ReleaseDC.USER32(?), ref: 0057D8A3

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: c3ed26e31567f38d26f030438bb7094e5ca8833dac8e735c485d53b3d0de21e7
Instruction ID: f1cece627e1137ffc9dd21bc447471fbd1ecc79bad5080da5150b9f2770668e3
Opcode Fuzzy Hash: c3ed26e31567f38d26f030438bb7094e5ca8833dac8e735c485d53b3d0de21e7
Instruction Fuzzy Hash: 06E0E5B4800205DFCB81AFA8A90CA6DBFB1BB58310F108509E806A7250C7386905AF54

Function 0057D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0057D86C
GetDC.USER32(00000000), ref: 0057D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0057D882
ReleaseDC.USER32(?), ref: 0057D8A3

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 6b6083eac51c024476abebf490c959af5c9a83a1d7545aab6ebf752fe544bc69
Instruction ID: d4a553bf5db32505d08a5b7a894a3161a38df3ec06df7d7b6d95bf7b7980ca9f
Opcode Fuzzy Hash: 6b6083eac51c024476abebf490c959af5c9a83a1d7545aab6ebf752fe544bc69
Instruction Fuzzy Hash: FBE012B4C00204EFCB80AFA8E80CA6DBFB1BB58310F108508E80AE7350CB386909AF54

Function 00594D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00527620: _wcslen.LIBCMT ref: 00527625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00594ED4

Strings

*, xrefs: 00594E10
LPT, xrefs: 00594DFB

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 17c792b7cac02d5df6dfdd79ef4d3e3b44afa7e7ace6a0d3520412e4ba9b92b1
Instruction ID: e7f007e1b34ab0d47a999e6771b073b6305dfd6e9f13fc4f953be0c84551bb10
Opcode Fuzzy Hash: 17c792b7cac02d5df6dfdd79ef4d3e3b44afa7e7ace6a0d3520412e4ba9b92b1
Instruction Fuzzy Hash: DE913A75A002559FCB14DF58C484EAABFB5BF49304F188099E80A9B7A2D731ED86CF91

Function 005A7771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0057569E,00000000,?,005BCC08,?,00000000,00000000), ref: 005A78DD

Part of subcall function 00526B57: _wcslen.LIBCMT ref: 00526B6A

CharUpperBuffW.USER32(0057569E,00000000,?,005BCC08,00000000,?,00000000,00000000), ref: 005A783B

Strings

<s^, xrefs: 005A77C8

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s^
API String ID: 3544283678-1525781280
Opcode ID: 2fc46e5429387996ecb239aff0f6678afe22506d5d824ba120448fae2bb86477
Instruction ID: 88cfcfca66ab7513ad47475624646857fe2dbf55692d3d2dc8afd3c821f63875
Opcode Fuzzy Hash: 2fc46e5429387996ecb239aff0f6678afe22506d5d824ba120448fae2bb86477
Instruction Fuzzy Hash: 79615E3291412EABCF04EBA4DC95DFEBF78BF6A700F544526E542A3091EB345A45CBA0

Function 0053E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0053E1B1

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 4bf42be0511bd574e66aadc9766744e51fa677a5432df03a78b8e52011fac46b
Instruction ID: 154474c76fb8d1bf52efd4a826985ef1a659455035508c4d57acc315b7ad8aa5
Opcode Fuzzy Hash: 4bf42be0511bd574e66aadc9766744e51fa677a5432df03a78b8e52011fac46b
Instruction Fuzzy Hash: F2514339500386DFDB19DF68E086ABA7FA8FF5A310F248095F8959B2C0D7309D42DB90

Function 0053F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0053F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0053F2BB

Strings

@, xrefs: 0053F2AF

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 2be13205d51a1ee20f3cd48184dfd5aaf8b74a0f9600fddd80f9d29686bd4202
Instruction ID: 9228831db9e5efbd82276a628bdd708e4b2251f70994de16d09f9179e041f780
Opcode Fuzzy Hash: 2be13205d51a1ee20f3cd48184dfd5aaf8b74a0f9600fddd80f9d29686bd4202
Instruction Fuzzy Hash: 795127714087499BD320AF50E88ABAFBBF8FFD9300F81885DF1D941195EB709529CB66

Function 005A5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 005A57E0
_wcslen.LIBCMT ref: 005A57EC

Strings

CALLARGARRAY, xrefs: 005A57E6, 005A57EB

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 9b898c0910b5fb0e9ebf499fa8acd02d24a0910368aaa14b64b9b43ab9564d1b
Instruction ID: 6065a33508039df996becd1df711bb9d0006f58798f194ec356a6846e10bd908
Opcode Fuzzy Hash: 9b898c0910b5fb0e9ebf499fa8acd02d24a0910368aaa14b64b9b43ab9564d1b
Instruction Fuzzy Hash: 9F418F31E0020A9FCB14DFA9C885DAEBFF5FF9A314F244069E505A7291E7349D81CBA0

Function 0059D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0059D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0059D13A

Strings

|, xrefs: 0059D10B

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: c6e1474492a25c25eb089f117d993fe5a46d2b3d055cf45bc53106d0f5566b07
Instruction ID: 8c424b6503b2e890045bb87b9dff96a8161a0a638267a0ec9286642470217192
Opcode Fuzzy Hash: c6e1474492a25c25eb089f117d993fe5a46d2b3d055cf45bc53106d0f5566b07
Instruction Fuzzy Hash: 13313071D0111AABCF15EFA4DC89AEFBFB9FF45300F100019F815A6161D731A946DB60

Function 005B356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 005B3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 005B365C

Strings

static, xrefs: 005B35BC

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: bebdc18f35794ee17be04c078f370c2d0a0cfa8b59868d412a5202484f299f77
Instruction ID: 0d90e2092b92e6278159e2ee684700da5233db9403619a4d61d58ccd94a9b8e1
Opcode Fuzzy Hash: bebdc18f35794ee17be04c078f370c2d0a0cfa8b59868d412a5202484f299f77
Instruction Fuzzy Hash: CD319E71110604AEDB24DF28DC84EFB7BA9FF98720F009619F8A5D7280DA30AD81D764

Function 005397C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 00539BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00539BB2

Part of subcall function 00539944: GetWindowLongW.USER32(?,000000EB), ref: 00539952

GetParent.USER32(?), ref: 005773A3
DefDlgProcW.USER32(?,00000133,?,?,?,?), ref: 0057742D

Strings

(_, xrefs: 0053980F, 005773D2, 005773F9

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: LongWindow$ParentProc
String ID: (_
API String ID: 2181805148-3503187703
Opcode ID: c5a5aebc5ad4830da593b0f92667a945418681a5c584da7ba788113db00d6915
Instruction ID: 71cd09a51a55d02a815ab43f7143823407a2290b0f24b69d9319f860acd529ef
Opcode Fuzzy Hash: c5a5aebc5ad4830da593b0f92667a945418681a5c584da7ba788113db00d6915
Instruction Fuzzy Hash: 6621DB70600108AFCB259F28EC48DB97FA2FF8A370F148655F9694B2E1C3B09D11EA40

Function 005B31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 005B327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005B3287

Strings

Combobox, xrefs: 005B3249

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: e62ee4ed5d0ad3b5da12d19f82cc53b23a5276f87de78c6ed6132caf6137420e
Instruction ID: 2d5915303156733efeb15e920e8f55f0a5e8f8404e45220c363254bf11d5099a
Opcode Fuzzy Hash: e62ee4ed5d0ad3b5da12d19f82cc53b23a5276f87de78c6ed6132caf6137420e
Instruction Fuzzy Hash: 6711E2753002087FEF219E94DC85EFB7F6AFB983A4F100228F918AB290D631AD519760

Function 005B32A6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

CreatePopupMenu.USER32 ref: 005B32C7
CreatePopupMenu.USER32 ref: 005B3339

Strings

(_, xrefs: 005B3313, 005B334B

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: CreateMenuPopup
String ID: (_
API String ID: 3826294624-3503187703
Opcode ID: f22c9f1eb9846ac1b096cd2f1a5b5f437bc712f4950d90748c4e3d1f0c52c777
Instruction ID: ba97a31de1089e2f5e1fb41aa832ec2b1c876b0ddc2aea5f2fc45427a30731b5
Opcode Fuzzy Hash: f22c9f1eb9846ac1b096cd2f1a5b5f437bc712f4950d90748c4e3d1f0c52c777
Instruction Fuzzy Hash: A5216038604614EFCB10CF29C545BD6BBE5FB0A364F04806AE899AB351D731BD06DF55

Function 005B3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0052600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0052604C
Part of subcall function 0052600E: GetStockObject.GDI32(00000011), ref: 00526060
Part of subcall function 0052600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0052606A

GetWindowRect.USER32(00000000,?), ref: 005B377A
GetSysColor.USER32(00000012), ref: 005B3794

Strings

static, xrefs: 005B3757

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 9324667d1328e325dceba7aae4ee5e5e32b1e87f70847460d9a87c1da0b61632
Instruction ID: 9bcd14b39550345c335969b16ed5629bc5fe05b010a2754f1096ef2b3bec5035
Opcode Fuzzy Hash: 9324667d1328e325dceba7aae4ee5e5e32b1e87f70847460d9a87c1da0b61632
Instruction Fuzzy Hash: BF1129B261020AAFDB00DFA8CC45EFA7BB8FB08354F004A14F955E2250EB35E955DB60

Function 005B6181 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 005B61FC
SendMessageW.USER32(?,00000194,00000000,00000000), ref: 005B6225

Strings

(_, xrefs: 005B61A2

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: MessageSend
String ID: (_
API String ID: 3850602802-3503187703
Opcode ID: 7e7a4096dd0a5e9bc7ba657d99412002fc5585d088d99f71702767893a230482
Instruction ID: 4af1d345205be4e057ce79d6e9676aa7fbb6d9ea441fd2615d922aacd3520cdd
Opcode Fuzzy Hash: 7e7a4096dd0a5e9bc7ba657d99412002fc5585d088d99f71702767893a230482
Instruction Fuzzy Hash: 06118E3A140214BEFF158F68DD19FF97FA4FB09310F004115FA169A1D1D2B8FA00EA50

Function 0059CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0059CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0059CDA6

Strings

<local>, xrefs: 0059CD66

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: fd349addbef8db6bc16e02884009c2f20530c78bbee0eb44006ce49e2cca10da
Instruction ID: 79cfb422a44a564fe47d8178e5d599375828c72f9b5010a24dc0895b4cbbb9cb
Opcode Fuzzy Hash: fd349addbef8db6bc16e02884009c2f20530c78bbee0eb44006ce49e2cca10da
Instruction Fuzzy Hash: 5311C2B1205771BADB384B668C49EE7BEACFF227A4F00462AB10983180D7749844D6F0

Function 005B3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 005B34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 005B34BA

Strings

edit, xrefs: 005B348F

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 88914cc8d160de719ee3b1181f90c3e8281cb1d9b6062318618ba461749fc229
Instruction ID: ce79d942d23a15f59e0565ac3bf8c79f544617b29de5836f3a2eea194695a2ff
Opcode Fuzzy Hash: 88914cc8d160de719ee3b1181f90c3e8281cb1d9b6062318618ba461749fc229
Instruction Fuzzy Hash: 44115871100208AAEF228E689C48AEA3F6AFB55374F504724F961A71E0C671EC55AB64

Function 005B4F80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 005B4FCC

Strings

(_, xrefs: 005B4FA1

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: MessageSend
String ID: (_
API String ID: 3850602802-3503187703
Opcode ID: a02d0224556ee858a7e1a6cb3fc485bfe4ac79c73a492fa0bb2ba541c1fda6b3
Instruction ID: 065c8e4512e07d5ebb003c3da22d6cf47fb3f0ad2c13ac01975e3f6baa045879
Opcode Fuzzy Hash: a02d0224556ee858a7e1a6cb3fc485bfe4ac79c73a492fa0bb2ba541c1fda6b3
Instruction Fuzzy Hash: CE21D07AA0011AEFCB15DFA8C9449EA7BBAFB4D340B104554FA05A7320D631E921EBA0

Function 00586C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00529CB3: _wcslen.LIBCMT ref: 00529CBD

CharUpperBuffW.USER32(?,?,?), ref: 00586CB6
_wcslen.LIBCMT ref: 00586CC2

Strings

STOP, xrefs: 00586CBC, 00586CC1

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: e6e81ae56fbac6ad8665dffefaeb747b13750f56cd96dcd03b16cc27eb4ea6de
Instruction ID: 1d1caa929ce9ce40949144d2057b8b9e8af671611f330bffe211b486afdb6121
Opcode Fuzzy Hash: e6e81ae56fbac6ad8665dffefaeb747b13750f56cd96dcd03b16cc27eb4ea6de
Instruction Fuzzy Hash: BE01AD32A105278B8B21BEBDDC859BF7FA5BFA1714B500928EC62A6290EA31DD008750

Function 005390DF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

(_, xrefs: 00577077, 0057709D

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID:
String ID: (_
API String ID: 0-3503187703
Opcode ID: bdfb7f99507bb62861e3f3d6f6de5db4c1e731298731a3d66282d3fbd3efc72d
Instruction ID: 178de53315a3c5b8298106396439120a19f054a692d8f2d9dcaedc98ff2893c1
Opcode Fuzzy Hash: bdfb7f99507bb62861e3f3d6f6de5db4c1e731298731a3d66282d3fbd3efc72d
Instruction Fuzzy Hash: F01130346046049FCB20DF18E854EA57BE6FB99320F148259F9699B2A0C7B1E945DF90

Function 00581CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00529CB3: _wcslen.LIBCMT ref: 00529CBD

Part of subcall function 00583CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00583CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00581D4C

Strings

ComboBox, xrefs: 00581CEB
ListBox, xrefs: 00581D16

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 5dac1101a122c2238133b5ef460eacad987cc8d8a74b440fdd15dcb1a9512e06
Instruction ID: 211d10ab6667e09db949635ff7a1f74e0939be21b1f2018130efc7c9858dda4a
Opcode Fuzzy Hash: 5dac1101a122c2238133b5ef460eacad987cc8d8a74b440fdd15dcb1a9512e06
Instruction Fuzzy Hash: F601B575601629ABCB08FBA4DC55DFE7F6CFF96350F040A19AC62773C1EA3059098760

Function 00581BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00529CB3: _wcslen.LIBCMT ref: 00529CBD

Part of subcall function 00583CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00583CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00581C46

Strings

ComboBox, xrefs: 00581BE5
ListBox, xrefs: 00581C10

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 8e4acb010ac2a82de608e8b24fc2441d4cadca574510a0cd8f11c0e4ac93a62c
Instruction ID: ab23cf887edc7a717ce43e6570cd360883d267ae3189e47a39cefab7a4f41357
Opcode Fuzzy Hash: 8e4acb010ac2a82de608e8b24fc2441d4cadca574510a0cd8f11c0e4ac93a62c
Instruction Fuzzy Hash: 2301A775B8111967CB08FB90D959DFF7FACBF56340F140029AC06772C1EA209E0987B5

Function 00581C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00529CB3: _wcslen.LIBCMT ref: 00529CBD

Part of subcall function 00583CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00583CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00581CC8

Strings

ComboBox, xrefs: 00581C69
ListBox, xrefs: 00581C94

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 6a7689d0af018d5aeace62d41f72088b99ce6f29367e086da389fd4bde9a443b
Instruction ID: c28d64a95b5ed80c94a9cf5626d67727f2096edb80d4bf848b30abd0b1b4c920
Opcode Fuzzy Hash: 6a7689d0af018d5aeace62d41f72088b99ce6f29367e086da389fd4bde9a443b
Instruction Fuzzy Hash: 1C01ADB5B8012967CB04FBA5DA16AFE7FACBF52380F140025BC02772C1EA609F098775

Function 0053A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0053A529

Part of subcall function 00529CB3: _wcslen.LIBCMT ref: 00529CBD

Strings

,%_, xrefs: 0053A509
3yW, xrefs: 0053A545, 0053A54D, 0053A552

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%_$3yW
API String ID: 2551934079-2061247809
Opcode ID: 8f59172dedee50b6f0a5fdb0482be6844d75160909b677f7c8139c8d1967aa88
Instruction ID: 6dda7cc49a81c58f4136a2ee5e631a0345f0d6d3118cacc3de3fab8a82d17a3e
Opcode Fuzzy Hash: 8f59172dedee50b6f0a5fdb0482be6844d75160909b677f7c8139c8d1967aa88
Instruction Fuzzy Hash: 2C0126717016268BCE04F768EC1FAAD3F64BB86710F501428F6425B2C2EE64AD01CAA7

Function 00581D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00529CB3: _wcslen.LIBCMT ref: 00529CBD

Part of subcall function 00583CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00583CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00581DD3

Strings

ComboBox, xrefs: 00581D75
ListBox, xrefs: 00581DA0

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 624616ad03b7823ac664c0f063170890b04427fe0bf2d29b1a95135c9feb08ab
Instruction ID: 899f6ec828baf593ecda12e201828bcb003de1469a87150136ebda8861e3927b
Opcode Fuzzy Hash: 624616ad03b7823ac664c0f063170890b04427fe0bf2d29b1a95135c9feb08ab
Instruction Fuzzy Hash: 5EF0D1B1B4162967CB08BBA4DC56FFE7F6CBF42340F040925BC22772C1EA6059098364

Function 005B90A1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00539BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00539BB2

DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,0057769C,?,?,?), ref: 005B9111

Part of subcall function 00539944: GetWindowLongW.USER32(?,000000EB), ref: 00539952

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 005B90F7

Strings

(_, xrefs: 005B90D6

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: LongWindow$MessageProcSend
String ID: (_
API String ID: 982171247-3503187703
Opcode ID: 7136be1a0d5509041fd10f50e73ca4381c726ddbcc6485bfb865885ce2a71cd3
Instruction ID: 04623f6e2a8053df69057e326cdb03944833740289ea493e2fbf9e3e4a874240
Opcode Fuzzy Hash: 7136be1a0d5509041fd10f50e73ca4381c726ddbcc6485bfb865885ce2a71cd3
Instruction Fuzzy Hash: 5001BC31100219EBDB21AF18DC49FA63FA6FB95365F200528FA511A2E1CBB27815EB64

Function 005B8172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,005F3018,005F305C), ref: 005B81BF
CloseHandle.KERNEL32 ref: 005B81D1

Strings

\0_, xrefs: 005B818A

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0_
API String ID: 3712363035-3195368528
Opcode ID: 418e41443227a4b94de5ecd05e17b5d79694f01af60294271120cc37fffc4e59
Instruction ID: 48cdf59b6bea4366bd94ee0f176bf841c0d92124c1e3126d11aff4ec31a7749e
Opcode Fuzzy Hash: 418e41443227a4b94de5ecd05e17b5d79694f01af60294271120cc37fffc4e59
Instruction Fuzzy Hash: C7F054B1640314BAF3506B65AC4DFB73E9CEB14754F400422BB08D51A2DA799A04E3B8

Function 005A747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005A7493
_wcslen.LIBCMT ref: 005A74B9

Strings

3, 3, 16, 1, xrefs: 005A7483

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 17225793d47d5d5b5329e1ba97591e5d66bb53cceb0d0f55a6bcddc271d9814c
Instruction ID: cb2c3c93fa2ae0a3cbd3e1a43447d0380d510b7b4f71a5d81d1039204fe2ce3d
Opcode Fuzzy Hash: 17225793d47d5d5b5329e1ba97591e5d66bb53cceb0d0f55a6bcddc271d9814c
Instruction Fuzzy Hash: 0DE02B12254321109731127A9CC5ABF5F8DFFCE750710182BF981C2266EE948D92A3A0

Function 00580B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00580B23

Strings

AutoIt, xrefs: 00580B17
Error allocating memory., xrefs: 00580B1C

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 8cf053187667ff4a831912b80087d55869f93612e53fccff4e4b5d3a2d987ac5
Instruction ID: f1926225109bd97344892daa991b88e52e09ad574608d8a6000cd1b77d57c30c
Opcode Fuzzy Hash: 8cf053187667ff4a831912b80087d55869f93612e53fccff4e4b5d3a2d987ac5
Instruction Fuzzy Hash: 99E0483228435927D25436957C0BFC97F88FF45B55F10042AFB98995C38AE1745057AD

Function 00540D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0053F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00540D71,?,?,?,0052100A), ref: 0053F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0052100A), ref: 00540D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0052100A), ref: 00540D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00540D7F

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: ac6ef73ddda01a73652725faa3ba0154fab2bc0a849f2040c595e974e85d1e93
Instruction ID: 679c36e6e8f91874d72358bf22f4fd340180e6762c31833e3bc18dc923d09813
Opcode Fuzzy Hash: ac6ef73ddda01a73652725faa3ba0154fab2bc0a849f2040c595e974e85d1e93
Instruction Fuzzy Hash: 44E06D746007118BD7A09FB8E808796BFE4BF14748F104A2DE582C6691DBB5F4489BA1

Function 0053E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0053E3D5

Strings

8%_, xrefs: 0053E3CA
0%_, xrefs: 0053E3B5

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%_$8%_
API String ID: 1385522511-3458377328
Opcode ID: 006f57e015d23491d89a4b62df1aa25ee71b929a6ce0a75b87b3f1d67f24e18f
Instruction ID: 1cdb38b1b73f3a195c889a237753dc1d8925e3ae9075f95b66e5a1d710ea649d
Opcode Fuzzy Hash: 006f57e015d23491d89a4b62df1aa25ee71b929a6ce0a75b87b3f1d67f24e18f
Instruction Fuzzy Hash: A1E026B1484915CBC6049718F85AAA83BD3BB44320F202964E202CF1D19B383C49E644

Function 00593017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0059302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00593044

Strings

aut, xrefs: 00593038

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: b9b49d1bd36b8f7ee07a0ee45cf80b3b0e3acd270222351c272dd264a23e0745
Instruction ID: 07490903c561b8773ea497d0df2f5a71b4f9f95295514ce91bfc9f8ffda609c6
Opcode Fuzzy Hash: b9b49d1bd36b8f7ee07a0ee45cf80b3b0e3acd270222351c272dd264a23e0745
Instruction Fuzzy Hash: A7D05B7550031467DA6097959C0DFC77E6CD704750F0002E17795D2091DAB0A544CBD4

Function 0057D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0057D220

Strings

%.3d, xrefs: 0057D22B
X64, xrefs: 0057D2A8

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: fe2db2b5e1d5c35ef5aa2cbb9cd2ae82612decc52b44b1b3ae1815f883ab20b6
Instruction ID: de1d134c241f4339fc0bf225f37b094ed8452967ead0160a2d4cbfb7055e8351
Opcode Fuzzy Hash: fe2db2b5e1d5c35ef5aa2cbb9cd2ae82612decc52b44b1b3ae1815f883ab20b6
Instruction Fuzzy Hash: 42D012A9C08109EACBD096D0EC498BDBF7CBF58301F50CC52FD4AA1041E624D5097771

Function 005B2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005B236C
PostMessageW.USER32(00000000), ref: 005B2373

Part of subcall function 0058E97B: Sleep.KERNELBASE ref: 0058E9F3

Strings

Shell_TrayWnd, xrefs: 005B2365

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: f5c5c838a62ad88d55227ce94afd462a9d04956ae7b883a22ac7efa1e27f709a
Instruction ID: efc477f8e8a6d7f46556470ed25a778c12681965aff194e059f7a09690596006
Opcode Fuzzy Hash: f5c5c838a62ad88d55227ce94afd462a9d04956ae7b883a22ac7efa1e27f709a
Instruction Fuzzy Hash: B9D0C9323C13517AE6B8BB719C0FFD66E14AB65B50F004A16B685AA1D0D9E0B8458A58

Function 005B2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005B232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 005B233F

Part of subcall function 0058E97B: Sleep.KERNELBASE ref: 0058E9F3

Strings

Shell_TrayWnd, xrefs: 005B2325

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: d161c82888432e31737efde77f2fe080a3cc2c703b6e8a5f8c44c107ba27ebd3
Instruction ID: b7763acd550721bbfd867b6e4aa37ebe7d81d87742558aaa297a89a4a2046ecf
Opcode Fuzzy Hash: d161c82888432e31737efde77f2fe080a3cc2c703b6e8a5f8c44c107ba27ebd3
Instruction Fuzzy Hash: A4D0A932380300B6E2B8BB309C0FFD66E14AB20B00F000A02B685AA0D0C8E0B8048A08

Function 0055BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0055BE93
GetLastError.KERNEL32 ref: 0055BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0055BEFC

Memory Dump Source

Source File: 00000000.00000002.2127331085.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.2127283329.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127590452.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127756728.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127823164.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 74a14b0790ff8bd0742aa93972991e89cdf19dd5cc36060312de2cee6f44bd1e
Instruction ID: f6cc87253b7263c5646c4adb944c04176751fc7fdc0090e625f713b88aa19b0b
Opcode Fuzzy Hash: 74a14b0790ff8bd0742aa93972991e89cdf19dd5cc36060312de2cee6f44bd1e
Instruction Fuzzy Hash: 4841E734604206AFEF218F68CCADABA7FA8FF41312F14416AFD59571A1DB309D08DB60

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183

Source: global traffic	HTTP traffic detected: GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1Host: youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1Host: www.youtube.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=543619973&timestamp=1727886148823 HTTP/1.1Host: accounts.youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.134"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.134"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=518=gxjM_liNSBHx7urukYQZvBbgchk4hE3lpoGI_9HvFvtFNO8kgSCQG7EBfU2QNGcRYiABuixNMEx4jFO2J-OSfEnFqhCKbgn8us8pb2ztvJ9L1PWYJpKewjKFTkRCXr3s3ETEmLZyvgrzKJsRGuAbid-8Pg-XG5GOT_IR9Lh5ikzttpFbhg
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=UG1wZ2T6gmUyRvM&MD=UuCePC+o HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=UG1wZ2T6gmUyRvM&MD=UuCePC+o HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 100

Chrome Cache Entry: 101

Chrome Cache Entry: 87

Chrome Cache Entry: 88

Chrome Cache Entry: 89

Chrome Cache Entry: 90

Chrome Cache Entry: 91

Chrome Cache Entry: 92

Chrome Cache Entry: 93

Chrome Cache Entry: 94

Chrome Cache Entry: 95

Chrome Cache Entry: 96

Chrome Cache Entry: 97

Chrome Cache Entry: 98

Chrome Cache Entry: 99

Static File Info

General

File Icon

Windows Analysis Report
file.exe

Function 005242DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 005242A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00562BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 005AAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Function 00522CD4 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 53
windowregistryCOMMON

Function 0056065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 0052344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00522B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre