Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1524380
MD5:	ba024037d5ff82bc4506eb3ad4b4bb11
SHA1:	7f5f753d55c346bda9304c3803adab6d2e691bce
SHA256:	600b3835565b5740ced26e3d59b10fce5499c58733b295f6d2683e5166f9fa81
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of debugger detection

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 5552 cmdline: "C:\Users\user\Desktop\file.exe" MD5: BA024037D5FF82BC4506EB3AD4B4BB11)

taskkill.exe (PID: 432 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chrome.exe (PID: 5052 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 2296 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 --field-trial-handle=2248,i,505704173538351557,9079963475394017649,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7056 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5672 --field-trial-handle=2248,i,505704173538351557,9079963475394017649,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 2820 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 --field-trial-handle=2248,i,505704173538351557,9079963475394017649,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 5552	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

String found in binary or memory: _.fq(p)+"/familylink/privacy/notice/embedded?langCountry="+_.fq(p);break;case "PuZJUb":a+="https://www.youtube.com/t/terms?chromeless=1&hl="+_.fq(m);break;case "fxTQxb":a+="https://youtube.com/t/terms?gl="+_.fq(_.oq(c))+"&hl="+_.fq(d)+"&override_hl=1"+(f?"&linkless=1":"");break;case "prAmvd":a+="https://www.google.com/intl/"+_.fq(m)+"/chromebook/termsofservice.html?languageCode="+_.fq(d)+"&regionCode="+_.fq(c);break;case "NfnTze":a+="https://policies.google.com/privacy/google-partners"+(f?"/embedded": equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: accounts.youtube.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com

Source: unknown

HTTP traffic detected: POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveContent-Length: 519sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"Content-Type: application/x-www-form-urlencoded;charset=UTF-8sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"X-Goog-AuthUser: 0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*Origin: https://accounts.google.comX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: chromecache_95.6.dr	String found in binary or memory: https://accounts.google.com
Source: chromecache_95.6.dr	String found in binary or memory: https://accounts.google.com/TOS?loc=
Source: file.exe, 00000000.00000002.2107702915.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd
Source: chromecache_101.6.dr	String found in binary or memory: https://apis.google.com/js/api.js
Source: chromecache_95.6.dr	String found in binary or memory: https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage
Source: chromecache_95.6.dr	String found in binary or memory: https://families.google.com/intl/
Source: chromecache_101.6.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/drive_2020q4/v10/192px.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/gmail_2020q4/v10/web-48dp/logo_gmail_2020q4_color_2x_web_
Source: chromecache_101.6.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/maps/v7/192px.svg
Source: chromecache_95.6.dr	String found in binary or memory: https://g.co/recover
Source: chromecache_95.6.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_95.6.dr	String found in binary or memory: https://play.google.com/work/enroll?identifier=
Source: chromecache_95.6.dr	String found in binary or memory: https://play.google/intl/
Source: chromecache_95.6.dr	String found in binary or memory: https://policies.google.com/privacy
Source: chromecache_95.6.dr	String found in binary or memory: https://policies.google.com/privacy/additional
Source: chromecache_95.6.dr	String found in binary or memory: https://policies.google.com/privacy/google-partners
Source: chromecache_95.6.dr	String found in binary or memory: https://policies.google.com/technologies/cookies
Source: chromecache_95.6.dr	String found in binary or memory: https://policies.google.com/technologies/location-data
Source: chromecache_95.6.dr	String found in binary or memory: https://policies.google.com/terms
Source: chromecache_95.6.dr	String found in binary or memory: https://policies.google.com/terms/location
Source: chromecache_95.6.dr	String found in binary or memory: https://policies.google.com/terms/service-specific
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-email-pin.gif
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-password.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-or-voice-pin.gif
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-pin.gif
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-stop-go-landing-page_1x.png
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/animation/
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_device.png
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_pin.png
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync.png
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_1x.png
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_2x.png
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_darkmode_1x.png
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/continue_on_your_phone.png
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_phone_number_verification.png
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_silent_tap_yes_darkmode.gif
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes.gif
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes_darkmode.gif
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success_darkmode.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_dark_v2.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated_darkmode.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_v2.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_not_ready.png
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_1.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_dark_1.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_1.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_darkmode_1.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_1.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_darkmode_1.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_created.png
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device_darkmode.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_full_house.png
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_1.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_darkmode_1.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision_darkmode.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_1.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_darkmode_1.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_1.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_darkmode_1.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device_darkmode.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_stop.png
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/personalization_reminders.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/phone_number_sign_in_2x.png
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop_darkmode.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key.gif
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_ios_center.png
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_laptop.gif
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered.gif
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered_darkmode.gif
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_phone.gif
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_ios.gif
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_pulldown.gif
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_tapyes.gif
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/smart_lock_2x.png
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/usb_key.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/web_and_app_activity.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/who_will_be_using_this_device.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/you_tube_history.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available_dark.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/gmail_ios_authzen.gif
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/paaskey.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge_darkmode.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_darkmode.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device_darkmode.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_darkmode.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error_darkmode.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth_darkmode.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success_darkmode.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror_darkmode.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_dark.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_light.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/screenlock.png
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_ipad.gif
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone.gif
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_nfc.gif
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_usb.gif
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_phone.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_keys.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2_darkmode.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/loading_spinner_gm.gif
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/progress_spinner_color_20dp_4x.gif
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/success-gm-default_2x.png
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/apps/signup/resources/custom-email-address.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/images/hpp/shield_security_checkup_green_2x_web_96dp.png
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_dark_1.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_v1.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_dark_v1.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_v1.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_dark_v1.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_v1.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked_dark.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp_dark.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents_dark.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset_dark.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices_darkmode.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid_dark.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail_dark.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps_darkmode.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_confirmation.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore_dark.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro_darkmode.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18_darkmode.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms_dark.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings_darkmode.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search_darkmode.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18_darkmode.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18_darkmode.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18_darkmode.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_darkmode.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad_dark.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_0.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_dark_0.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization_darkmode.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation_darkmode.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error_darkmode.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork_darkmode.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro_darkmode.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results_darkmode.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search_darkmode.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications_dark.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_2.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_dark_2.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_2.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_dark_2.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_2.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_dark_2.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_2.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_dark_2.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_2.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_dark_3.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_1.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_dark_1.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_1.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_dark_1.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_2.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_dark_2.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_1.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_dark_1.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_2.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_dark_2.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_dark_v2.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_v2.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set_dark.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent_dark.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction_dark.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error_dark.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work_dark.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps_dark.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls_dark.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent_dark.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen_dark.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice_darkmode.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation_dark.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation_dark.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email_dark.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set_darkmode.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set_dark.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_dark.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_v2.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2_dark.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2_dark.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink_dark.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling_dark.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_dark_v2.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_v2.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2_dark.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup_dark.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2_dark.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2_dark.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2_dark.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help_dark.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space.png
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space_dark.png
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol_dark.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation_dark.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits_dark.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2_dark.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess.svg
Source: chromecache_101.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess_dark.svg
Source: chromecache_95.6.dr	String found in binary or memory: https://support.google.com/accounts?hl=
Source: chromecache_95.6.dr	String found in binary or memory: https://support.google.com/accounts?p=new-si-ui
Source: chromecache_95.6.dr	String found in binary or memory: https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072
Source: chromecache_101.6.dr	String found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
Source: chromecache_95.6.dr	String found in binary or memory: https://www.google.com
Source: chromecache_95.6.dr	String found in binary or memory: https://www.google.com/intl/
Source: chromecache_101.6.dr	String found in binary or memory: https://www.gstatic.com/accounts/speedbump/authzen_optin_illustration.gif
Source: chromecache_101.6.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/chrome_48dp.png
Source: chromecache_101.6.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/googleg_48dp.png
Source: chromecache_101.6.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/gsa_48dp.png
Source: chromecache_101.6.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/play_prism_48dp.png
Source: chromecache_101.6.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/youtube_48dp.png
Source: chromecache_95.6.dr	String found in binary or memory: https://www.gstatic.com/images/branding/productlogos/googleg/v6/36px.svg
Source: chromecache_95.6.dr	String found in binary or memory: https://www.youtube.com/t/terms?chromeless=1&hl=
Source: file.exe, 00000000.00000003.2040379092.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: chromecache_95.6.dr	String found in binary or memory: https://youtube.com/t/terms?gl=

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.5:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.5:49761 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0038EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0038EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0038ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0038ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0038EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0037AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0037AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003A9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_003A9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_26fe0d03-f
Source: file.exe, 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_96d98d1d-c
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_1b36e6b1-5
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_931b2bcd-7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0037D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0037D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00371201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00371201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0037E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0037E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0031BF40	0_2_0031BF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00318060	0_2_00318060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00382046	0_2_00382046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00378298	0_2_00378298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0034E4FF	0_2_0034E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0034676B	0_2_0034676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0035E781	0_2_0035E781
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003A4873	0_2_003A4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0033CAA0	0_2_0033CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0031CAF0	0_2_0031CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0032CC39	0_2_0032CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00346DD9	0_2_00346DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0032B119	0_2_0032B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003191C0	0_2_003191C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00331394	0_2_00331394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00331706	0_2_00331706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0033781B	0_2_0033781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00317920	0_2_00317920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0032997D	0_2_0032997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003319B0	0_2_003319B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00337A4A	0_2_00337A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00331C77	0_2_00331C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00337CA7	0_2_00337CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0039BE44	0_2_0039BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00349EEE	0_2_00349EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00331F32	0_2_00331F32

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00319CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0032F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00330A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal76.troj.evad.winEXE@34/38@12/7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003837B5 GetLastError,FormatMessageW,

0_2_003837B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003710BF AdjustTokenPrivileges,CloseHandle,		0_2_003710BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003716C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_003716C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003851CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_003851CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0039A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0039A67C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0038648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0038648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003142A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_003142A2

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1436:120:WilError_03

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 13%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 --field-trial-handle=2248,i,505704173538351557,9079963475394017649,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5672 --field-trial-handle=2248,i,505704173538351557,9079963475394017649,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 --field-trial-handle=2248,i,505704173538351557,9079963475394017649,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 --field-trial-handle=2248,i,505704173538351557,9079963475394017649,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5672 --field-trial-handle=2248,i,505704173538351557,9079963475394017649,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 --field-trial-handle=2248,i,505704173538351557,9079963475394017649,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Google Drive.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003142DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00330A76 push ecx; ret

0_2_00330A89

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0032F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0032F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003A1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_003A1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96699

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.9 %

Source: C:\Users\user\Desktop\file.exe TID: 1532	Thread sleep count: 61 > 30	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1532	Thread sleep count: 53 > 30	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1532	Thread sleep count: 235 > 30	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0037DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0037DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0034C2A2 FindFirstFileExW,	0_2_0034C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003868EE FindFirstFileW,FindClose,	0_2_003868EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0038698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0038698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0037D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0037D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0037D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0037D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00389642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00389642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0038979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0038979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00389B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00389B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00385C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00385C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003142DE

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\file.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_0-96174

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0038EAA2 BlockInput,

0_2_0038EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00342622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00342622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003142DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00334CE8 mov eax, dword ptr fs:[00000030h]

0_2_00334CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00370B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00370B62

Source: C:\Windows\SysWOW64\taskkill.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00342622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00342622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0033083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0033083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003309D5 SetUnhandledExceptionFilter,	0_2_003309D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00330C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00330C21

Source: C:\Users\user\Desktop\file.exe

0_2_00371201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00352BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00352BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0037B226 SendInput,keybd_event,

0_2_0037B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003922DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_003922DA

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00370B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00371663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00371663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00330698 cpuid

0_2_00330698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00388195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00388195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0036D27A GetUserNameW,

0_2_0036D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0034B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0034B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003142DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 5552, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 5552, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00391204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00391204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00391806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00391806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Process Injection	1 Masquerading	LSA Secrets	22 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	21 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	13%	ReversingLabs
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://play.google/intl/	0%	URL Reputation	safe
https://families.google.com/intl/	0%	URL Reputation	safe
https://policies.google.com/technologies/location-data	0%	URL Reputation	safe
https://apis.google.com/js/api.js	0%	URL Reputation	safe
https://policies.google.com/privacy/google-partners	0%	URL Reputation	safe
https://policies.google.com/terms/service-specific	0%	URL Reputation	safe
https://g.co/recover	0%	URL Reputation	safe
https://policies.google.com/privacy/additional	0%	URL Reputation	safe
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	0%	URL Reputation	safe
https://policies.google.com/technologies/cookies	0%	URL Reputation	safe
https://policies.google.com/terms	0%	URL Reputation	safe
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	0%	URL Reputation	safe
https://support.google.com/accounts?hl=	0%	URL Reputation	safe
https://policies.google.com/terms/location	0%	URL Reputation	safe
https://policies.google.com/privacy	0%	URL Reputation	safe
https://support.google.com/accounts?p=new-si-ui	0%	URL Reputation	safe
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
youtube-ui.l.google.com	172.217.18.14	true	false	unknown
www3.l.google.com	142.250.185.142	true	false	unknown
play.google.com	172.217.18.14	true	false	unknown
www.google.com	216.58.206.36	true	false	unknown
youtube.com	142.250.186.78	true	false	unknown
accounts.youtube.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Reputation
https://play.google.com/log?format=json&hasfast=true&authuser=0	false	unknown
https://www.google.com/favicon.ico	false	unknown
https://play.google.com/log?hasfast=true&authuser=0&format=json	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google/intl/	chromecache_95.6.dr	false	URL Reputation: safe	unknown
https://families.google.com/intl/	chromecache_95.6.dr	false	URL Reputation: safe	unknown
https://youtube.com/t/terms?gl=	chromecache_95.6.dr	false		unknown
https://policies.google.com/technologies/location-data	chromecache_95.6.dr	false	URL Reputation: safe	unknown
https://www.google.com/intl/	chromecache_95.6.dr	false		unknown
https://apis.google.com/js/api.js	chromecache_101.6.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/google-partners	chromecache_95.6.dr	false	URL Reputation: safe	unknown
https://play.google.com/work/enroll?identifier=	chromecache_95.6.dr	false		unknown
https://policies.google.com/terms/service-specific	chromecache_95.6.dr	false	URL Reputation: safe	unknown
https://g.co/recover	chromecache_95.6.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/additional	chromecache_95.6.dr	false	URL Reputation: safe	unknown
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	chromecache_95.6.dr	false	URL Reputation: safe	unknown
https://policies.google.com/technologies/cookies	chromecache_95.6.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms	chromecache_95.6.dr	false	URL Reputation: safe	unknown
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	chromecache_101.6.dr	false	URL Reputation: safe	unknown
https://www.google.com	chromecache_95.6.dr	false		unknown
https://play.google.com/log?format=json&hasfast=true	chromecache_95.6.dr	false		unknown
https://www.youtube.com/t/terms?chromeless=1&hl=	chromecache_95.6.dr	false		unknown
https://support.google.com/accounts?hl=	chromecache_95.6.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms/location	chromecache_95.6.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy	chromecache_95.6.dr	false	URL Reputation: safe	unknown
https://support.google.com/accounts?p=new-si-ui	chromecache_95.6.dr	false	URL Reputation: safe	unknown
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	chromecache_95.6.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.78	youtube.com	United States	15169	GOOGLEUS	false
172.217.18.14	youtube-ui.l.google.com	United States	15169	GOOGLEUS	false
216.58.206.36	www.google.com	United States	15169	GOOGLEUS	false
216.58.206.46	unknown	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.185.142	www3.l.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.5

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1524380
Start date and time:	2024-10-02 18:30:58 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal76.troj.evad.winEXE@34/38@12/7
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 44 Number of non-executed functions: 308
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.186.131, 142.250.186.174, 74.125.133.84, 34.104.35.123, 142.250.185.138, 142.250.184.234, 142.250.184.202, 142.250.186.106, 142.250.185.74, 142.250.186.42, 172.217.16.202, 142.250.185.106, 142.250.185.234, 142.250.185.202, 172.217.16.138, 142.250.185.170, 142.250.186.138, 142.250.186.74, 172.217.18.10, 216.58.206.74, 142.250.186.99, 172.217.18.3, 216.58.206.42, 142.250.186.170, 142.250.181.234, 192.229.221.95, 2.16.100.168, 173.194.76.84, 217.20.57.40
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, slscr.update.microsoft.com, fonts.gstatic.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com, www.gstatic.com, optimizationguide-pa.googleapis.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	file.exe	Get hash	malicious	Credential Flusher	Browse
	27987136e29b3032ad40982c8b7c2e168112c9601e08da806119dcba615524b5.html	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	https://tqaun.us12.list-manage.com/track/click?u=fb0a5f04fa3c936488ff652c3&id=d22699c399&e=ce0a629e2e	Get hash	malicious	HTMLPhisher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	file.exe	Get hash	malicious	Credential Flusher	Browse	23.1.237.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	23.1.237.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	23.1.237.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	23.1.237.91
	file.exe	Get hash	malicious	Unknown	Browse	23.1.237.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	23.1.237.91
	test.exe	Get hash	malicious	Babadeda	Browse	23.1.237.91
	exit.exe	Get hash	malicious	Babadeda	Browse	23.1.237.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	23.1.237.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	23.1.237.91
28a2c9bd18a11de089ef85a160da29e4	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.12.23.50
	27987136e29b3032ad40982c8b7c2e168112c9601e08da806119dcba615524b5.html	Get hash	malicious	Unknown	Browse	184.28.90.27 20.12.23.50
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.12.23.50
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.12.23.50
	New_Statement-8723107.js	Get hash	malicious	Unknown	Browse	184.28.90.27 20.12.23.50
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.12.23.50
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.12.23.50
	New_Statement-8723107.js	Get hash	malicious	Unknown	Browse	184.28.90.27 20.12.23.50
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.12.23.50
	https://tqaun.us12.list-manage.com/track/click?u=fb0a5f04fa3c936488ff652c3&id=d22699c399&e=ce0a629e2e	Get hash	malicious	HTMLPhisher	Browse	184.28.90.27 20.12.23.50

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files\5715a8b7-d253-44c6-84cc-93a173bad1dd (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Google Chrome extension, version 3
Category:	dropped
Size (bytes):	6481
Entropy (8bit):	7.936096214075958
Encrypted:	false
SSDEEP:	192:cfxTTMoALWt8J9crwcPaHp8nBalWvTgINwoItPma9Yin:WxTTMut8JOrWp8n8KMINw7ma9Yi
MD5:	0998DBE50E98E23407CF0DD005B764D7
SHA1:	B0B546166E997E9EF0A82EEB5D5C3BA87E5A4573
SHA-256:	17CE81A8E92C55D2CE6A845F40AF1B090B6304B331B8E7AF64C75F6F304447BB
SHA-512:	F5044CA8E38D88DAC0CE611F5EBCD016952D2DF11745B58AA40FCCC6C471C8CA6B4C9E479E8236EF1E22D1B4568EB5B9E9BD246CFD916498CB79F0B9A062637B
Malicious:	false
Reputation:	low
Preview:	Cr24....E.........0.."0....H.............0.........:.2.W.))...I...5_U(I7nz...2[.;..H...S.../...nb%Yx.6.]i.....u...PDF.i.LJK.?....l.....R...\|...j...C..j!.%'..s....[."...Gy...=l)..=.l\....4..Q!$e.=...C.1.%d..B...K.[.l,.....7......y...$7J..G&TT..W.-=jgs[...&.@/.j$....+...yk\|l^..Km)\Y..x..}OCXf.....A5s.7..8..o....L..(p[...^e......?&X..:~,.)..C..n...Hh.....<..N..0.....woa6....'&y....tH..7@..a.t.....F..YQU......<......m!..^.#f.'F".....lt..97U3f...WM....]Lw...)..x...)..Hy Z...l.a.)J~'.y.o.NS.#.,6.D.9UMW..l>.pa.WG.^..L,..B...."p.Y.....<............y.x...2LP.n9O.y.$M..f..J....E../..b..=1n.9..&Z...A.h&1. ...'\|..{f..h../@.....6}L..^.k.k9.i..T.0...0.-:.N.\..O..J......y...t&.Z.]....-.%.J%...! o...jG ..7.p...!.=K..A"...../.....j=Sv....$.....t..........6.....I..$1.q..5..H....w.wDs.;......@.9.j...44&.<....5.7............:<.y.:....9V;.....O...c.q.]fC.3._..f........`,%oO........[&.L...$..xD.Ru......a.>I.B.....l..d....J...r..`......I.Rn\-_%-.#0...b]d...~4

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 2 15:31:52 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9823337912014933
Encrypted:	false
SSDEEP:	48:8D2dampsT6mKOR/HDidAKZdA19ehwiZUklqehsJy+3:8gsnNBJy
MD5:	2ADC426C76B9070C86C5CC984964AB91
SHA1:	A2BC0207C94E344F6ACB4FF005034CDF097F86A9
SHA-256:	62BC3C272564D642DDD923C6CB2A94897B8BA35DD1BF34F3404DF90F975CBD68
SHA-512:	A9B320A6F13C447BD8F8E4AE1ED8DC51355738B06A01321F126E63331A34B62F6ED50FB8AEC40C4CF40225A0011EA16C9CB302A30B0E24AB263636CBBA07697F
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,............N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IBY......B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VBY......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VBY......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VBY............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VBY.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............-T......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 2 15:31:52 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.999384776301075
Encrypted:	false
SSDEEP:	48:8G22dampsT6mKOR/HDidAKZdA1weh/iZUkAQkqehxJy+2:8Gfsnn9Q+Jy
MD5:	4E8B89B542A84D9194FCA066A295793A
SHA1:	D917EC6A93647C8F62FC6F974BCA92CA7EF7BE04
SHA-256:	ABFBF7A85DC1BAF512FF579AFB0E7FBC1970A2ADDA8D990FCE90F98BE7500698
SHA-512:	81C1C17D083F79D7FBC668137B9B0E7E62E634E3F5F63123BC7924491EE56B4A11DB9DF982C98EE8E56648AC4AA743931E5C1E683216D4493A2C2A6D573CB987
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......".....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IBY......B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VBY......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VBY......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VBY............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VBY.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............-T......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2693
Entropy (8bit):	4.009489769071561
Encrypted:	false
SSDEEP:	48:8xi2dampsT6mKORsHDidAKZdA14tseh7sFiZUkmgqeh7srJy+BX:8xzsnyndJy
MD5:	D455AF319A9018360977712AB284696C
SHA1:	FC0816416101A35B86804B36A284901456E195EE
SHA-256:	0A089895A5737F7019C727EB6631BEC981CB44FBDBD1DFDCEF28B79D8E2A3CF3
SHA-512:	C733F25C21721DCB43E1167036E287EEB98AB17495BF02C79DA01B0A1ABF766FD97E3FFA52E42DBD155B4E47E40BDB481D186A4F70BF73C2FBCC20D12E81540C
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......e>....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IBY......B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VBY......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VBY......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VBY............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VDW.n...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............-T......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 2 15:31:52 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.996358960102833
Encrypted:	false
SSDEEP:	48:8g+2dampsT6mKOR/HDidAKZdA1vehDiZUkwqeh1Jy+R:8gHsnEjJy
MD5:	35880DA668038DF3D9F9D5454C833687
SHA1:	AC7E264798551A552018D0E3259F0CBF8AE92DC6
SHA-256:	20E8DDCE37C1E4A7FA4375B013709ED665BC098D5B8852454B63B14BDACA8BA2
SHA-512:	930D4B408C8B6677D530C807238DD5FD5E6EA5B4B965A7F1813C32FEC87D6945C836B51556003903FB9A0909D1781EAFC2BBD326DEDAA92D9F4ED590BDF9FC6E
Malicious:	false
Preview:	L..................F.@.. ...$+.,....tk......N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IBY......B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VBY......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VBY......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VBY............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VBY.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............-T......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 2 15:31:52 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.98869089017179
Encrypted:	false
SSDEEP:	48:8l2dampsT6mKOR/HDidAKZdA1hehBiZUk1W1qehnJy+C:8OsnE9HJy
MD5:	FC0FC3192111215ADCE19027229E7D6E
SHA1:	4032783BD29EFB87C05DE398266F1E94659DC3EA
SHA-256:	6B7D28077A9B2C96A5B8019C9E8B0BC561145B61F1CDAF479BC5600D904A776C
SHA-512:	201D3A67A14602949649CC6B656B1F102383EAEBB96AE0E8D1C18E7AE5216B5632D85FF854C164FF2DF732E73290EB61C03B441D3FEB9A319A2F4D3E5F238540
Malicious:	false
Preview:	L..................F.@.. ...$+.,...........N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IBY......B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VBY......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VBY......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VBY............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VBY.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............-T......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e..C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 2 15:31:51 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2683
Entropy (8bit):	3.9949310232771085
Encrypted:	false
SSDEEP:	48:8e2dampsT6mKOR/HDidAKZdA1duT+ehOuTbbiZUk5OjqehOuTbdJy+yT+:8nsnqT/TbxWOvTbdJy7T
MD5:	8DD177E6EBD0720704255D56EA7931EE
SHA1:	360D13C35128D254886C2A4C74BFB5497C19D2F8
SHA-256:	5821CBE01788B4436E99D8782F3A4EAF7AA2514F283A5005CF65A6B8C87E70FB
SHA-512:	F0F43F6759F60717BB953CD3EF887BFD483259D73A4D6AF0889DCBF602ABD56028305B89464267FA7627C62D4EBEAD01FC1EB7F922FCF05F5B31DA34B6080800
Malicious:	false
Preview:	L..................F.@.. ...$+.,....c.......N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IBY......B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VBY......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VBY......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VBY............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VBY.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............-T......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\Downloads\7aeca451-4856-49d0-bb18-db1e3e273720.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Google Chrome extension, version 3
Category:	dropped
Size (bytes):	6481
Entropy (8bit):	7.936096214075958
Encrypted:	false
SSDEEP:	192:cfxTTMoALWt8J9crwcPaHp8nBalWvTgINwoItPma9Yin:WxTTMut8JOrWp8n8KMINw7ma9Yi
MD5:	0998DBE50E98E23407CF0DD005B764D7
SHA1:	B0B546166E997E9EF0A82EEB5D5C3BA87E5A4573
SHA-256:	17CE81A8E92C55D2CE6A845F40AF1B090B6304B331B8E7AF64C75F6F304447BB
SHA-512:	F5044CA8E38D88DAC0CE611F5EBCD016952D2DF11745B58AA40FCCC6C471C8CA6B4C9E479E8236EF1E22D1B4568EB5B9E9BD246CFD916498CB79F0B9A062637B
Malicious:	false
Preview:	Cr24....E.........0.."0....H.............0.........:.2.W.))...I...5_U(I7nz...2[.;..H...S.../...nb%Yx.6.]i.....u...PDF.i.LJK.?....l.....R...\|...j...C..j!.%'..s....[."...Gy...=l)..=.l\....4..Q!$e.=...C.1.%d..B...K.[.l,.....7......y...$7J..G&TT..W.-=jgs[...&.@/.j$....+...yk\|l^..Km)\Y..x..}OCXf.....A5s.7..8..o....L..(p[...^e......?&X..:~,.)..C..n...Hh.....<..N..0.....woa6....'&y....tH..7@..a.t.....F..YQU......<......m!..^.#f.'F".....lt..97U3f...WM....]Lw...)..x...)..Hy Z...l.a.)J~'.y.o.NS.#.,6.D.9UMW..l>.pa.WG.^..L,..B...."p.Y.....<............y.x...2LP.n9O.y.$M..f..J....E../..b..=1n.9..&Z...A.h&1. ...'\|..{f..h../@.....6}L..^.k.k9.i..T.0...0.-:.N.\..O..J......y...t&.Z.]....-.%.J%...! o...jG ..7.p...!.=K..A"...../.....j=Sv....$.....t..........6.....I..$1.q..5..H....w.wDs.;......@.9.j...44&.<....5.7............:<.y.:....9V;.....O...c.q.]fC.3._..f........`,%oO........[&.L...$..xD.Ru......a.>I.B.....l..d....J...r..`......I.Rn\-_%-.#0...b]d...~4

Chrome Cache Entry: 100

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	84
Entropy (8bit):	4.875266466142591
Encrypted:	false
SSDEEP:	3:DZFJu0+WVTBCq2Bjdw2KsJJuYHSKnZ:lFJuuVTBudw29nu4SKZ
MD5:	87B6333E98B7620EA1FF98D1A837A39E
SHA1:	105DE6815B0885357DE1414BFC0D77FCC9E924EF
SHA-256:	DCD3C133C5C40BECD4100BBE6EDAE84C9735E778E4234A5E8395C56FF8A733BA
SHA-512:	867D7943D813685FAA76394E53199750C55817E836FD19C933F74D11E9657CE66719A6D6B2E39EE1DE62358BCE364E38A55F4E138DF92337DE6985DDCD5D0994
Malicious:	false
URL:	https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xMzISHgmA6QC9dWevzxIFDRkBE_oSBQ3oIX6GEgUN05ioBw==?alt=proto
Preview:	Cj0KBw0ZARP6GgAKKQ3oIX6GGgQISxgCKhwIClIYCg5AIS4jJF8qLSY/Ky8lLBABGP////8PCgcN05ioBxoA

Chrome Cache Entry: 101

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (553)
Category:	downloaded
Size (bytes):	744362
Entropy (8bit):	5.791334302173818
Encrypted:	false
SSDEEP:	6144:YVXWBQkPdzg5pTX1ROv/duPzd8C3s891/Q:Nfd8j91/Q
MD5:	5998B16F22823CDA571E9767D2F000F5
SHA1:	8F191C974AF3FDEF368C7A2706A1C81C7F379ADB
SHA-256:	7FFEA98E198646D080873710AD217394C63EF97E6B8F5DD0EBF5E3BB8B7AED8E
SHA-512:	951A410744AFBD905141EB68846DCC707F36B6A3A7C3734633B98064441E417A14F52B1F3FB347114ED15E7899D3554EA9745EACF7076955119AA0EF9ADD206E
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/am=xIFgKBimEQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/excm=_b,_tp,identifierview/ed=1/dg=0/wt=2/ujg=1/rs=AOaEmlGukuT5y8NnMp7TQhoXvWQoBnYT8w/m=_b,_tp"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._._F_toggles_initialize=function(a){(typeof globalThis!=="undefined"?globalThis:typeof self!=="undefined"?self:this)._F_toggles=a\|\|[]};(0,_._F_toggles_initialize)([0x286081c4, 0x20469860, 0x39e1fc40, 0x14501e80, 0xe420, 0x0, 0x1a000000, 0x1d000003, 0xc, ]);./.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0././.. Copyright Google LLC. SPDX-License-Identifier: Apache-2.0././.. Copyright 2024 Google, Inc. SPDX-License-Identifier: MIT././. SPDX-License-Identifier: Apache-2.0././. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0./.var baa,daa,Ma,Sa,gaa,iaa,jb,qaa,waa,Caa,Haa,Kaa,Jb,Laa,Ob,Qb,Rb,Maa,Naa,Sb,Oaa,Paa,Qaa,Yb,Vaa,Xaa,ec,fc,gc,bba,cba,gba,jba,lba,mba,qba,tba,nba,sba,rba,pba,oba,uba,yba,Cba,Dba,Aba,Hc,Ic,Gba,Iba,Mba,Nba,Oba,Pba,Lba,Qba,Sba,dd,Uba,Vba,Xba,Zba,Yba,aca,bca,cca,dca,fca,eca,hca,ica,jca,kca,nca,

Chrome Cache Entry: 102

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (522)
Category:	downloaded
Size (bytes):	5050
Entropy (8bit):	5.289052544075544
Encrypted:	false
SSDEEP:	96:o4We0hP7OBFXYvB1sig3Fd8HkaXzLmUrv8Vh1WJlLQXT2v2gqw:655758Fd8HkaPZ0GmAD
MD5:	26E26FD11772DFF5C7004BEA334289CC
SHA1:	638DAAF541BDE31E95AEE4F8ADA677434D7051DB
SHA-256:	ADFE3E4960982F5EF4C043052A9990D8683C5FC2B590E817B6B1A5774DDE2CE3
SHA-512:	C31929EB6D1C60D6A84A2574FF60490394A6D6F9B354972F3328952F570D80B3F2AEC916B0E1B66DDB1AC056EB75BFAC477E7AF631D0AD1810EDBAF025465D66
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBimEQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHHHUTOu8QCHKV2CSS4q8_ZgreBVQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=wg1P6b"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.jNa=_.y("wg1P6b",[_.TA,_.Cn,_.Kn]);._.k("wg1P6b");.var Z5a;Z5a=_.mh(["aria-"]);._.uJ=function(a){_.X.call(this,a.Fa);this.Ka=this.wa=this.aa=this.viewportElement=this.Na=null;this.Hc=a.Ea.ff;this.ab=a.Ea.focus;this.Fc=a.Ea.Fc;this.ea=this.Pi();a=-1*parseInt(_.Co(this.Pi().el(),"marginTop")\|\|"0",10);var b=parseInt(_.Co(this.Pi().el(),"marginBottom")\|\|"0",10);this.Ta={top:a,right:0,bottom:b,left:0};a=_.cf(this.getData("isMenuDynamic"),!1);b=_.cf(this.getData("isMenuHoisted"),!1);this.Ga=a?1:b?2:0;this.ka=!1;this.Ca=1;this.Ga!==1&&(this.aa=this.Sa("U0exHf").children().Wc(0),_.ku(this,.$5a(this,this.aa.el())));_.kF(this.oa())&&(a=this.oa().el(),b=this.we.bind(this),a.__soy_skip_handler=b)};_.J(_.uJ,_.X);_.uJ.Ba=function(){return{Ea:{ff:_.ZE,focus:_.KE,Fc:_.ru}}};_.uJ.prototype.xF=function(a){var b=a.source;this.Na=b;var c;((c=a.data)==null?0:c.fz)?(a=a.data.fz,this.Ca=a==="MOUS

Chrome Cache Entry: 88

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (681)
Category:	downloaded
Size (bytes):	4067
Entropy (8bit):	5.363457972758152
Encrypted:	false
SSDEEP:	96:G2CiFZX5BReR68ujioIRVrqtyzBeTV6SfyAKLif9cLw:bCMZXVeR6jiosVrqtyzBaImyAKw9z
MD5:	B027BF10F968F37628EB698B2CF46D8E
SHA1:	0C9801E4FF3BE18102E6E22246B4262FCC6CE011
SHA-256:	98608C8414932B6F029948A323B1236EFB96861306FD1EDEB6CE47E180392B47
SHA-512:	3B1E5A3B247273F025EACF389F98BC139F8453ECEC7A2EC762A4E3279F220B7BED2CB23CD5630E92ED03187C514956DF814E9450FFAA10BFE312633B445DBEF1
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBimEQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHHHUTOu8QCHKV2CSS4q8_ZgreBVQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=sOXFj,q0xTif,ZZ4WUe"
Preview:	"use strict";_F_installCss(".N7rBcd{overflow-x:auto}sentinel{}");.this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.vg(_.aqa);._.k("sOXFj");.var tu=function(a){_.W.call(this,a.Fa)};_.J(tu,_.W);tu.Ba=_.W.Ba;tu.prototype.aa=function(a){return a()};_.nu(_.$pa,tu);._.l();._.k("oGtAuc");._.yya=new _.pf(_.aqa);._.l();._.k("q0xTif");.var sza=function(a){var b=function(d){_.Sn(d)&&(_.Sn(d).Jc=null,_.Du(d,null));d.XyHi9&&(d.XyHi9=null)};b(a);a=a.querySelectorAll("[c-wiz]");for(var c=0;c<a.length;c++)b(a[c])},Pu=function(a){_.kt.call(this,a.Fa);this.Qa=this.dom=null;if(this.kl()){var b=_.zm(this.Ug(),[_.Em,_.Dm]);b=_.ni([b[_.Em],b[_.Dm]]).then(function(c){this.Qa=c[0];this.dom=c[1]},null,this);_.hu(this,b)}this.Ra=a.lm.zea};_.J(Pu,_.kt);Pu.Ba=function(){return{lm:{zea:function(a){return _.Ue(a)}}}};Pu.prototype.zp=function(a){return this.Ra.zp(a)};.Pu.prototype.getData=function(a){return this.Ra.getData(a)};Pu.prototype.qo=function(){_.Kt(this.d

Chrome Cache Entry: 89

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (533)
Category:	downloaded
Size (bytes):	9210
Entropy (8bit):	5.404371326611379
Encrypted:	false
SSDEEP:	192:EEFZpeip4HzZlY0If0Ma23jcUcrhCx6VD1TYPi8:Es/p4jgjUhtD1TY68
MD5:	21E893B65627B397E22619A9F5BB9662
SHA1:	F561B0F66211C1E7B22F94B4935C312AB7087E85
SHA-256:	FFA9B8BC8EF2CDFF5EB4BA1A0BA1710A253A5B42535E2A369D5026967DCF4673
SHA-512:	3DE3CD6A4E9B06AB3EB324E90A40B5F2AEEA8D7D6A2651C310E993CF79EEB5AC6E2E33C587F46B2DD20CC862354FD1A61AEBB9B990E6805F6629404BA285F8FA
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBimEQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PrPYRd,Rkm0ef,SCuOPb,STuCOe,SpsfSb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,byfTOb,cYShmd,eVCnO,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,qPfo0c,qmdT9,rCcCxc,siKnQd,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHHHUTOu8QCHKV2CSS4q8_ZgreBVQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ltDFwf,SD8Jgb,rmumx,E87wgc,qPYxq,Tbb4sb,pxq3x,f8Gu1e,soHxf,YgOFye,yRXbo,bTi8wc,ywOR5c,PHUIyb"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.qNa=_.y("SD8Jgb",[]);._.GX=function(a,b){if(typeof b==="string")a.Lc(b);else if(b instanceof _.Fp&&b.ia&&b.ia===_.A)b=_.Ya(b.Lw()),a.empty().append(b);else if(b instanceof _.Ua)b=_.Ya(b),a.empty().append(b);else if(b instanceof Node)a.empty().append(b);else throw Error("Vf");};_.HX=function(a){var b=_.Io(a,"[jsslot]");if(b.size()>0)return b;b=new _.Go([_.Kk("span")]);_.Jo(b,"jsslot","");a.empty().append(b);return b};_.NLb=function(a){return a===null\|\|typeof a==="string"&&_.Hi(a)};._.k("SD8Jgb");._.MX=function(a){_.X.call(this,a.Fa);this.Ua=a.controller.Ua;this.od=a.controllers.od[0]\|\|null;this.header=a.controller.header;this.nav=a.controller.nav;var b;(b=this.oa().find("button:not([type])").el())==null\|\|b.setAttribute("type","button")};_.J(_.MX,_.X);_.MX.Ba=function(){return{controller:{Ua:{jsname:"n7vHCb",ctor:_.mv},header:{jsname:"tJHJj",ctor:_.mv},nav:{jsname:"DH6Rkf",ct

Chrome Cache Entry: 90

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (395)
Category:	downloaded
Size (bytes):	1608
Entropy (8bit):	5.257113147606035
Encrypted:	false
SSDEEP:	48:o72ZrNZ4yNAbU+15fMxIdf5WENoBCbw7DbG2bEJrw:oyNNAY+1i4HoBNG2Ilw
MD5:	F06E2DC5CC446B39F878B5F8E4D78418
SHA1:	9F1F34FDD8F8DAB942A9B95D9F720587B6F6AD48
SHA-256:	118E4D2FE7CEF205F9AFC87636554C6D8220882B158333EE3D1990282D158B8F
SHA-512:	893C4F883CD1C88C6AAF5A6E7F232D62823A53E1FFDE5C1C52BB066D75781DD041F4D281CDBF18070D921CE862652D8863E2B9D5E0190CFA4128890D62C44168
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBimEQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHHHUTOu8QCHKV2CSS4q8_ZgreBVQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=w9hDv,ZDZcre,A7fCU"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("w9hDv");._.vg(_.Hla);_.eA=function(a){_.W.call(this,a.Fa);this.aa=a.Xa.cache};_.J(_.eA,_.W);_.eA.Ba=function(){return{Xa:{cache:_.dt}}};_.eA.prototype.execute=function(a){_.Bb(a,function(b){var c;_.$e(b)&&(c=b.eb.kc(b.kb));c&&this.aa.xG(c)},this);return{}};_.nu(_.Nla,_.eA);._.l();._.k("ZDZcre");.var fH=function(a){_.W.call(this,a.Fa);this.Wl=a.Ea.Wl;this.d4=a.Ea.metadata;this.aa=a.Ea.ot};_.J(fH,_.W);fH.Ba=function(){return{Ea:{Wl:_.KG,metadata:_.VZa,ot:_.HG}}};fH.prototype.execute=function(a){var b=this;a=this.aa.create(a);return _.Bb(a,function(c){var d=b.d4.getType(c.Od())===2?b.Wl.Rb(c):b.Wl.fetch(c);return _.yl(c,_.LG)?d.then(function(e){return _.Dd(e)}):d},this)};_.nu(_.Sla,fH);._.l();._.k("K5nYTd");._.UZa=new _.pf(_.Ola);._.l();._.k("sP4Vbe");.._.l();._.k("kMFpHd");.._.l();._.k("A7fCU");.var NG=function(a){_.W.call(this,a.Fa);this.aa=a.Ea.tQ};_.J(NG,_.W);NG.Ba=func

Chrome Cache Entry: 91

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	downloaded
Size (bytes):	5430
Entropy (8bit):	3.6534652184263736
Encrypted:	false
SSDEEP:	48:wIJct3xIAxG/7nvWDtZcdYLtX7B6QXL3aqG8Q:wIJct+A47v+rcqlBPG9B
MD5:	F3418A443E7D841097C714D69EC4BCB8
SHA1:	49263695F6B0CDD72F45CF1B775E660FDC36C606
SHA-256:	6DA5620880159634213E197FAFCA1DDE0272153BE3E4590818533FAB8D040770
SHA-512:	82D017C4B7EC8E0C46E8B75DA0CA6A52FD8BCE7FCF4E556CBDF16B49FC81BE9953FE7E25A05F63ECD41C7272E8BB0A9FD9AEDF0AC06CB6032330B096B3702563
Malicious:	false
URL:	https://www.google.com/favicon.ico
Preview:	............ .h...&... .... .........(....... ..... ............................................0...................................................................................................................................v.].X.:.X.:.r.Y........................................q.X.S.4.S.4.S.4.S.4.S.4.S.4...X....................0........q.W.S.4.X.:.................J...A...g.........................K.H.V.8..........................F..B.....................,.......................................B..............................................B..B..B..B..B...u..........................................B..B..B..B..B...{.................5.......k...........................................................7R..8F.................................................2........Vb..5C..;I..................R^.....................0................Xc..5C..5C..5C..5C..5C..5C..lv..........................................]i..<J..:G..Zf....................................................

Chrome Cache Entry: 92

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (2907)
Category:	downloaded
Size (bytes):	22833
Entropy (8bit):	5.425034548615223
Encrypted:	false
SSDEEP:	384:7lFo6ZEdpgtmyiPixV9OX9gMBpHkHnfst9lZulagGcwYHiRFjJzN7:77o6ZviPixV8xpEHn89l4IgGcwYCRtb7
MD5:	749B18538FE32BFE0815D75F899F5B21
SHA1:	AF95A019211AF69F752A43CAA54A83C2AFD41D28
SHA-256:	116B2687C1D5E00DB56A79894AB0C12D4E2E000B9379B7E7AD751B84DF611F3F
SHA-512:	E4B6F4556AA0FD9979BB52681508F5E26FFB256473803F74F7F5C8D93FA3636D7D0A5835618FBC6123022805CE0D9616A7451A0F302C665E28A6090B5D588505
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBimEQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHHHUTOu8QCHKV2CSS4q8_ZgreBVQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=RqjULd"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.uu.prototype.da=_.ca(40,function(){return _.rj(this,3)});_.$y=function(a,b){this.key=a;this.defaultValue=!1;this.flagName=b};_.$y.prototype.ctor=function(a){return typeof a==="boolean"?a:this.defaultValue};_.az=function(){this.ka=!0;var a=_.vj(_.dk(_.Be("TSDtV",window),_.zya),_.uu,1,_.qj())[0];if(a){var b={};for(var c=_.n(_.vj(a,_.Aya,2,_.qj())),d=c.next();!d.done;d=c.next()){d=d.value;var e=_.Jj(d,1).toString();switch(_.tj(d,_.vu)){case 3:b[e]=_.Hj(d,_.lj(d,_.vu,3));break;case 2:b[e]=_.Jj(d,_.lj(d,_.vu,2));break;case 4:b[e]=_.Kj(d,_.lj(d,_.vu,4));break;case 5:b[e]=_.Lj(d,_.lj(d,_.vu,5));break;case 6:b[e]=_.Pj(d,_.ff,6,_.vu);break;default:throw Error("jd`"+_.tj(d,_.vu));}}}else b={};this.ea=b;this.token=.a?a.da():null};_.az.prototype.aa=function(a){if(!this.ka\|\|a.key in this.ea)a=a.ctor(this.ea[a.key]);else if(_.Be("nQyAE",window)){var b=_.Cya(a.flagName);if(b===null)a=a.de

Chrome Cache Entry: 93

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (683)
Category:	downloaded
Size (bytes):	3131
Entropy (8bit):	5.355381206612617
Encrypted:	false
SSDEEP:	48:o7FEEM3MtH15jNQ8jsK3rnw0dkckTrKEp/OqLE9xz0W5Bzv3M6hIHYA+JITbwrF8:oq675jOArwoAmI/DLaxNPL5m+m6w
MD5:	E2A7251AD83A0D0634FEA2703D10ED07
SHA1:	90D72011F31FC40D3DA3748F2817F90A29EB5C01
SHA-256:	1079B49C4AAF5C10E4F2E6A086623F40D200A71FF2A1F64E88AA6C91E4BE7A6F
SHA-512:	CD6D75580EA8BD97CF7C7C0E0BD9D9A54FB6EA7DF1DDB5A95E94D38B260F9EE1425C640839ECD229B8D01E145CF2786CA374D31EC537EB8FE17FF415D5B985F5
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBimEQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHHHUTOu8QCHKV2CSS4q8_ZgreBVQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ZwDk9d,RMhBfe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("ZwDk9d");.var gA=function(a){_.W.call(this,a.Fa)};_.J(gA,_.W);gA.Ba=_.W.Ba;gA.prototype.eS=function(a){return _.Xe(this,{Xa:{gT:_.ll}}).then(function(b){var c=window._wjdd,d=window._wjdc;return!c&&d?new _.li(function(e){window._wjdc=function(f){d(f);e(ZJa(f,b,a))}}):ZJa(c,b,a)})};var ZJa=function(a,b,c){return(a=a&&a[c])?a:b.Xa.gT.eS(c)};.gA.prototype.aa=function(a,b){var c=_.Zra(b).Rj;if(c.startsWith("$")){var d=_.gm.get(a);_.uq[b]&&(d\|\|(d={},_.gm.set(a,d)),d[c]=_.uq[b],delete _.uq[b],_.vq--);if(d)if(a=d[c])b=_.af(a);else throw Error("Jb`"+b);else b=null}else b=null;return b};_.nu(_.Lfa,gA);._.l();._.k("SNUn3");._.YJa=new _.pf(_.wg);._.l();._.k("RMhBfe");.var $Ja=function(a){var b=_.tq(a);return b?new _.li(function(c,d){var e=function(){b=_.tq(a);var f=_.Sfa(a,b);f?c(f.getAttribute("jsdata")):window.document.readyState=="complete"?(f=["Unable to find deferred jsdata wit

Chrome Cache Entry: 94

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (468)
Category:	downloaded
Size (bytes):	1858
Entropy (8bit):	5.298162049824456
Encrypted:	false
SSDEEP:	48:o7vGoolL3ALFKphnpiu7xOKAcfO/3d/rYh4vZorw:o/QLUFUL4KA+2y0Mw
MD5:	CE055F881BDAB4EF6C1C8AA4B3890348
SHA1:	2671741A70E9F5B608F690AAEEA4972003747654
SHA-256:	9B91C23691D6032CDFE28863E369624B2EDB033E1487A1D1BB0977E3590E5462
SHA-512:	8A22250628985C2E570E6FBADFC0D5CB6753F0735130F9E74962A409476C2859C5C81F8A0F5C427A9F13ED399C8E251FA43FF67AD5F16860640D45E7A538E857
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBimEQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHHHUTOu8QCHKV2CSS4q8_ZgreBVQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=iAskyc,ziXSP"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("iAskyc");._.QZ=function(a){_.W.call(this,a.Fa);this.window=a.Ea.window.get();this.Nc=a.Ea.Nc};_.J(_.QZ,_.W);_.QZ.Ba=function(){return{Ea:{window:_.qu,Nc:_.DE}}};_.QZ.prototype.Po=function(){};_.QZ.prototype.addEncryptionRecoveryMethod=function(){};_.RZ=function(a){return(a==null?void 0:a.Jo)\|\|function(){}};_.SZ=function(a){return(a==null?void 0:a.m3)\|\|function(){}};_.GPb=function(a){return(a==null?void 0:a.Op)\|\|function(){}};._.HPb=function(a){return new Map(Array.from(a,function(b){var c=_.n(b);b=c.next().value;c=c.next().value;return[b,c.map(function(d){return{epoch:d.epoch,key:new Uint8Array(d.key)}})]}))};_.IPb=function(a){setTimeout(function(){throw a;},0)};_.QZ.prototype.kO=function(){return!0};_.nu(_.An,_.QZ);._.l();._.k("ziXSP");.var j_=function(a){_.QZ.call(this,a.Fa)};_.J(j_,_.QZ);j_.Ba=_.QZ.Ba;j_.prototype.Po=function(a,b,c){var d;if((d=this.window.chrome)==nu

Chrome Cache Entry: 95

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (5693)
Category:	downloaded
Size (bytes):	698791
Entropy (8bit):	5.595243292922648
Encrypted:	false
SSDEEP:	6144:TJvaKtQfcxene0F2HhPM8RGYcBlKmd5r6XIQqS7SlncOpYMSrBg5X3O4mAEFD7:TJyKtkIct842IQqHJ09
MD5:	7A4AEFC2F596D19F522738DB34C5A680
SHA1:	7F6E9BE8B3C1450075365A31FF6E4B49F1D35BA7
SHA-256:	61D7FF7565945545C0D823CCFC5DB5D09C8714FBF8AD77994F389F08289124B2
SHA-512:	7D80188B002DB3ED7360B9B236DE435F2008345ECEC00FDE39412BE39DE5C08FD80CBD2D7370D0DBB98F4BCCA0CEF147AD9E7935AC2894DB55D81C1B32EB647E
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBimEQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=LEikZe,_b,_tp,byfTOb,lsjVmc/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHHHUTOu8QCHKV2CSS4q8_ZgreBVQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=n73qwf,SCuOPb,IZT63,vfuNJf,UUJqVe,ws9Tlc,siKnQd,XVq9Qb,STuCOe,njlZCf,m9oV,vjKJJ,y5vRwf,iyZMqd,NTMZac,mzzZzc,rCcCxc,vvMGie,K1ZKnb,ziZ8Mc,b3kMqb,mvkUhe,CMcBD,Fndnac,t2srLd,EN3i8d,z0u0L,xiZRqc,NOeYWe,O6y8ed,L9OGUe,PrPYRd,MpJwZc,qPfo0c,cYShmd,hc6Ubd,Rkm0ef,KUM7Z,oLggrd,inNHtf,L1AAkb,WpP9Yc,lwddkf,gJzDyc,SpsfSb,aC1iue,tUnxGc,aW3pY,ZakeSe,EFQ78c,xQtZb,I6YDgd,zbML3c,zr1jrb,vHEMJe,YHI3We,YTxL4,bSspM,Uas9Hd,zy0vNb,K0PMbc,AvtSve,qmdT9,MY7mZe,xBaz7b,GwYlN,eVCnO,EIOG1e,LDQI"
Preview:	"use strict";_F_installCss(".r4WGQb{position:relative}.Dl08I>:first-child{margin-top:0}.Dl08I>:last-child{margin-bottom:0}.IzwVE{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-family:\"Google Sans\",roboto,\"Noto Sans Myanmar UI\",arial,sans-serif;font-size:1.25rem;font-weight:400;letter-spacing:0rem;line-height:1.2}.l5PPKe{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-size:1rem}.l5PPKe .dMNVAe{margin:0;padding:0}.l5PPKe>:first-child{margin-top:0;padding-top:0}.l5PPKe>:last-child{margin-bottom:0;padding-bottom:0}.Dl08I{margin:0;padding:0;position:relative}.Dl08I>.SmR8:only-child{padding-top:1px}.Dl08I>.SmR8:only-child::before{top:0}.Dl08I>.SmR8:not(first-child){padding-bottom:1px}.Dl08I>.SmR8::after{bottom:0}.Dl08I>.SmR8:only-child::before,.Dl08I>.SmR8::after{border-bottom:1px solid #c4c7c5;border-bottom:1px solid var(--gm3-sys-color-outline-variant,#c4c7c5);content:\"\";height:0;left:0;position:absolute;width:100%}.aZvCDf{margin-top:8px;margin-left

Chrome Cache Entry: 96

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (755)
Category:	downloaded
Size (bytes):	1460
Entropy (8bit):	5.291808298251231
Encrypted:	false
SSDEEP:	24:kMYD7DuZvuhqCsNRxoYTY9/qoVk7hz1l2p6vDMW94uEQOeGbCx4VGbgCSFBV87OU:o7DuZWhv6oy12kvwKEeGbC6GbHSh/Hrw
MD5:	4CA7ADFE744A690411EA4D3EA8DB9E4B
SHA1:	2CF1777A199E25378D330DA68BED1871B5C5BC32
SHA-256:	128129BA736B3094323499B0498A5B3A909C1529717461C34B70080A5B1603BD
SHA-512:	8BD3477AF41D1F0FE74AFFCB177BEC0F5F4FDCBBA6BD29D9C2567E6FFDEF5DEB7FF74BF348F33209C39D7BB4958E748DF6731D3DC8F6947352276BC92EAF9E79
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBimEQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHHHUTOu8QCHKV2CSS4q8_ZgreBVQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=P6sQOc"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("lOO0Vd");._.VZa=new _.pf(_.Am);._.l();._.k("P6sQOc");.var $Za=!!(_.Kh[1]&16);var b_a=function(a,b,c,d,e){this.ea=a;this.wa=b;this.ka=c;this.Ca=d;this.Ga=e;this.aa=0;this.da=a_a(this)},c_a=function(a){var b={};_.La(a.yS(),function(e){b[e]=!0});var c=a.pS(),d=a.tS();return new b_a(a.qP(),c.aa()1E3,a.WR(),d.aa()1E3,b)},a_a=function(a){return Math.random()Math.min(a.waMath.pow(a.ka,a.aa),a.Ca)},OG=function(a,b){return a.aa>=a.ea?!1:b!=null?!!a.Ga[b]:!0};var PG=function(a){_.W.call(this,a.Fa);this.da=a.Ea.EV;this.ea=a.Ea.metadata;a=a.Ea.Xga;this.fetch=a.fetch.bind(a)};_.J(PG,_.W);PG.Ba=function(){return{Ea:{EV:_.YZa,metadata:_.VZa,Xga:_.OZa}}};PG.prototype.aa=function(a,b){if(this.ea.getType(a.Od())!==1)return _.Sm(a);var c=this.da.eV;return(c=c?c_a(c):null)&&OG(c)?_.wya(a,d_a(this,a,b,c)):_.Sm(a)};.var d_a=function(a,b,c,d){return c.then(function(e){return e},function(e)

Chrome Cache Entry: 97

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (1694)
Category:	downloaded
Size (bytes):	32500
Entropy (8bit):	5.378903546681047
Encrypted:	false
SSDEEP:	768:zYlbuROstb0e39nKGrkysU0smpu4OLOdzIf1p/5GeSsngurz6aKEEEGo/:zYl61Cysbu4OLOdzIfrIen72ZFo/
MD5:	BF4BF9728A7C302FBA5B14F3D0F1878B
SHA1:	2607CA7A93710D629400077FF3602CB207E6F53D
SHA-256:	8981E7B228DF7D6A8797C0CD1E9B0F1F88337D5F0E1C27A04E7A57D2C4309798
SHA-512:	AC9E170FC3AFDC0CF6BB8E926B93EF129A5FAD1BBA51B60BABCF3555E9B652E98F86A00FB099879DED35DD3FFE72ECFA597E20E6CA8CF402BEDEC40F78412EDA
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBimEQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=_b,_tp/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHHHUTOu8QCHKV2CSS4q8_ZgreBVQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=byfTOb,lsjVmc,LEikZe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{.var Aua=function(a,b){this.da=a;this.ea=b;if(!c){var c=new _.ap("//www.google.com/images/cleardot.gif");_.op(c)}this.ka=c};_.h=Aua.prototype;_.h.Zc=null;_.h.lZ=1E4;_.h.bA=!1;_.h.nQ=0;_.h.zJ=null;_.h.bV=null;_.h.setTimeout=function(a){this.lZ=a};_.h.start=function(){if(this.bA)throw Error("dc");this.bA=!0;this.nQ=0;Bua(this)};_.h.stop=function(){Cua(this);this.bA=!1};.var Bua=function(a){a.nQ++;navigator!==null&&"onLine"in navigator&&!navigator.onLine?_.km((0,_.bg)(a.aH,a,!1),0):(a.aa=new Image,a.aa.onload=(0,_.bg)(a.Fja,a),a.aa.onerror=(0,_.bg)(a.Eja,a),a.aa.onabort=(0,_.bg)(a.Dja,a),a.zJ=_.km(a.Gja,a.lZ,a),a.aa.src=String(a.ka))};_.h=Aua.prototype;_.h.Fja=function(){this.aH(!0)};_.h.Eja=function(){this.aH(!1)};_.h.Dja=function(){this.aH(!1)};_.h.Gja=function(){this.aH(!1)};._.h.aH=function(a){Cua(this);a?(this.bA=!1,this.da.call(this.ea,!0)):this.nQ<=0?Bua(this):(this.bA=!1,

Chrome Cache Entry: 98

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 52280, version 1.0
Category:	downloaded
Size (bytes):	52280
Entropy (8bit):	7.995413196679271
Encrypted:	true
SSDEEP:	1536:1rvqtK8DZilXxwJ8mMwAZy7phqsFLdG3B4d:xytBZits8bw4wzbFxG3B4d
MD5:	F61F0D4D0F968D5BBA39A84C76277E1A
SHA1:	AA3693EA140ECA418B4B2A30F6A68F6F43B4BEB2
SHA-256:	57147F08949ABABE7DEEF611435AE418475A693E3823769A25C2A39B6EAD9CCC
SHA-512:	6C3BD90F709BCF9151C9ED9FFEA55C4F6883E7FDA2A4E26BF018C83FE1CFBE4F4AA0DB080D6D024070D53B2257472C399C8AC44EEFD38B9445640EFA85D5C487
Malicious:	false
URL:	https://fonts.gstatic.com/s/googlesans/v58/4UaRrENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iq2vgCI.woff2
Preview:	wOF2.......8.....................................^...$..4?HVAR..?MVAR9.`?STAT.',..J/.......`..(..Z.0..R.6.$.... .....K..[..q..c..T.....>.P.j.`.w..#...%......N.".....$..3.0.6......... .L.rX/r[j.y.\|(.4.%#.....2.v.m..-..%.....;-.Y.{..&..O=#l@...k..7g..ZI...#.Z./+T..r7...M..3).Z%.x....s..sL..[A!.51w'/.8V..2Z..%.X.h.o.).]..9..Q`.$.....7..kZ.~O........d..g.n.d.Rw+&....Cz..uy#..fz,(.J....v.%..`..9.....h...?O..:...c%.....6s....xl..#...5..._......1.>.)"U.4 W....?%......6//!$...!.n9C@n...........!""^.....W..Z<.7.x.."UT.T....E.."R>.R..t.....H d..e_.K../.+8.Q.P.ZQ....;...U....]......._.e......71.?.7.ORv.?...l...G\|.P...\|:...I.X..2.,.L........d.g.]}W#uW]QnuP-s.;.-Y.....].......C..j_.M0...y.......J..........NY..@A...,....-.F......'..w./j5g.vUS...U..0.&...y7.LP.....%.....Y......Y..D. e.A..G.?.$.......6...eaK.n5.m...N...,...+BCl..L> .E9~.b[.w.x....6<...}.e...%V....O.......*.?...a..#[eE.4..p..$...].....%......o._......N.._~..El....b..A.0.r8.....\|..D.d..

Chrome Cache Entry: 99

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (570)
Category:	downloaded
Size (bytes):	3467
Entropy (8bit):	5.514745431912774
Encrypted:	false
SSDEEP:	96:ozbld2fNUmeqJNizhNtt1W8t//loyIpXmdVE2w:onSKE8PWe/Cy4X3j
MD5:	8DEF399E8355ABC23E64505281005099
SHA1:	24FF74C3AEFD7696D84FF148465DF4B1B60B1696
SHA-256:	F128D7218E1286B05DF11310AD3C8F4CF781402698E45448850D2A3A22F5F185
SHA-512:	33721DD47658D8E12ADF6BD9E9316EB89F5B6297927F7FD60F954E04B829DCBF0E1AE6DDD9A3401F45E0011AE4B1397B960C218238A3D0F633A2173D8E604082
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBimEQjEH54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,wg1P6b,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlHHHUTOu8QCHKV2CSS4q8_ZgreBVQ/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=Wt6vjf,hhhU8,FCpbqb,WhJNk"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("Wt6vjf");.var cya=function(){var a=_.He();return _.Lj(a,1)},Yt=function(a){this.Da=_.t(a,0,Yt.messageId)};_.J(Yt,_.w);Yt.prototype.Ha=function(){return _.Dj(this,1)};Yt.prototype.Va=function(a){return _.Vj(this,1,a)};Yt.messageId="f.bo";var Zt=function(){_.hm.call(this)};_.J(Zt,_.hm);Zt.prototype.xd=function(){this.CT=!1;dya(this);_.hm.prototype.xd.call(this)};Zt.prototype.aa=function(){eya(this);if(this.wC)return fya(this),!1;if(!this.KV)return $t(this),!0;this.dispatchEvent("p");if(!this.zP)return $t(this),!0;this.wM?(this.dispatchEvent("r"),$t(this)):fya(this);return!1};.var gya=function(a){var b=new _.ap(a.W4);a.qQ!=null&&_.Jn(b,"authuser",a.qQ);return b},fya=function(a){a.wC=!0;var b=gya(a),c="rt=r&f_uid="+_.pk(a.zP);_.cn(b,(0,_.bg)(a.ea,a),"POST",c)};.Zt.prototype.ea=function(a){a=a.target;eya(this);if(_.fn(a)){this.cK=0;if(this.wM)this.wC=!1,this.dispatchEvent("r"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.582446404075305
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	918'528 bytes
MD5:	ba024037d5ff82bc4506eb3ad4b4bb11
SHA1:	7f5f753d55c346bda9304c3803adab6d2e691bce
SHA256:	600b3835565b5740ced26e3d59b10fce5499c58733b295f6d2683e5166f9fa81
SHA512:	38de539221f6277c245fe1313f5fb98ea12dd3abaf7f3c0e2d81b795c9e718b59fcdb8589a5ded09a6a8587d1d1fd6179d1c03e8a7567a412bd3e7343eca78ee
SSDEEP:	12288:OqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgatTf:OqDEvCTbMWu7rQYlBQcBiT6rprG8apf
TLSH:	66159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FD6D3D [Wed Oct 2 15:56:45 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FA6A8FD9673h
jmp 00007FA6A8FD8F7Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FA6A8FD915Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FA6A8FD912Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FA6A8FDBD1Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FA6A8FDBD68h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FA6A8FDBD51h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9958	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9958	0x9a00	031afcae4053544fbeb5c964ff618848	False	0.30420556006493504	data	5.278143191960508	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xc20	data			1.0035438144329898
RT_GROUP_ICON	0xdd3d8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd450	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd464	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd478	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd48c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd568	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 18:31:43.629160881 CEST	49674	443	192.168.2.5	23.1.237.91
Oct 2, 2024 18:31:43.629170895 CEST	49675	443	192.168.2.5	23.1.237.91
Oct 2, 2024 18:31:43.722909927 CEST	49673	443	192.168.2.5	23.1.237.91
Oct 2, 2024 18:31:51.143563986 CEST	49708	443	192.168.2.5	142.250.186.78
Oct 2, 2024 18:31:51.143630028 CEST	443	49708	142.250.186.78	192.168.2.5
Oct 2, 2024 18:31:51.143704891 CEST	49708	443	192.168.2.5	142.250.186.78
Oct 2, 2024 18:31:51.144460917 CEST	49708	443	192.168.2.5	142.250.186.78
Oct 2, 2024 18:31:51.144500017 CEST	443	49708	142.250.186.78	192.168.2.5
Oct 2, 2024 18:31:51.841164112 CEST	443	49708	142.250.186.78	192.168.2.5
Oct 2, 2024 18:31:51.841414928 CEST	49708	443	192.168.2.5	142.250.186.78
Oct 2, 2024 18:31:51.841433048 CEST	443	49708	142.250.186.78	192.168.2.5
Oct 2, 2024 18:31:51.842207909 CEST	443	49708	142.250.186.78	192.168.2.5
Oct 2, 2024 18:31:51.842286110 CEST	49708	443	192.168.2.5	142.250.186.78
Oct 2, 2024 18:31:51.843214989 CEST	443	49708	142.250.186.78	192.168.2.5
Oct 2, 2024 18:31:51.843278885 CEST	49708	443	192.168.2.5	142.250.186.78
Oct 2, 2024 18:31:51.844101906 CEST	49708	443	192.168.2.5	142.250.186.78
Oct 2, 2024 18:31:51.844186068 CEST	443	49708	142.250.186.78	192.168.2.5
Oct 2, 2024 18:31:51.844312906 CEST	49708	443	192.168.2.5	142.250.186.78
Oct 2, 2024 18:31:51.844324112 CEST	443	49708	142.250.186.78	192.168.2.5
Oct 2, 2024 18:31:51.887528896 CEST	49708	443	192.168.2.5	142.250.186.78
Oct 2, 2024 18:31:52.124063969 CEST	443	49708	142.250.186.78	192.168.2.5
Oct 2, 2024 18:31:52.124165058 CEST	49708	443	192.168.2.5	142.250.186.78
Oct 2, 2024 18:31:52.124521017 CEST	443	49708	142.250.186.78	192.168.2.5
Oct 2, 2024 18:31:52.124598980 CEST	443	49708	142.250.186.78	192.168.2.5
Oct 2, 2024 18:31:52.124692917 CEST	49708	443	192.168.2.5	142.250.186.78
Oct 2, 2024 18:31:52.126306057 CEST	49708	443	192.168.2.5	142.250.186.78
Oct 2, 2024 18:31:52.126322985 CEST	443	49708	142.250.186.78	192.168.2.5
Oct 2, 2024 18:31:52.147452116 CEST	49711	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:31:52.147516966 CEST	443	49711	172.217.18.14	192.168.2.5
Oct 2, 2024 18:31:52.147744894 CEST	49711	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:31:52.147922993 CEST	49711	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:31:52.147955894 CEST	443	49711	172.217.18.14	192.168.2.5
Oct 2, 2024 18:31:52.910650015 CEST	443	49711	172.217.18.14	192.168.2.5
Oct 2, 2024 18:31:52.912177086 CEST	49711	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:31:52.912189960 CEST	443	49711	172.217.18.14	192.168.2.5
Oct 2, 2024 18:31:52.912498951 CEST	443	49711	172.217.18.14	192.168.2.5
Oct 2, 2024 18:31:52.912554026 CEST	49711	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:31:52.913037062 CEST	443	49711	172.217.18.14	192.168.2.5
Oct 2, 2024 18:31:52.913105965 CEST	49711	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:31:52.929388046 CEST	49711	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:31:52.929438114 CEST	443	49711	172.217.18.14	192.168.2.5
Oct 2, 2024 18:31:52.931482077 CEST	49711	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:31:52.931489944 CEST	443	49711	172.217.18.14	192.168.2.5
Oct 2, 2024 18:31:52.981241941 CEST	49711	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:31:53.219769001 CEST	443	49711	172.217.18.14	192.168.2.5
Oct 2, 2024 18:31:53.219794989 CEST	443	49711	172.217.18.14	192.168.2.5
Oct 2, 2024 18:31:53.219841957 CEST	49711	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:31:53.219855070 CEST	443	49711	172.217.18.14	192.168.2.5
Oct 2, 2024 18:31:53.222477913 CEST	443	49711	172.217.18.14	192.168.2.5
Oct 2, 2024 18:31:53.222523928 CEST	49711	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:31:53.229096889 CEST	49711	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:31:53.229115009 CEST	443	49711	172.217.18.14	192.168.2.5
Oct 2, 2024 18:31:53.229129076 CEST	49711	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:31:53.229159117 CEST	49711	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:31:53.231251001 CEST	49675	443	192.168.2.5	23.1.237.91
Oct 2, 2024 18:31:53.231317997 CEST	49674	443	192.168.2.5	23.1.237.91
Oct 2, 2024 18:31:53.325000048 CEST	49673	443	192.168.2.5	23.1.237.91
Oct 2, 2024 18:31:55.003292084 CEST	443	49703	23.1.237.91	192.168.2.5
Oct 2, 2024 18:31:55.003400087 CEST	49703	443	192.168.2.5	23.1.237.91
Oct 2, 2024 18:31:55.950005054 CEST	49718	443	192.168.2.5	216.58.206.36
Oct 2, 2024 18:31:55.950035095 CEST	443	49718	216.58.206.36	192.168.2.5
Oct 2, 2024 18:31:55.950160027 CEST	49718	443	192.168.2.5	216.58.206.36
Oct 2, 2024 18:31:55.950289011 CEST	49718	443	192.168.2.5	216.58.206.36
Oct 2, 2024 18:31:55.950299978 CEST	443	49718	216.58.206.36	192.168.2.5
Oct 2, 2024 18:31:55.952961922 CEST	49719	443	192.168.2.5	184.28.90.27
Oct 2, 2024 18:31:55.953023911 CEST	443	49719	184.28.90.27	192.168.2.5
Oct 2, 2024 18:31:55.953107119 CEST	49719	443	192.168.2.5	184.28.90.27
Oct 2, 2024 18:31:55.955110073 CEST	49719	443	192.168.2.5	184.28.90.27
Oct 2, 2024 18:31:55.955121994 CEST	443	49719	184.28.90.27	192.168.2.5
Oct 2, 2024 18:31:56.627108097 CEST	443	49718	216.58.206.36	192.168.2.5
Oct 2, 2024 18:31:56.627307892 CEST	49718	443	192.168.2.5	216.58.206.36
Oct 2, 2024 18:31:56.627335072 CEST	443	49718	216.58.206.36	192.168.2.5
Oct 2, 2024 18:31:56.628195047 CEST	443	49718	216.58.206.36	192.168.2.5
Oct 2, 2024 18:31:56.628273010 CEST	49718	443	192.168.2.5	216.58.206.36
Oct 2, 2024 18:31:56.629053116 CEST	443	49719	184.28.90.27	192.168.2.5
Oct 2, 2024 18:31:56.629137993 CEST	49719	443	192.168.2.5	184.28.90.27
Oct 2, 2024 18:31:56.629422903 CEST	49718	443	192.168.2.5	216.58.206.36
Oct 2, 2024 18:31:56.629481077 CEST	443	49718	216.58.206.36	192.168.2.5
Oct 2, 2024 18:31:56.632546902 CEST	49719	443	192.168.2.5	184.28.90.27
Oct 2, 2024 18:31:56.632574081 CEST	443	49719	184.28.90.27	192.168.2.5
Oct 2, 2024 18:31:56.632952929 CEST	443	49719	184.28.90.27	192.168.2.5
Oct 2, 2024 18:31:56.684289932 CEST	49718	443	192.168.2.5	216.58.206.36
Oct 2, 2024 18:31:56.684298992 CEST	443	49718	216.58.206.36	192.168.2.5
Oct 2, 2024 18:31:56.684325933 CEST	49719	443	192.168.2.5	184.28.90.27
Oct 2, 2024 18:31:56.691859007 CEST	49719	443	192.168.2.5	184.28.90.27
Oct 2, 2024 18:31:56.731184959 CEST	49718	443	192.168.2.5	216.58.206.36
Oct 2, 2024 18:31:56.739403009 CEST	443	49719	184.28.90.27	192.168.2.5
Oct 2, 2024 18:31:56.904184103 CEST	443	49719	184.28.90.27	192.168.2.5
Oct 2, 2024 18:31:56.904253960 CEST	443	49719	184.28.90.27	192.168.2.5
Oct 2, 2024 18:31:56.904314995 CEST	49719	443	192.168.2.5	184.28.90.27
Oct 2, 2024 18:31:56.907545090 CEST	49719	443	192.168.2.5	184.28.90.27
Oct 2, 2024 18:31:56.907561064 CEST	443	49719	184.28.90.27	192.168.2.5
Oct 2, 2024 18:31:56.907576084 CEST	49719	443	192.168.2.5	184.28.90.27
Oct 2, 2024 18:31:56.907584906 CEST	443	49719	184.28.90.27	192.168.2.5
Oct 2, 2024 18:31:56.970442057 CEST	49721	443	192.168.2.5	184.28.90.27
Oct 2, 2024 18:31:56.970530987 CEST	443	49721	184.28.90.27	192.168.2.5
Oct 2, 2024 18:31:56.970628023 CEST	49721	443	192.168.2.5	184.28.90.27
Oct 2, 2024 18:31:56.971118927 CEST	49721	443	192.168.2.5	184.28.90.27
Oct 2, 2024 18:31:56.971154928 CEST	443	49721	184.28.90.27	192.168.2.5
Oct 2, 2024 18:31:57.722528934 CEST	443	49721	184.28.90.27	192.168.2.5
Oct 2, 2024 18:31:57.722599983 CEST	49721	443	192.168.2.5	184.28.90.27
Oct 2, 2024 18:31:57.938231945 CEST	49721	443	192.168.2.5	184.28.90.27
Oct 2, 2024 18:31:57.938307047 CEST	443	49721	184.28.90.27	192.168.2.5
Oct 2, 2024 18:31:57.938648939 CEST	443	49721	184.28.90.27	192.168.2.5
Oct 2, 2024 18:31:57.941066980 CEST	49721	443	192.168.2.5	184.28.90.27
Oct 2, 2024 18:31:57.987405062 CEST	443	49721	184.28.90.27	192.168.2.5
Oct 2, 2024 18:31:58.128360987 CEST	443	49721	184.28.90.27	192.168.2.5
Oct 2, 2024 18:31:58.128464937 CEST	443	49721	184.28.90.27	192.168.2.5
Oct 2, 2024 18:31:58.128537893 CEST	49721	443	192.168.2.5	184.28.90.27
Oct 2, 2024 18:31:58.129268885 CEST	49721	443	192.168.2.5	184.28.90.27
Oct 2, 2024 18:31:58.129270077 CEST	49721	443	192.168.2.5	184.28.90.27
Oct 2, 2024 18:31:58.129304886 CEST	443	49721	184.28.90.27	192.168.2.5
Oct 2, 2024 18:31:58.129332066 CEST	443	49721	184.28.90.27	192.168.2.5
Oct 2, 2024 18:32:01.108676910 CEST	49735	443	192.168.2.5	142.250.185.142
Oct 2, 2024 18:32:01.108704090 CEST	443	49735	142.250.185.142	192.168.2.5
Oct 2, 2024 18:32:01.108772993 CEST	49735	443	192.168.2.5	142.250.185.142
Oct 2, 2024 18:32:01.109884977 CEST	49735	443	192.168.2.5	142.250.185.142
Oct 2, 2024 18:32:01.109899998 CEST	443	49735	142.250.185.142	192.168.2.5
Oct 2, 2024 18:32:02.041991949 CEST	443	49735	142.250.185.142	192.168.2.5
Oct 2, 2024 18:32:02.042260885 CEST	49735	443	192.168.2.5	142.250.185.142
Oct 2, 2024 18:32:02.042279959 CEST	443	49735	142.250.185.142	192.168.2.5
Oct 2, 2024 18:32:02.042996883 CEST	443	49735	142.250.185.142	192.168.2.5
Oct 2, 2024 18:32:02.043067932 CEST	49735	443	192.168.2.5	142.250.185.142
Oct 2, 2024 18:32:02.044008017 CEST	443	49735	142.250.185.142	192.168.2.5
Oct 2, 2024 18:32:02.044091940 CEST	49735	443	192.168.2.5	142.250.185.142
Oct 2, 2024 18:32:02.045941114 CEST	49735	443	192.168.2.5	142.250.185.142
Oct 2, 2024 18:32:02.046021938 CEST	443	49735	142.250.185.142	192.168.2.5
Oct 2, 2024 18:32:02.046130896 CEST	49735	443	192.168.2.5	142.250.185.142
Oct 2, 2024 18:32:02.091337919 CEST	49735	443	192.168.2.5	142.250.185.142
Oct 2, 2024 18:32:02.091348886 CEST	443	49735	142.250.185.142	192.168.2.5
Oct 2, 2024 18:32:02.137998104 CEST	49735	443	192.168.2.5	142.250.185.142
Oct 2, 2024 18:32:02.336344957 CEST	49737	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:02.336388111 CEST	443	49737	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:02.336481094 CEST	49737	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:02.336705923 CEST	49737	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:02.336724997 CEST	443	49737	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:02.376349926 CEST	49738	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:02.376369953 CEST	443	49738	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:02.377301931 CEST	49738	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:02.377715111 CEST	49738	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:02.377731085 CEST	443	49738	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:02.380157948 CEST	443	49735	142.250.185.142	192.168.2.5
Oct 2, 2024 18:32:02.380703926 CEST	443	49735	142.250.185.142	192.168.2.5
Oct 2, 2024 18:32:02.380745888 CEST	443	49735	142.250.185.142	192.168.2.5
Oct 2, 2024 18:32:02.380774975 CEST	49735	443	192.168.2.5	142.250.185.142
Oct 2, 2024 18:32:02.380804062 CEST	443	49735	142.250.185.142	192.168.2.5
Oct 2, 2024 18:32:02.380831957 CEST	49735	443	192.168.2.5	142.250.185.142
Oct 2, 2024 18:32:02.381522894 CEST	443	49735	142.250.185.142	192.168.2.5
Oct 2, 2024 18:32:02.381655931 CEST	49735	443	192.168.2.5	142.250.185.142
Oct 2, 2024 18:32:02.381671906 CEST	443	49735	142.250.185.142	192.168.2.5
Oct 2, 2024 18:32:02.386962891 CEST	443	49735	142.250.185.142	192.168.2.5
Oct 2, 2024 18:32:02.387115955 CEST	443	49735	142.250.185.142	192.168.2.5
Oct 2, 2024 18:32:02.387216091 CEST	49735	443	192.168.2.5	142.250.185.142
Oct 2, 2024 18:32:02.387238026 CEST	443	49735	142.250.185.142	192.168.2.5
Oct 2, 2024 18:32:02.390094042 CEST	49735	443	192.168.2.5	142.250.185.142
Oct 2, 2024 18:32:02.392476082 CEST	443	49735	142.250.185.142	192.168.2.5
Oct 2, 2024 18:32:02.392571926 CEST	49735	443	192.168.2.5	142.250.185.142
Oct 2, 2024 18:32:02.398072958 CEST	443	49735	142.250.185.142	192.168.2.5
Oct 2, 2024 18:32:02.398116112 CEST	443	49735	142.250.185.142	192.168.2.5
Oct 2, 2024 18:32:02.398180008 CEST	49735	443	192.168.2.5	142.250.185.142
Oct 2, 2024 18:32:02.398189068 CEST	443	49735	142.250.185.142	192.168.2.5
Oct 2, 2024 18:32:02.398236990 CEST	49735	443	192.168.2.5	142.250.185.142
Oct 2, 2024 18:32:02.464807987 CEST	443	49735	142.250.185.142	192.168.2.5
Oct 2, 2024 18:32:02.464854956 CEST	443	49735	142.250.185.142	192.168.2.5
Oct 2, 2024 18:32:02.464904070 CEST	49735	443	192.168.2.5	142.250.185.142
Oct 2, 2024 18:32:02.464930058 CEST	443	49735	142.250.185.142	192.168.2.5
Oct 2, 2024 18:32:02.465086937 CEST	49735	443	192.168.2.5	142.250.185.142
Oct 2, 2024 18:32:02.465375900 CEST	443	49735	142.250.185.142	192.168.2.5
Oct 2, 2024 18:32:02.465487003 CEST	49735	443	192.168.2.5	142.250.185.142
Oct 2, 2024 18:32:02.469646931 CEST	443	49735	142.250.185.142	192.168.2.5
Oct 2, 2024 18:32:02.469739914 CEST	443	49735	142.250.185.142	192.168.2.5
Oct 2, 2024 18:32:02.469749928 CEST	49735	443	192.168.2.5	142.250.185.142
Oct 2, 2024 18:32:02.469769001 CEST	443	49735	142.250.185.142	192.168.2.5
Oct 2, 2024 18:32:02.469835997 CEST	49735	443	192.168.2.5	142.250.185.142
Oct 2, 2024 18:32:02.476147890 CEST	443	49735	142.250.185.142	192.168.2.5
Oct 2, 2024 18:32:02.476237059 CEST	49735	443	192.168.2.5	142.250.185.142
Oct 2, 2024 18:32:02.481488943 CEST	443	49735	142.250.185.142	192.168.2.5
Oct 2, 2024 18:32:02.481561899 CEST	49735	443	192.168.2.5	142.250.185.142
Oct 2, 2024 18:32:02.481595039 CEST	443	49735	142.250.185.142	192.168.2.5
Oct 2, 2024 18:32:02.488156080 CEST	443	49735	142.250.185.142	192.168.2.5
Oct 2, 2024 18:32:02.488254070 CEST	49735	443	192.168.2.5	142.250.185.142
Oct 2, 2024 18:32:02.488265991 CEST	443	49735	142.250.185.142	192.168.2.5
Oct 2, 2024 18:32:02.494344950 CEST	443	49735	142.250.185.142	192.168.2.5
Oct 2, 2024 18:32:02.494679928 CEST	443	49735	142.250.185.142	192.168.2.5
Oct 2, 2024 18:32:02.494755030 CEST	49735	443	192.168.2.5	142.250.185.142
Oct 2, 2024 18:32:02.494954109 CEST	49735	443	192.168.2.5	142.250.185.142
Oct 2, 2024 18:32:02.494968891 CEST	443	49735	142.250.185.142	192.168.2.5
Oct 2, 2024 18:32:03.001933098 CEST	443	49737	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:03.025084019 CEST	49737	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:03.025099993 CEST	443	49737	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:03.025463104 CEST	443	49737	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:03.025522947 CEST	49737	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:03.026074886 CEST	443	49737	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:03.026134968 CEST	49737	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:03.029427052 CEST	49737	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:03.029484987 CEST	443	49737	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:03.032326937 CEST	49737	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:03.032335997 CEST	443	49737	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:03.034158945 CEST	443	49738	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:03.047508001 CEST	49738	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:03.047518015 CEST	443	49738	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:03.048047066 CEST	443	49738	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:03.048113108 CEST	49738	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:03.049051046 CEST	443	49738	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:03.049110889 CEST	49738	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:03.049417973 CEST	49738	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:03.049518108 CEST	443	49738	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:03.050710917 CEST	49738	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:03.050719976 CEST	443	49738	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:03.074928045 CEST	49737	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:03.092462063 CEST	49738	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:03.304104090 CEST	443	49737	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:03.304234028 CEST	443	49737	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:03.304295063 CEST	49737	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:03.304781914 CEST	49737	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:03.304800034 CEST	443	49737	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:03.304815054 CEST	49737	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:03.304862976 CEST	49737	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:03.306073904 CEST	49742	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:03.306112051 CEST	443	49742	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:03.306184053 CEST	49742	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:03.306750059 CEST	49742	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:03.306766033 CEST	443	49742	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:03.341958046 CEST	443	49738	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:03.342179060 CEST	443	49738	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:03.342255116 CEST	49738	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:03.346822023 CEST	49738	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:03.346832991 CEST	443	49738	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:03.348000050 CEST	49743	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:03.348047972 CEST	443	49743	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:03.348128080 CEST	49743	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:03.349205017 CEST	49743	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:03.349220991 CEST	443	49743	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:03.749697924 CEST	49746	443	192.168.2.5	20.12.23.50
Oct 2, 2024 18:32:03.749749899 CEST	443	49746	20.12.23.50	192.168.2.5
Oct 2, 2024 18:32:03.749840021 CEST	49746	443	192.168.2.5	20.12.23.50
Oct 2, 2024 18:32:03.750937939 CEST	49746	443	192.168.2.5	20.12.23.50
Oct 2, 2024 18:32:03.750969887 CEST	443	49746	20.12.23.50	192.168.2.5
Oct 2, 2024 18:32:03.951637983 CEST	443	49742	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:03.951889038 CEST	49742	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:03.951900959 CEST	443	49742	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:03.952435017 CEST	443	49742	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:03.952510118 CEST	49742	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:03.953438044 CEST	443	49742	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:03.953500986 CEST	49742	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:03.953640938 CEST	49742	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:03.953716993 CEST	443	49742	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:03.953788996 CEST	49742	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:03.953813076 CEST	49742	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:03.953933954 CEST	443	49742	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:03.997407913 CEST	49742	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:03.997416019 CEST	443	49742	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:04.016752958 CEST	443	49743	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:04.016959906 CEST	49743	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:04.017025948 CEST	443	49743	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:04.017560005 CEST	443	49743	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:04.017632961 CEST	49743	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:04.018556118 CEST	443	49743	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:04.018615961 CEST	49743	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:04.018726110 CEST	49743	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:04.018810034 CEST	443	49743	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:04.018867970 CEST	49743	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:04.018868923 CEST	49743	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:04.018906116 CEST	443	49743	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:04.044359922 CEST	49742	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:04.059988022 CEST	49743	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:04.060010910 CEST	443	49743	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:04.106790066 CEST	49743	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:04.168935061 CEST	443	49742	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:04.169848919 CEST	443	49742	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:04.170023918 CEST	49742	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:04.170726061 CEST	49742	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:04.170749903 CEST	443	49742	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:04.240448952 CEST	443	49743	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:04.242460966 CEST	443	49743	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:04.242645025 CEST	49743	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:04.243344069 CEST	49743	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:04.243376970 CEST	443	49743	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:04.286303997 CEST	49718	443	192.168.2.5	216.58.206.36
Oct 2, 2024 18:32:04.331403971 CEST	443	49718	216.58.206.36	192.168.2.5
Oct 2, 2024 18:32:04.339831114 CEST	443	49746	20.12.23.50	192.168.2.5
Oct 2, 2024 18:32:04.339965105 CEST	49746	443	192.168.2.5	20.12.23.50
Oct 2, 2024 18:32:04.343198061 CEST	49746	443	192.168.2.5	20.12.23.50
Oct 2, 2024 18:32:04.343209982 CEST	443	49746	20.12.23.50	192.168.2.5
Oct 2, 2024 18:32:04.343592882 CEST	443	49746	20.12.23.50	192.168.2.5
Oct 2, 2024 18:32:04.388009071 CEST	49746	443	192.168.2.5	20.12.23.50
Oct 2, 2024 18:32:04.560461044 CEST	443	49718	216.58.206.36	192.168.2.5
Oct 2, 2024 18:32:04.560621023 CEST	443	49718	216.58.206.36	192.168.2.5
Oct 2, 2024 18:32:04.560678959 CEST	49718	443	192.168.2.5	216.58.206.36
Oct 2, 2024 18:32:04.560699940 CEST	443	49718	216.58.206.36	192.168.2.5
Oct 2, 2024 18:32:04.560779095 CEST	443	49718	216.58.206.36	192.168.2.5
Oct 2, 2024 18:32:04.560873032 CEST	49718	443	192.168.2.5	216.58.206.36
Oct 2, 2024 18:32:04.560880899 CEST	443	49718	216.58.206.36	192.168.2.5
Oct 2, 2024 18:32:04.561045885 CEST	443	49718	216.58.206.36	192.168.2.5
Oct 2, 2024 18:32:04.561100960 CEST	49718	443	192.168.2.5	216.58.206.36
Oct 2, 2024 18:32:04.562309027 CEST	49718	443	192.168.2.5	216.58.206.36
Oct 2, 2024 18:32:04.562320948 CEST	443	49718	216.58.206.36	192.168.2.5
Oct 2, 2024 18:32:05.135974884 CEST	49746	443	192.168.2.5	20.12.23.50
Oct 2, 2024 18:32:05.183401108 CEST	443	49746	20.12.23.50	192.168.2.5
Oct 2, 2024 18:32:05.618663073 CEST	443	49746	20.12.23.50	192.168.2.5
Oct 2, 2024 18:32:05.618690968 CEST	443	49746	20.12.23.50	192.168.2.5
Oct 2, 2024 18:32:05.618700981 CEST	443	49746	20.12.23.50	192.168.2.5
Oct 2, 2024 18:32:05.618721008 CEST	443	49746	20.12.23.50	192.168.2.5
Oct 2, 2024 18:32:05.618758917 CEST	49746	443	192.168.2.5	20.12.23.50
Oct 2, 2024 18:32:05.618766069 CEST	443	49746	20.12.23.50	192.168.2.5
Oct 2, 2024 18:32:05.618804932 CEST	443	49746	20.12.23.50	192.168.2.5
Oct 2, 2024 18:32:05.618837118 CEST	49746	443	192.168.2.5	20.12.23.50
Oct 2, 2024 18:32:05.618837118 CEST	49746	443	192.168.2.5	20.12.23.50
Oct 2, 2024 18:32:05.618864059 CEST	49746	443	192.168.2.5	20.12.23.50
Oct 2, 2024 18:32:05.619069099 CEST	443	49746	20.12.23.50	192.168.2.5
Oct 2, 2024 18:32:05.619132042 CEST	49746	443	192.168.2.5	20.12.23.50
Oct 2, 2024 18:32:05.619147062 CEST	443	49746	20.12.23.50	192.168.2.5
Oct 2, 2024 18:32:05.619184017 CEST	443	49746	20.12.23.50	192.168.2.5
Oct 2, 2024 18:32:05.619234085 CEST	49746	443	192.168.2.5	20.12.23.50
Oct 2, 2024 18:32:05.634417057 CEST	49703	443	192.168.2.5	23.1.237.91
Oct 2, 2024 18:32:05.634521961 CEST	49703	443	192.168.2.5	23.1.237.91
Oct 2, 2024 18:32:05.634907961 CEST	49754	443	192.168.2.5	23.1.237.91
Oct 2, 2024 18:32:05.634944916 CEST	443	49754	23.1.237.91	192.168.2.5
Oct 2, 2024 18:32:05.635014057 CEST	49754	443	192.168.2.5	23.1.237.91
Oct 2, 2024 18:32:05.635310888 CEST	49754	443	192.168.2.5	23.1.237.91
Oct 2, 2024 18:32:05.635327101 CEST	443	49754	23.1.237.91	192.168.2.5
Oct 2, 2024 18:32:05.639632940 CEST	443	49703	23.1.237.91	192.168.2.5
Oct 2, 2024 18:32:05.639759064 CEST	443	49703	23.1.237.91	192.168.2.5
Oct 2, 2024 18:32:06.420882940 CEST	443	49754	23.1.237.91	192.168.2.5
Oct 2, 2024 18:32:06.420979023 CEST	49754	443	192.168.2.5	23.1.237.91
Oct 2, 2024 18:32:06.428570986 CEST	49746	443	192.168.2.5	20.12.23.50
Oct 2, 2024 18:32:06.428611994 CEST	443	49746	20.12.23.50	192.168.2.5
Oct 2, 2024 18:32:06.428641081 CEST	49746	443	192.168.2.5	20.12.23.50
Oct 2, 2024 18:32:06.428658009 CEST	443	49746	20.12.23.50	192.168.2.5
Oct 2, 2024 18:32:09.721374989 CEST	49757	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:09.721401930 CEST	443	49757	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:09.721468925 CEST	49757	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:09.721869946 CEST	49757	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:09.721880913 CEST	443	49757	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:10.385979891 CEST	443	49757	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:10.433768034 CEST	49757	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:10.494510889 CEST	49757	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:10.494525909 CEST	443	49757	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:10.495043993 CEST	443	49757	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:10.517858982 CEST	49757	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:10.517910957 CEST	443	49757	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:10.521864891 CEST	49757	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:10.521864891 CEST	49757	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:10.521902084 CEST	443	49757	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:10.854343891 CEST	443	49757	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:10.855042934 CEST	443	49757	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:10.855104923 CEST	49757	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:10.856271982 CEST	49757	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:10.856285095 CEST	443	49757	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:25.585424900 CEST	443	49754	23.1.237.91	192.168.2.5
Oct 2, 2024 18:32:25.585513115 CEST	49754	443	192.168.2.5	23.1.237.91
Oct 2, 2024 18:32:33.250423908 CEST	49758	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:33.250451088 CEST	443	49758	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:33.250521898 CEST	49758	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:33.250854015 CEST	49758	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:33.250863075 CEST	443	49758	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:33.379420042 CEST	49759	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:33.379472017 CEST	443	49759	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:33.379532099 CEST	49759	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:33.379940033 CEST	49759	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:33.379959106 CEST	443	49759	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:33.911451101 CEST	443	49758	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:33.911744118 CEST	49758	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:33.911757946 CEST	443	49758	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:33.912878036 CEST	443	49758	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:33.913156986 CEST	49758	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:33.913222075 CEST	443	49758	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:33.913316965 CEST	49758	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:33.913331032 CEST	49758	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:33.913345098 CEST	443	49758	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:33.965925932 CEST	49758	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:34.022902012 CEST	443	49759	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:34.027404070 CEST	49759	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:34.027415037 CEST	443	49759	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:34.027935028 CEST	443	49759	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:34.028475046 CEST	49759	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:34.028475046 CEST	49759	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:34.028491020 CEST	443	49759	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:34.028556108 CEST	443	49759	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:34.028609037 CEST	49759	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:34.075417042 CEST	443	49759	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:34.075426102 CEST	49759	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:34.214857101 CEST	443	49758	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:34.215646029 CEST	443	49758	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:34.215735912 CEST	49758	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:34.330637932 CEST	443	49759	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:34.330956936 CEST	443	49759	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:34.333363056 CEST	49759	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:34.342978001 CEST	49758	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:34.342998981 CEST	443	49758	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:34.344743013 CEST	49759	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:34.344755888 CEST	443	49759	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:34.938987970 CEST	49760	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:34.939030886 CEST	443	49760	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:34.939100981 CEST	49760	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:34.939423084 CEST	49760	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:34.939440966 CEST	443	49760	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:35.592261076 CEST	443	49760	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:35.592580080 CEST	49760	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:35.592601061 CEST	443	49760	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:35.593102932 CEST	443	49760	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:35.593385935 CEST	49760	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:35.593456984 CEST	443	49760	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:35.593540907 CEST	49760	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:35.593559027 CEST	49760	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:35.593579054 CEST	443	49760	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:35.894790888 CEST	443	49760	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:35.894956112 CEST	443	49760	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:35.895348072 CEST	49760	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:35.895684004 CEST	49760	443	192.168.2.5	172.217.18.14
Oct 2, 2024 18:32:35.895699978 CEST	443	49760	172.217.18.14	192.168.2.5
Oct 2, 2024 18:32:42.771341085 CEST	49761	443	192.168.2.5	20.12.23.50
Oct 2, 2024 18:32:42.771420002 CEST	443	49761	20.12.23.50	192.168.2.5
Oct 2, 2024 18:32:42.771523952 CEST	49761	443	192.168.2.5	20.12.23.50
Oct 2, 2024 18:32:42.772078991 CEST	49761	443	192.168.2.5	20.12.23.50
Oct 2, 2024 18:32:42.772114992 CEST	443	49761	20.12.23.50	192.168.2.5
Oct 2, 2024 18:32:43.362761974 CEST	443	49761	20.12.23.50	192.168.2.5
Oct 2, 2024 18:32:43.362967968 CEST	49761	443	192.168.2.5	20.12.23.50
Oct 2, 2024 18:32:43.368089914 CEST	49761	443	192.168.2.5	20.12.23.50
Oct 2, 2024 18:32:43.368110895 CEST	443	49761	20.12.23.50	192.168.2.5
Oct 2, 2024 18:32:43.368488073 CEST	443	49761	20.12.23.50	192.168.2.5
Oct 2, 2024 18:32:43.382796049 CEST	49761	443	192.168.2.5	20.12.23.50
Oct 2, 2024 18:32:43.423396111 CEST	443	49761	20.12.23.50	192.168.2.5
Oct 2, 2024 18:32:43.580117941 CEST	443	49761	20.12.23.50	192.168.2.5
Oct 2, 2024 18:32:43.580138922 CEST	443	49761	20.12.23.50	192.168.2.5
Oct 2, 2024 18:32:43.580154896 CEST	443	49761	20.12.23.50	192.168.2.5
Oct 2, 2024 18:32:43.580197096 CEST	49761	443	192.168.2.5	20.12.23.50
Oct 2, 2024 18:32:43.580209017 CEST	443	49761	20.12.23.50	192.168.2.5
Oct 2, 2024 18:32:43.580235958 CEST	49761	443	192.168.2.5	20.12.23.50
Oct 2, 2024 18:32:43.580265045 CEST	49761	443	192.168.2.5	20.12.23.50
Oct 2, 2024 18:32:43.581628084 CEST	443	49761	20.12.23.50	192.168.2.5
Oct 2, 2024 18:32:43.581691027 CEST	443	49761	20.12.23.50	192.168.2.5
Oct 2, 2024 18:32:43.581693888 CEST	49761	443	192.168.2.5	20.12.23.50
Oct 2, 2024 18:32:43.581721067 CEST	443	49761	20.12.23.50	192.168.2.5
Oct 2, 2024 18:32:43.581751108 CEST	49761	443	192.168.2.5	20.12.23.50
Oct 2, 2024 18:32:43.581909895 CEST	443	49761	20.12.23.50	192.168.2.5
Oct 2, 2024 18:32:43.581957102 CEST	49761	443	192.168.2.5	20.12.23.50
Oct 2, 2024 18:32:43.588258982 CEST	49761	443	192.168.2.5	20.12.23.50
Oct 2, 2024 18:32:43.588272095 CEST	443	49761	20.12.23.50	192.168.2.5
Oct 2, 2024 18:32:55.654232979 CEST	49763	443	192.168.2.5	216.58.206.36
Oct 2, 2024 18:32:55.654280901 CEST	443	49763	216.58.206.36	192.168.2.5
Oct 2, 2024 18:32:55.654377937 CEST	49763	443	192.168.2.5	216.58.206.36
Oct 2, 2024 18:32:55.654618979 CEST	49763	443	192.168.2.5	216.58.206.36
Oct 2, 2024 18:32:55.654637098 CEST	443	49763	216.58.206.36	192.168.2.5
Oct 2, 2024 18:32:56.307842016 CEST	443	49763	216.58.206.36	192.168.2.5
Oct 2, 2024 18:32:56.308229923 CEST	49763	443	192.168.2.5	216.58.206.36
Oct 2, 2024 18:32:56.308253050 CEST	443	49763	216.58.206.36	192.168.2.5
Oct 2, 2024 18:32:56.308588982 CEST	443	49763	216.58.206.36	192.168.2.5
Oct 2, 2024 18:32:56.308984995 CEST	49763	443	192.168.2.5	216.58.206.36
Oct 2, 2024 18:32:56.309043884 CEST	443	49763	216.58.206.36	192.168.2.5
Oct 2, 2024 18:32:56.357085943 CEST	49763	443	192.168.2.5	216.58.206.36
Oct 2, 2024 18:33:04.946037054 CEST	49765	443	192.168.2.5	216.58.206.46
Oct 2, 2024 18:33:04.946079969 CEST	443	49765	216.58.206.46	192.168.2.5
Oct 2, 2024 18:33:04.946154118 CEST	49765	443	192.168.2.5	216.58.206.46
Oct 2, 2024 18:33:04.946387053 CEST	49765	443	192.168.2.5	216.58.206.46
Oct 2, 2024 18:33:04.946400881 CEST	443	49765	216.58.206.46	192.168.2.5
Oct 2, 2024 18:33:05.583594084 CEST	443	49765	216.58.206.46	192.168.2.5
Oct 2, 2024 18:33:05.584269047 CEST	49765	443	192.168.2.5	216.58.206.46
Oct 2, 2024 18:33:05.584336996 CEST	443	49765	216.58.206.46	192.168.2.5
Oct 2, 2024 18:33:05.584882975 CEST	443	49765	216.58.206.46	192.168.2.5
Oct 2, 2024 18:33:05.585227966 CEST	49765	443	192.168.2.5	216.58.206.46
Oct 2, 2024 18:33:05.585320950 CEST	443	49765	216.58.206.46	192.168.2.5
Oct 2, 2024 18:33:05.585427999 CEST	49765	443	192.168.2.5	216.58.206.46
Oct 2, 2024 18:33:05.586328983 CEST	49765	443	192.168.2.5	216.58.206.46
Oct 2, 2024 18:33:05.586344004 CEST	443	49765	216.58.206.46	192.168.2.5
Oct 2, 2024 18:33:05.883789062 CEST	443	49765	216.58.206.46	192.168.2.5
Oct 2, 2024 18:33:05.884367943 CEST	443	49765	216.58.206.46	192.168.2.5
Oct 2, 2024 18:33:05.884445906 CEST	49765	443	192.168.2.5	216.58.206.46
Oct 2, 2024 18:33:05.884557009 CEST	49765	443	192.168.2.5	216.58.206.46
Oct 2, 2024 18:33:05.884589911 CEST	443	49765	216.58.206.46	192.168.2.5
Oct 2, 2024 18:33:06.209331036 CEST	443	49763	216.58.206.36	192.168.2.5
Oct 2, 2024 18:33:06.209428072 CEST	443	49763	216.58.206.36	192.168.2.5
Oct 2, 2024 18:33:06.209533930 CEST	49763	443	192.168.2.5	216.58.206.36
Oct 2, 2024 18:33:07.062870979 CEST	49763	443	192.168.2.5	216.58.206.36
Oct 2, 2024 18:33:07.062895060 CEST	443	49763	216.58.206.36	192.168.2.5
Oct 2, 2024 18:33:07.063327074 CEST	49767	443	192.168.2.5	216.58.206.46
Oct 2, 2024 18:33:07.063361883 CEST	443	49767	216.58.206.46	192.168.2.5
Oct 2, 2024 18:33:07.063453913 CEST	49767	443	192.168.2.5	216.58.206.46
Oct 2, 2024 18:33:07.063868999 CEST	49767	443	192.168.2.5	216.58.206.46
Oct 2, 2024 18:33:07.063883066 CEST	443	49767	216.58.206.46	192.168.2.5
Oct 2, 2024 18:33:07.739011049 CEST	443	49767	216.58.206.46	192.168.2.5
Oct 2, 2024 18:33:07.739392042 CEST	49767	443	192.168.2.5	216.58.206.46
Oct 2, 2024 18:33:07.739427090 CEST	443	49767	216.58.206.46	192.168.2.5
Oct 2, 2024 18:33:07.739748001 CEST	443	49767	216.58.206.46	192.168.2.5
Oct 2, 2024 18:33:07.740072012 CEST	49767	443	192.168.2.5	216.58.206.46
Oct 2, 2024 18:33:07.740132093 CEST	443	49767	216.58.206.46	192.168.2.5
Oct 2, 2024 18:33:07.740294933 CEST	49767	443	192.168.2.5	216.58.206.46
Oct 2, 2024 18:33:07.740320921 CEST	49767	443	192.168.2.5	216.58.206.46
Oct 2, 2024 18:33:07.740329027 CEST	443	49767	216.58.206.46	192.168.2.5
Oct 2, 2024 18:33:08.042129993 CEST	443	49767	216.58.206.46	192.168.2.5
Oct 2, 2024 18:33:08.042943001 CEST	443	49767	216.58.206.46	192.168.2.5
Oct 2, 2024 18:33:08.043001890 CEST	49767	443	192.168.2.5	216.58.206.46
Oct 2, 2024 18:33:08.043345928 CEST	49767	443	192.168.2.5	216.58.206.46
Oct 2, 2024 18:33:08.043368101 CEST	443	49767	216.58.206.46	192.168.2.5
Oct 2, 2024 18:33:35.782536030 CEST	49769	443	192.168.2.5	216.58.206.46
Oct 2, 2024 18:33:35.782593966 CEST	443	49769	216.58.206.46	192.168.2.5
Oct 2, 2024 18:33:35.782681942 CEST	49769	443	192.168.2.5	216.58.206.46
Oct 2, 2024 18:33:35.782989979 CEST	49769	443	192.168.2.5	216.58.206.46
Oct 2, 2024 18:33:35.783000946 CEST	443	49769	216.58.206.46	192.168.2.5
Oct 2, 2024 18:33:36.417182922 CEST	443	49769	216.58.206.46	192.168.2.5
Oct 2, 2024 18:33:36.417714119 CEST	49769	443	192.168.2.5	216.58.206.46
Oct 2, 2024 18:33:36.417737007 CEST	443	49769	216.58.206.46	192.168.2.5
Oct 2, 2024 18:33:36.418118954 CEST	443	49769	216.58.206.46	192.168.2.5
Oct 2, 2024 18:33:36.418476105 CEST	49769	443	192.168.2.5	216.58.206.46
Oct 2, 2024 18:33:36.418548107 CEST	443	49769	216.58.206.46	192.168.2.5
Oct 2, 2024 18:33:36.418625116 CEST	49769	443	192.168.2.5	216.58.206.46
Oct 2, 2024 18:33:36.418642998 CEST	49769	443	192.168.2.5	216.58.206.46
Oct 2, 2024 18:33:36.418653011 CEST	443	49769	216.58.206.46	192.168.2.5
Oct 2, 2024 18:33:36.715334892 CEST	443	49769	216.58.206.46	192.168.2.5
Oct 2, 2024 18:33:36.716032028 CEST	443	49769	216.58.206.46	192.168.2.5
Oct 2, 2024 18:33:36.716098070 CEST	49769	443	192.168.2.5	216.58.206.46
Oct 2, 2024 18:33:36.716244936 CEST	49769	443	192.168.2.5	216.58.206.46
Oct 2, 2024 18:33:36.716255903 CEST	443	49769	216.58.206.46	192.168.2.5
Oct 2, 2024 18:33:38.469156027 CEST	49770	443	192.168.2.5	216.58.206.46
Oct 2, 2024 18:33:38.469192028 CEST	443	49770	216.58.206.46	192.168.2.5
Oct 2, 2024 18:33:38.469254971 CEST	49770	443	192.168.2.5	216.58.206.46
Oct 2, 2024 18:33:38.469542980 CEST	49770	443	192.168.2.5	216.58.206.46
Oct 2, 2024 18:33:38.469551086 CEST	443	49770	216.58.206.46	192.168.2.5
Oct 2, 2024 18:33:40.066663027 CEST	443	49770	216.58.206.46	192.168.2.5
Oct 2, 2024 18:33:40.067050934 CEST	49770	443	192.168.2.5	216.58.206.46
Oct 2, 2024 18:33:40.067069054 CEST	443	49770	216.58.206.46	192.168.2.5
Oct 2, 2024 18:33:40.067394018 CEST	443	49770	216.58.206.46	192.168.2.5
Oct 2, 2024 18:33:40.067655087 CEST	49770	443	192.168.2.5	216.58.206.46
Oct 2, 2024 18:33:40.067698956 CEST	443	49770	216.58.206.46	192.168.2.5
Oct 2, 2024 18:33:40.067801952 CEST	49770	443	192.168.2.5	216.58.206.46
Oct 2, 2024 18:33:40.067847967 CEST	49770	443	192.168.2.5	216.58.206.46
Oct 2, 2024 18:33:40.067872047 CEST	443	49770	216.58.206.46	192.168.2.5
Oct 2, 2024 18:33:40.381997108 CEST	443	49770	216.58.206.46	192.168.2.5
Oct 2, 2024 18:33:40.382167101 CEST	443	49770	216.58.206.46	192.168.2.5
Oct 2, 2024 18:33:40.382210016 CEST	49770	443	192.168.2.5	216.58.206.46
Oct 2, 2024 18:33:40.382849932 CEST	49770	443	192.168.2.5	216.58.206.46
Oct 2, 2024 18:33:40.382862091 CEST	443	49770	216.58.206.46	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 18:31:51.106010914 CEST	56282	53	192.168.2.5	1.1.1.1
Oct 2, 2024 18:31:51.106198072 CEST	54336	53	192.168.2.5	1.1.1.1
Oct 2, 2024 18:31:51.118868113 CEST	53	56282	1.1.1.1	192.168.2.5
Oct 2, 2024 18:31:51.118882895 CEST	53	54336	1.1.1.1	192.168.2.5
Oct 2, 2024 18:31:51.120218992 CEST	53	58438	1.1.1.1	192.168.2.5
Oct 2, 2024 18:31:51.131599903 CEST	53	65382	1.1.1.1	192.168.2.5
Oct 2, 2024 18:31:52.129360914 CEST	56766	53	192.168.2.5	1.1.1.1
Oct 2, 2024 18:31:52.129360914 CEST	63329	53	192.168.2.5	1.1.1.1
Oct 2, 2024 18:31:52.145823956 CEST	53	56766	1.1.1.1	192.168.2.5
Oct 2, 2024 18:31:52.146946907 CEST	53	63329	1.1.1.1	192.168.2.5
Oct 2, 2024 18:31:52.171689034 CEST	53	60033	1.1.1.1	192.168.2.5
Oct 2, 2024 18:31:55.593036890 CEST	55631	53	192.168.2.5	1.1.1.1
Oct 2, 2024 18:31:55.593184948 CEST	62531	53	192.168.2.5	1.1.1.1
Oct 2, 2024 18:31:55.947361946 CEST	53	62531	1.1.1.1	192.168.2.5
Oct 2, 2024 18:31:55.947781086 CEST	53	58736	1.1.1.1	192.168.2.5
Oct 2, 2024 18:31:55.947935104 CEST	53	55631	1.1.1.1	192.168.2.5
Oct 2, 2024 18:31:58.029647112 CEST	53	55609	1.1.1.1	192.168.2.5
Oct 2, 2024 18:32:01.048572063 CEST	61528	53	192.168.2.5	1.1.1.1
Oct 2, 2024 18:32:01.048715115 CEST	53975	53	192.168.2.5	1.1.1.1
Oct 2, 2024 18:32:01.058756113 CEST	53	61528	1.1.1.1	192.168.2.5
Oct 2, 2024 18:32:01.059370995 CEST	53	53975	1.1.1.1	192.168.2.5
Oct 2, 2024 18:32:02.297858000 CEST	49849	53	192.168.2.5	1.1.1.1
Oct 2, 2024 18:32:02.298152924 CEST	64748	53	192.168.2.5	1.1.1.1
Oct 2, 2024 18:32:02.307435989 CEST	53	49849	1.1.1.1	192.168.2.5
Oct 2, 2024 18:32:02.309643984 CEST	53	64748	1.1.1.1	192.168.2.5
Oct 2, 2024 18:32:09.138940096 CEST	53	54707	1.1.1.1	192.168.2.5
Oct 2, 2024 18:32:28.026700020 CEST	53	50004	1.1.1.1	192.168.2.5
Oct 2, 2024 18:32:50.773643970 CEST	53	51443	1.1.1.1	192.168.2.5
Oct 2, 2024 18:32:50.978645086 CEST	53	52090	1.1.1.1	192.168.2.5
Oct 2, 2024 18:33:02.744211912 CEST	53	55220	1.1.1.1	192.168.2.5
Oct 2, 2024 18:33:04.937859058 CEST	50788	53	192.168.2.5	1.1.1.1
Oct 2, 2024 18:33:04.937990904 CEST	52778	53	192.168.2.5	1.1.1.1
Oct 2, 2024 18:33:04.945281029 CEST	53	52778	1.1.1.1	192.168.2.5
Oct 2, 2024 18:33:04.945328951 CEST	53	50788	1.1.1.1	192.168.2.5
Oct 2, 2024 18:33:19.016582966 CEST	53	62083	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 2, 2024 18:31:51.106010914 CEST	192.168.2.5	1.1.1.1	0x9ca	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:31:51.106198072 CEST	192.168.2.5	1.1.1.1	0x89ad	Standard query (0)	youtube.com	65	IN (0x0001)	false
Oct 2, 2024 18:31:52.129360914 CEST	192.168.2.5	1.1.1.1	0x82a8	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:31:52.129360914 CEST	192.168.2.5	1.1.1.1	0x27ee	Standard query (0)	www.youtube.com	65	IN (0x0001)	false
Oct 2, 2024 18:31:55.593036890 CEST	192.168.2.5	1.1.1.1	0xe282	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:31:55.593184948 CEST	192.168.2.5	1.1.1.1	0xad71	Standard query (0)	www.google.com	65	IN (0x0001)	false
Oct 2, 2024 18:32:01.048572063 CEST	192.168.2.5	1.1.1.1	0x5ed	Standard query (0)	accounts.youtube.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:32:01.048715115 CEST	192.168.2.5	1.1.1.1	0xf394	Standard query (0)	accounts.youtube.com	65	IN (0x0001)	false
Oct 2, 2024 18:32:02.297858000 CEST	192.168.2.5	1.1.1.1	0x71de	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:32:02.298152924 CEST	192.168.2.5	1.1.1.1	0xf24d	Standard query (0)	play.google.com	65	IN (0x0001)	false
Oct 2, 2024 18:33:04.937859058 CEST	192.168.2.5	1.1.1.1	0xf8d8	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:33:04.937990904 CEST	192.168.2.5	1.1.1.1	0x6052	Standard query (0)	play.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 2, 2024 18:31:51.118868113 CEST	1.1.1.1	192.168.2.5	0x9ca	No error (0)	youtube.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:31:51.118882895 CEST	1.1.1.1	192.168.2.5	0x89ad	No error (0)	youtube.com			65	IN (0x0001)	false
Oct 2, 2024 18:31:52.145823956 CEST	1.1.1.1	192.168.2.5	0x82a8	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 18:31:52.145823956 CEST	1.1.1.1	192.168.2.5	0x82a8	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:31:52.145823956 CEST	1.1.1.1	192.168.2.5	0x82a8	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:31:52.145823956 CEST	1.1.1.1	192.168.2.5	0x82a8	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:31:52.145823956 CEST	1.1.1.1	192.168.2.5	0x82a8	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:31:52.145823956 CEST	1.1.1.1	192.168.2.5	0x82a8	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:31:52.145823956 CEST	1.1.1.1	192.168.2.5	0x82a8	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:31:52.145823956 CEST	1.1.1.1	192.168.2.5	0x82a8	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:31:52.145823956 CEST	1.1.1.1	192.168.2.5	0x82a8	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:31:52.145823956 CEST	1.1.1.1	192.168.2.5	0x82a8	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:31:52.145823956 CEST	1.1.1.1	192.168.2.5	0x82a8	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:31:52.145823956 CEST	1.1.1.1	192.168.2.5	0x82a8	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:31:52.145823956 CEST	1.1.1.1	192.168.2.5	0x82a8	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:31:52.145823956 CEST	1.1.1.1	192.168.2.5	0x82a8	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:31:52.145823956 CEST	1.1.1.1	192.168.2.5	0x82a8	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:31:52.145823956 CEST	1.1.1.1	192.168.2.5	0x82a8	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:31:52.145823956 CEST	1.1.1.1	192.168.2.5	0x82a8	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:31:52.146946907 CEST	1.1.1.1	192.168.2.5	0x27ee	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 18:31:52.146946907 CEST	1.1.1.1	192.168.2.5	0x27ee	No error (0)	youtube-ui.l.google.com			65	IN (0x0001)	false
Oct 2, 2024 18:31:55.947361946 CEST	1.1.1.1	192.168.2.5	0xad71	No error (0)	www.google.com			65	IN (0x0001)	false
Oct 2, 2024 18:31:55.947935104 CEST	1.1.1.1	192.168.2.5	0xe282	No error (0)	www.google.com		216.58.206.36	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:32:01.058756113 CEST	1.1.1.1	192.168.2.5	0x5ed	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 18:32:01.058756113 CEST	1.1.1.1	192.168.2.5	0x5ed	No error (0)	www3.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:32:01.059370995 CEST	1.1.1.1	192.168.2.5	0xf394	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 18:32:02.307435989 CEST	1.1.1.1	192.168.2.5	0x71de	No error (0)	play.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:33:04.945328951 CEST	1.1.1.1	192.168.2.5	0xf8d8	No error (0)	play.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

youtube.com

www.youtube.com

fs.microsoft.com

https:

accounts.youtube.com

play.google.com

www.google.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49708	142.250.186.78	443	2296	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:31:51 UTC	859	OUT	GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1 Host: youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 16:31:52 UTC	1704	IN	HTTP/1.1 301 Moved Permanently Content-Type: application/binary X-Content-Type-Options: nosniff Expires: Wed, 02 Oct 2024 16:31:52 GMT Date: Wed, 02 Oct 2024 16:31:52 GMT Cache-Control: private, max-age=31536000 Location: https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Content-Security-Policy: require-trusted-types-for 'script' Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49711	172.217.18.14	443	2296	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:31:52 UTC	877	OUT	GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1 Host: www.youtube.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 16:31:53 UTC	2634	IN	HTTP/1.1 303 See Other Content-Type: application/binary X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 02 Oct 2024 16:31:53 GMT Location: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en Strict-Transport-Security: max-age=31536000 X-Frame-Options: SAMEORIGIN Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script' Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 P3P: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info." Server: ESF Content-Length: 0 X-XSS-Protection: 0 Set-Cookie: GPS=1; Domain=.youtube.com; Expires=Wed, 02-Oct-2024 17:01:53 GMT; Path=/; Secure; HttpOnly Set-Cookie: YSC=S-2Hs7xKwmY; Domain=.youtube.com; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_INFO1_LIVE=0Kuwvu4YoY4; Domain=.youtube.com; Expires=Mon, 31-Mar-2025 16:31:53 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_PRIVACY_METADATA=CgJVUxIEGgAgMA%3D%3D; Domain=.youtube.com; Expires=Mon, 31-Mar-2025 16:31:53 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49719	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:31:56 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-02 16:31:56 UTC	466	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-neu-z1 Cache-Control: public, max-age=87234 Date: Wed, 02 Oct 2024 16:31:56 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49721	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:31:57 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-02 16:31:58 UTC	514	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=87176 Date: Wed, 02 Oct 2024 16:31:58 GMT Content-Length: 55 Connection: close X-CID: 2
2024-10-02 16:31:58 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49735	142.250.185.142	443	2296	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:32:02 UTC	1223	OUT	GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=397232016&timestamp=1727886719816 HTTP/1.1 Host: accounts.youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-arch: "x86" sec-ch-ua-platform: "Windows" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-model: "" sec-ch-ua-bitness: "64" sec-ch-ua-wow64: ?0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-Dest: iframe Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 16:32:02 UTC	1967	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 X-Frame-Options: ALLOW-FROM https://accounts.google.com Content-Security-Policy: frame-ancestors https://accounts.google.com Content-Security-Policy: script-src 'report-sample' 'nonce-lLnopBzmyNOdnAjQckkS_A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 02 Oct 2024 16:32:02 GMT Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: cross-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version reporting-endpoints: default="/_/AccountsDomainCookiesCheckConnectionHttp/web-reports?context=eJzjstDikmLw0ZBikPj6kkkDiJ3SZ7AGAXHSv_OsRUB8ufsS63UgVu25xGoKxEUSV1ibgFiIm6Pp9dftbAIvXj2tUtJLyi-Mz0xJzSvJLKlMyc9NzMxLzs_PzkwtLk4tKkstijcyMDIxsDQy0jOwiC8wAADc0y38" Server: ESF X-XSS-Protection: 0 X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 16:32:02 UTC	1967	IN	Data Raw: 37 36 32 30 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 6c 4c 6e 6f 70 42 7a 6d 79 4e 4f 64 6e 41 6a 51 63 6b 6b 53 5f 41 22 3e 22 75 73 65 20 73 74 72 69 63 74 22 3b 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 3d 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 7c 7c 7b 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 5f 29 7b 76 61 72 20 77 69 6e 64 6f 77 3d 74 68 69 73 3b 0a 74 72 79 7b 0a 5f 2e 5f 46 5f 74 6f 67 67 6c 65 73 5f 69 6e 69 74 69 61 6c 69 7a 65 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 28 74 79 70 65 6f Data Ascii: 7620<html><head><script nonce="lLnopBzmyNOdnAjQckkS_A">"use strict";this.default_AccountsDomaincookiesCheckconnectionJs=this.default_AccountsDomaincookiesCheckconnectionJs\|\|{};(function(_){var window=this;try{_._F_toggles_initialize=function(a){(typeo
2024-10-02 16:32:02 UTC	1967	IN	Data Raw: 3d 2f 54 72 69 64 65 6e 74 5c 2f 28 5c 64 2e 5c 64 29 2f 2e 65 78 65 63 28 62 29 2c 0a 63 5b 31 5d 3d 3d 22 37 2e 30 22 29 69 66 28 62 26 26 62 5b 31 5d 29 73 77 69 74 63 68 28 62 5b 31 5d 29 7b 63 61 73 65 20 22 34 2e 30 22 3a 61 3d 22 38 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 35 2e 30 22 3a 61 3d 22 39 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 36 2e 30 22 3a 61 3d 22 31 30 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 37 2e 30 22 3a 61 3d 22 31 31 2e 30 22 7d 65 6c 73 65 20 61 3d 22 37 2e 30 22 3b 65 6c 73 65 20 61 3d 63 5b 31 5d 3b 62 3d 61 7d 65 6c 73 65 20 62 3d 22 22 3b 72 65 74 75 72 6e 20 62 7d 76 61 72 20 64 3d 52 65 67 45 78 70 28 22 28 5b 41 2d 5a 5d 5b 5c 5c 77 20 5d 2b 29 2f 28 5b 5e 5c 5c 73 5d 2b 29 5c 5c 73 2a 28 3f 3a 5c Data Ascii: =/Trident\/(\d.\d)/.exec(b),c[1]=="7.0")if(b&&b[1])switch(b[1]){case "4.0":a="8.0";break;case "5.0":a="9.0";break;case "6.0":a="10.0";break;case "7.0":a="11.0"}else a="7.0";else a=c[1];b=a}else b="";return b}var d=RegExp("([A-Z][\\w ]+)/([^\\s]+)\\s*(?:\
2024-10-02 16:32:02 UTC	1967	IN	Data Raw: 7b 73 77 69 74 63 68 28 74 79 70 65 6f 66 20 61 29 7b 63 61 73 65 20 22 6e 75 6d 62 65 72 22 3a 72 65 74 75 72 6e 20 69 73 46 69 6e 69 74 65 28 61 29 3f 61 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 69 67 69 6e 74 22 3a 72 65 74 75 72 6e 28 41 61 3f 0a 61 3e 3d 42 61 26 26 61 3c 3d 43 61 3a 61 5b 30 5d 3d 3d 3d 22 2d 22 3f 75 61 28 61 2c 44 61 29 3a 75 61 28 61 2c 45 61 29 29 3f 4e 75 6d 62 65 72 28 61 29 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 72 65 74 75 72 6e 20 61 3f 31 3a 30 3b 63 61 73 65 20 22 6f 62 6a 65 63 74 22 3a 69 66 28 61 29 69 66 28 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 61 29 29 7b 69 66 28 43 28 61 29 29 72 65 74 75 72 6e 7d 65 6c 73 65 20 69 66 28 46 61 26 26 61 21 3d 6e 75 6c 6c 26 26 Data Ascii: {switch(typeof a){case "number":return isFinite(a)?a:String(a);case "bigint":return(Aa?a>=Ba&&a<=Ca:a[0]==="-"?ua(a,Da):ua(a,Ea))?Number(a):String(a);case "boolean":return a?1:0;case "object":if(a)if(Array.isArray(a)){if(C(a))return}else if(Fa&&a!=null&&
2024-10-02 16:32:02 UTC	1967	IN	Data Raw: 69 6f 6e 28 61 29 7b 76 61 72 20 62 3b 69 66 28 61 26 26 28 62 3d 51 61 29 21 3d 6e 75 6c 6c 26 26 62 2e 68 61 73 28 61 29 26 26 28 62 3d 61 2e 43 29 29 66 6f 72 28 76 61 72 20 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 62 5b 63 5d 3b 69 66 28 63 3d 3d 3d 62 2e 6c 65 6e 67 74 68 2d 31 26 26 41 28 64 29 29 66 6f 72 28 76 61 72 20 65 20 69 6e 20 64 29 7b 76 61 72 20 66 3d 64 5b 65 5d 3b 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 66 29 26 26 0a 52 61 28 66 2c 61 29 7d 65 6c 73 65 20 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 64 29 26 26 52 61 28 64 2c 61 29 7d 61 3d 45 3f 61 2e 43 3a 4d 61 28 61 2e 43 2c 50 61 2c 76 6f 69 64 20 30 2c 76 6f 69 64 20 30 2c 21 31 29 3b 65 3d 21 45 3b 69 66 28 62 3d 61 2e 6c 65 6e 67 74 68 29 7b Data Ascii: ion(a){var b;if(a&&(b=Qa)!=null&&b.has(a)&&(b=a.C))for(var c=0;c<b.length;c++){var d=b[c];if(c===b.length-1&&A(d))for(var e in d){var f=d[e];Array.isArray(f)&&Ra(f,a)}else Array.isArray(d)&&Ra(d,a)}a=E?a.C:Ma(a.C,Pa,void 0,void 0,!1);e=!E;if(b=a.length){
2024-10-02 16:32:02 UTC	1967	IN	Data Raw: 0a 47 28 22 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 61 29 72 65 74 75 72 6e 20 61 3b 61 3d 53 79 6d 62 6f 6c 28 22 63 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 22 41 72 72 61 79 20 49 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 43 6c 61 6d 70 65 64 41 72 72 61 79 20 49 6e 74 31 36 41 72 72 61 79 20 55 69 6e 74 31 36 41 72 72 61 79 20 49 6e 74 33 32 41 72 72 61 79 20 55 69 6e 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 36 34 41 72 72 61 79 22 2e 73 70 6c 69 74 28 22 20 22 29 2c 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 57 61 5b 62 5b 63 5d 5d 3b 74 79 70 65 6f 66 20 64 3d 3d 3d 22 66 75 6e 63 74 69 6f Data Ascii: G("Symbol.iterator",function(a){if(a)return a;a=Symbol("c");for(var b="Array Int8Array Uint8Array Uint8ClampedArray Int16Array Uint16Array Int32Array Uint32Array Float32Array Float64Array".split(" "),c=0;c<b.length;c++){var d=Wa[b[c]];typeof d==="functio
2024-10-02 16:32:02 UTC	1967	IN	Data Raw: 74 68 2e 72 61 6e 64 6f 6d 28 29 3b 65 28 22 66 72 65 65 7a 65 22 29 3b 65 28 22 70 72 65 76 65 6e 74 45 78 74 65 6e 73 69 6f 6e 73 22 29 3b 65 28 22 73 65 61 6c 22 29 3b 76 61 72 20 68 3d 30 2c 67 3d 66 75 6e 63 74 69 6f 6e 28 6b 29 7b 74 68 69 73 2e 67 3d 28 68 2b 3d 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2b 31 29 2e 74 6f 53 74 72 69 6e 67 28 29 3b 69 66 28 6b 29 7b 6b 3d 48 28 6b 29 3b 66 6f 72 28 76 61 72 20 6c 3b 21 28 6c 3d 6b 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6c 3d 6c 2e 76 61 6c 75 65 2c 74 68 69 73 2e 73 65 74 28 6c 5b 30 5d 2c 6c 5b 31 5d 29 7d 7d 3b 67 2e 70 72 6f 74 6f 74 79 70 65 2e 73 65 74 3d 66 75 6e 63 74 69 6f 6e 28 6b 2c 6c 29 7b 69 66 28 21 63 28 6b 29 29 74 68 72 6f 77 20 45 72 72 6f 72 28 22 69 22 29 3b 64 28 6b 29 3b 69 Data Ascii: th.random();e("freeze");e("preventExtensions");e("seal");var h=0,g=function(k){this.g=(h+=Math.random()+1).toString();if(k){k=H(k);for(var l;!(l=k.next()).done;)l=l.value,this.set(l[0],l[1])}};g.prototype.set=function(k,l){if(!c(k))throw Error("i");d(k);i
2024-10-02 16:32:02 UTC	1967	IN	Data Raw: 63 74 69 6f 6e 28 67 29 7b 72 65 74 75 72 6e 20 67 2e 76 61 6c 75 65 7d 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 2e 66 6f 72 45 61 63 68 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 66 6f 72 28 76 61 72 20 6c 3d 74 68 69 73 2e 65 6e 74 72 69 65 73 28 29 2c 6d 3b 21 28 6d 3d 6c 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6d 3d 0a 6d 2e 76 61 6c 75 65 2c 67 2e 63 61 6c 6c 28 6b 2c 6d 5b 31 5d 2c 6d 5b 30 5d 2c 74 68 69 73 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 5b 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 5d 3d 63 2e 70 72 6f 74 6f 74 79 70 65 2e 65 6e 74 72 69 65 73 3b 76 61 72 20 64 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 76 61 72 20 6c 3d 6b 26 26 74 79 70 65 6f 66 20 6b 3b 6c 3d 3d 22 6f 62 6a 65 63 74 22 7c 7c 6c 3d 3d 22 66 75 6e 63 74 69 Data Ascii: ction(g){return g.value})};c.prototype.forEach=function(g,k){for(var l=this.entries(),m;!(m=l.next()).done;)m=m.value,g.call(k,m[1],m[0],this)};c.prototype[Symbol.iterator]=c.prototype.entries;var d=function(g,k){var l=k&&typeof k;l=="object"\|\|l=="functi
2024-10-02 16:32:02 UTC	1967	IN	Data Raw: 2e 69 73 4e 61 4e 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 3f 61 3a 66 75 6e 63 74 69 6f 6e 28 62 29 7b 72 65 74 75 72 6e 20 74 79 70 65 6f 66 20 62 3d 3d 3d 22 6e 75 6d 62 65 72 22 26 26 69 73 4e 61 4e 28 62 29 7d 7d 29 3b 76 61 72 20 66 62 3d 66 62 7c 7c 7b 7d 2c 71 3d 74 68 69 73 7c 7c 73 65 6c 66 2c 67 62 3d 71 2e 5f 46 5f 74 6f 67 67 6c 65 73 7c 7c 5b 5d 2c 68 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 3d 61 2e 73 70 6c 69 74 28 22 2e 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 71 2c 63 3d 30 3b 63 3c 61 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 69 66 28 62 3d 62 5b 61 5b 63 5d 5d 2c 62 3d 3d 6e 75 6c 6c 29 72 65 74 75 72 6e 20 6e 75 6c 6c 3b 72 65 74 75 72 6e 20 62 7d 2c 69 62 3d 22 63 6c 6f 73 75 72 65 5f 75 69 64 5f 22 2b 28 4d 61 Data Ascii: .isNaN",function(a){return a?a:function(b){return typeof b==="number"&&isNaN(b)}});var fb=fb\|\|{},q=this\|\|self,gb=q._F_toggles\|\|[],hb=function(a){a=a.split(".");for(var b=q,c=0;c<a.length;c++)if(b=b[a[c]],b==null)return null;return b},ib="closure_uid_"+(Ma
2024-10-02 16:32:02 UTC	1967	IN	Data Raw: 73 75 72 65 5f 5f 65 72 72 6f 72 5f 5f 63 6f 6e 74 65 78 74 5f 5f 39 38 34 33 38 32 3d 7b 7d 29 3b 61 2e 5f 5f 63 6c 6f 73 75 72 65 5f 5f 65 72 72 6f 72 5f 5f 63 6f 6e 74 65 78 74 5f 5f 39 38 34 33 38 32 2e 73 65 76 65 72 69 74 79 3d 62 7d 3b 76 61 72 20 71 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 63 3d 63 7c 7c 71 3b 76 61 72 20 64 3d 63 2e 6f 6e 65 72 72 6f 72 2c 65 3d 21 21 62 3b 63 2e 6f 6e 65 72 72 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 66 2c 68 2c 67 2c 6b 2c 6c 29 7b 64 26 26 64 28 66 2c 68 2c 67 2c 6b 2c 6c 29 3b 61 28 7b 6d 65 73 73 61 67 65 3a 66 2c 66 69 6c 65 4e 61 6d 65 3a 68 2c 6c 69 6e 65 3a 67 2c 6c 69 6e 65 4e 75 6d 62 65 72 3a 67 2c 63 61 3a 6b 2c 65 72 72 6f 72 3a 6c 7d 29 3b 72 65 74 75 72 6e 20 65 7d 7d 2c 74 62 3d 66 75 6e Data Ascii: sure__error__context__984382={});a.__closure__error__context__984382.severity=b};var qb=function(a,b,c){c=c\|\|q;var d=c.onerror,e=!!b;c.onerror=function(f,h,g,k,l){d&&d(f,h,g,k,l);a({message:f,fileName:h,line:g,lineNumber:g,ca:k,error:l});return e}},tb=fun
2024-10-02 16:32:02 UTC	1967	IN	Data Raw: 74 72 69 6e 67 22 3a 62 72 65 61 6b 3b 63 61 73 65 20 22 6e 75 6d 62 65 72 22 3a 66 3d 53 74 72 69 6e 67 28 66 29 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 66 3d 66 3f 22 74 72 75 65 22 3a 22 66 61 6c 73 65 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 66 75 6e 63 74 69 6f 6e 22 3a 66 3d 28 66 3d 73 62 28 66 29 29 3f 66 3a 22 5b 66 6e 5d 22 3b 62 72 65 61 6b 3b 64 65 66 61 75 6c 74 3a 66 3d 0a 74 79 70 65 6f 66 20 66 7d 66 2e 6c 65 6e 67 74 68 3e 34 30 26 26 28 66 3d 66 2e 73 6c 69 63 65 28 30 2c 34 30 29 2b 22 2e 2e 2e 22 29 3b 63 2e 70 75 73 68 28 66 29 7d 62 2e 70 75 73 68 28 61 29 3b 63 2e 70 75 73 68 28 22 29 5c 6e 22 29 3b 74 72 79 7b 63 2e 70 75 73 68 28 77 62 28 61 2e 63 61 6c 6c 65 72 2c 62 29 29 7d 63 61 74 63 68 28 68 29 7b Data Ascii: tring":break;case "number":f=String(f);break;case "boolean":f=f?"true":"false";break;case "function":f=(f=sb(f))?f:"[fn]";break;default:f=typeof f}f.length>40&&(f=f.slice(0,40)+"...");c.push(f)}b.push(a);c.push(")\n");try{c.push(wb(a.caller,b))}catch(h){

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49737	172.217.18.14	443	2296	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:32:03 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 16:32:03 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 16:32:03 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49738	172.217.18.14	443	2296	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:32:03 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 16:32:03 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 16:32:03 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49742	172.217.18.14	443	2296	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:32:03 UTC	1132	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 519 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 16:32:03 UTC	519	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 36 37 32 31 30 37 32 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727886721072",null,null,null
2024-10-02 16:32:04 UTC	932	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=H9pygYi9Vv9HgObJ0MxvBXI17gt9KWMqlFVrmpYLVfvrjo06kLWjRTjWLP3aPbeW5KDuTu6Tko2Z93e1JxigmioaYaRlmTOfR_cQlSrza6cO7OmpOWM4Zbnfr8SBs2KRjV53_Xn4xsGbvPy-e5_sCKmxLtIE12EbAc9AC2rAmxHCB08KJg; expires=Thu, 03-Apr-2025 16:32:04 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 16:32:04 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Wed, 02 Oct 2024 16:32:04 GMT Connection: close Transfer-Encoding: chunked
2024-10-02 16:32:04 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 16:32:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49743	172.217.18.14	443	2296	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:32:04 UTC	1132	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 519 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 16:32:04 UTC	519	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 36 37 32 31 31 35 34 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727886721154",null,null,null
2024-10-02 16:32:04 UTC	932	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=TZk4XzcMrSgPZBmyku2qrETY-TNClrmKeW6HwmUFpBwq13m4Dn1uZsXV5AoQYg2ljyDcw9wh7oyEIJ71wxeag3sstc3SKVCg7aKLutfa5j-9mfY7kqi7DcOvmZPxVewNn9D-QOFScLWo1dYU1WylpCXAGFIvl3fdUqxfuu8ETHH1jsAojw; expires=Thu, 03-Apr-2025 16:32:04 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 16:32:04 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Wed, 02 Oct 2024 16:32:04 GMT Connection: close Transfer-Encoding: chunked
2024-10-02 16:32:04 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 16:32:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49718	216.58.206.36	443	2296	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:32:04 UTC	1221	OUT	GET /favicon.ico HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=TZk4XzcMrSgPZBmyku2qrETY-TNClrmKeW6HwmUFpBwq13m4Dn1uZsXV5AoQYg2ljyDcw9wh7oyEIJ71wxeag3sstc3SKVCg7aKLutfa5j-9mfY7kqi7DcOvmZPxVewNn9D-QOFScLWo1dYU1WylpCXAGFIvl3fdUqxfuu8ETHH1jsAojw
2024-10-02 16:32:04 UTC	706	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable" Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]} Content-Length: 5430 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Wed, 02 Oct 2024 13:38:50 GMT Expires: Thu, 10 Oct 2024 13:38:50 GMT Cache-Control: public, max-age=691200 Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT Content-Type: image/x-icon Vary: Accept-Encoding Age: 10394 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-02 16:32:04 UTC	684	IN	Data Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 30 fd fd fd 96 fd fd fd d8 fd fd fd f9 fd fd fd f9 fd fd fd d7 fd fd fd 94 fe fe fe 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 95 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd c1 ff ff ff ff fa fd f9 ff b4 d9 a7 ff 76 ba 5d ff 58 ab 3a ff 58 aa 3a ff 72 b8 59 ff ac d5 9d ff f8 fb f6 ff ff Data Ascii: h& ( 0.v]X:X:rY
2024-10-02 16:32:04 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d8 fd fd fd 99 ff ff ff ff 92 cf fb ff 37 52 ec ff 38 46 ea ff d0 d4 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 96 fe fe fe 32 ff ff ff ff f9 f9 fe ff 56 62 ed ff 35 43 ea ff 3b 49 eb ff 95 9c f4 ff cf d2 fa ff d1 d4 fa ff 96 9d f4 ff 52 5e ed ff e1 e3 fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 30 00 00 00 00 fd fd fd 9d ff ff ff ff e8 ea fd ff 58 63 ee ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 6c 76 f0 ff ff ff ff ff ff ff ff ff fd fd fd 98 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd c3 ff ff ff ff f9 f9 fe ff a5 ac f6 ff 5d 69 ee ff 3c Data Ascii: 7R8F2Vb5C;IR^0Xc5C5C5C5C5C5Clv]i<
2024-10-02 16:32:04 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d0 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd fd fd 8b ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b1 d8 a3 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 60 a5 35 ff ca 8e 3e ff f9 c1 9f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 87 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 25 fd fd fd fb ff ff ff ff ff ff ff ff ff ff ff ff c2 e0 b7 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 6e b6 54 ff 9f ce 8d ff b7 da aa ff b8 db ab ff a5 d2 95 ff 7b bc 64 ff 54 a8 35 ff 53 a8 34 ff 77 a0 37 ff e3 89 41 ff f4 85 42 ff f4 85 42 Data Ascii: S4S4S4S4S4S4S4S4S4S4S4S4S4S4`5>%S4S4S4S4S4S4nT{dT5S4w7ABB
2024-10-02 16:32:04 UTC	1390	IN	Data Raw: 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff fb d5 bf ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd ea fd fd fd cb ff ff ff ff ff ff ff ff ff ff ff ff 46 cd fc ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 21 ae f9 ff fb fb ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd c8 fd fd fd 9c ff ff ff ff ff ff ff ff ff ff ff ff 86 df fd ff 05 bc fb ff 05 bc fb ff 15 93 f5 ff 34 49 eb ff b3 b8 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: BBBBBBBF!4I
2024-10-02 16:32:04 UTC	576	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d2 fe fe fe 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd 8d fd fd fd fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd fb fd fd fd 8b fe fe fe 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 27 fd fd fd 9f fd fd fd f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: $'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49746	20.12.23.50	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:32:05 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=W6tKsDOdPEcbgx8&MD=ZTlbRr74 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-02 16:32:05 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 6f091a23-4c85-4a6e-b08f-a7e25654673c MS-RequestId: 8272ced2-4339-4893-a585-c73289b5ac9d MS-CV: 06CnyGXsgkqvnUKj.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 02 Oct 2024 16:32:04 GMT Connection: close Content-Length: 24490
2024-10-02 16:32:05 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-10-02 16:32:05 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49757	172.217.18.14	443	2296	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:32:10 UTC	1306	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1218 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=TZk4XzcMrSgPZBmyku2qrETY-TNClrmKeW6HwmUFpBwq13m4Dn1uZsXV5AoQYg2ljyDcw9wh7oyEIJ71wxeag3sstc3SKVCg7aKLutfa5j-9mfY7kqi7DcOvmZPxVewNn9D-QOFScLWo1dYU1WylpCXAGFIvl3fdUqxfuu8ETHH1jsAojw
2024-10-02 16:32:10 UTC	1218	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 34 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 35 35 38 2c 5b 5b 22 31 37 32 37 38 38 36 37 31 38 30 30 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,null,null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[4,0,0,0,0]]],558,[["1727886718000",null,null,null,
2024-10-02 16:32:10 UTC	940	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=rDmRwQhAOOw5vXtS9HfSJXx5ax1fdADwgD1vty-8roRbHIteCJ4MHkgvDt_q3-xXroyIGkw1rmheaUEPEQzkGM0nWWqUAXCAyY92YEsAslfy6i-rR9AzAQdQ1jhQKl3mqaeiHpjiepEHDWw2p_4n5O5ys4ppk7zSkQupMLpIKl3p9aARzhpKZ5FDWw; expires=Thu, 03-Apr-2025 16:32:10 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 16:32:10 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Wed, 02 Oct 2024 16:32:10 GMT Connection: close Transfer-Encoding: chunked
2024-10-02 16:32:10 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 16:32:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49758	172.217.18.14	443	2296	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:32:33 UTC	1337	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1129 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=rDmRwQhAOOw5vXtS9HfSJXx5ax1fdADwgD1vty-8roRbHIteCJ4MHkgvDt_q3-xXroyIGkw1rmheaUEPEQzkGM0nWWqUAXCAyY92YEsAslfy6i-rR9AzAQdQ1jhQKl3mqaeiHpjiepEHDWw2p_4n5O5ys4ppk7zSkQupMLpIKl3p9aARzhpKZ5FDWw
2024-10-02 16:32:33 UTC	1129	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 36 37 35 32 30 32 37 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727886752027",null,null,null
2024-10-02 16:32:34 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 16:32:34 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 16:32:34 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 16:32:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49759	172.217.18.14	443	2296	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:32:34 UTC	1297	OUT	POST /log?hasfast=true&authuser=0&format=json HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1030 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.132" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=rDmRwQhAOOw5vXtS9HfSJXx5ax1fdADwgD1vty-8roRbHIteCJ4MHkgvDt_q3-xXroyIGkw1rmheaUEPEQzkGM0nWWqUAXCAyY92YEsAslfy6i-rR9AzAQdQ1jhQKl3mqaeiHpjiepEHDWw2p_4n5O5ys4ppk7zSkQupMLpIKl3p9aARzhpKZ5FDWw
2024-10-02 16:32:34 UTC	1030	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 62 6f 71 5f 69 64 65 6e 74 69 74 79 66 72 6f 6e 74 65 6e 64 61 75 74 68 75 69 73 65 72 76 65 72 5f 32 30 32 34 30 39 32 39 2e 30 37 5f 70 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 33 2c 30 2c 30 Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"boq_identityfrontendauthuiserver_20240929.07_p0",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[3,0,0
2024-10-02 16:32:34 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 16:32:34 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 16:32:34 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 16:32:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49760	172.217.18.14	443	2296	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:32:35 UTC	1337	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1163 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=rDmRwQhAOOw5vXtS9HfSJXx5ax1fdADwgD1vty-8roRbHIteCJ4MHkgvDt_q3-xXroyIGkw1rmheaUEPEQzkGM0nWWqUAXCAyY92YEsAslfy6i-rR9AzAQdQ1jhQKl3mqaeiHpjiepEHDWw2p_4n5O5ys4ppk7zSkQupMLpIKl3p9aARzhpKZ5FDWw
2024-10-02 16:32:35 UTC	1163	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 36 37 35 33 37 31 36 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727886753716",null,null,null
2024-10-02 16:32:35 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 16:32:35 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 16:32:35 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 16:32:35 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49761	20.12.23.50	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:32:43 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=W6tKsDOdPEcbgx8&MD=ZTlbRr74 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-02 16:32:43 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: a5a4d9ce-c60f-4e59-b488-76e123562b08 MS-RequestId: 2c0b752c-db20-4798-804a-0d91faef9043 MS-CV: jexBgX9BZkK3wv8E.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 02 Oct 2024 16:32:42 GMT Connection: close Content-Length: 30005
2024-10-02 16:32:43 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-10-02 16:32:43 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49765	216.58.206.46	443	2296	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:33:05 UTC	1337	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1277 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=rDmRwQhAOOw5vXtS9HfSJXx5ax1fdADwgD1vty-8roRbHIteCJ4MHkgvDt_q3-xXroyIGkw1rmheaUEPEQzkGM0nWWqUAXCAyY92YEsAslfy6i-rR9AzAQdQ1jhQKl3mqaeiHpjiepEHDWw2p_4n5O5ys4ppk7zSkQupMLpIKl3p9aARzhpKZ5FDWw
2024-10-02 16:33:05 UTC	1277	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 36 37 38 33 37 31 39 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727886783719",null,null,null
2024-10-02 16:33:05 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 16:33:05 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 16:33:05 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 16:33:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49767	216.58.206.46	443	2296	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:33:07 UTC	1337	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1426 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=rDmRwQhAOOw5vXtS9HfSJXx5ax1fdADwgD1vty-8roRbHIteCJ4MHkgvDt_q3-xXroyIGkw1rmheaUEPEQzkGM0nWWqUAXCAyY92YEsAslfy6i-rR9AzAQdQ1jhQKl3mqaeiHpjiepEHDWw2p_4n5O5ys4ppk7zSkQupMLpIKl3p9aARzhpKZ5FDWw
2024-10-02 16:33:07 UTC	1426	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 36 37 38 35 38 34 34 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727886785844",null,null,null
2024-10-02 16:33:08 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 16:33:07 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 16:33:08 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 16:33:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49769	216.58.206.46	443	2296	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:33:36 UTC	1337	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1381 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=rDmRwQhAOOw5vXtS9HfSJXx5ax1fdADwgD1vty-8roRbHIteCJ4MHkgvDt_q3-xXroyIGkw1rmheaUEPEQzkGM0nWWqUAXCAyY92YEsAslfy6i-rR9AzAQdQ1jhQKl3mqaeiHpjiepEHDWw2p_4n5O5ys4ppk7zSkQupMLpIKl3p9aARzhpKZ5FDWw
2024-10-02 16:33:36 UTC	1381	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 36 38 31 34 35 36 33 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727886814563",null,null,null
2024-10-02 16:33:36 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 16:33:36 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 16:33:36 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 16:33:36 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49770	216.58.206.46	443	2296	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:33:40 UTC	1337	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1579 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=rDmRwQhAOOw5vXtS9HfSJXx5ax1fdADwgD1vty-8roRbHIteCJ4MHkgvDt_q3-xXroyIGkw1rmheaUEPEQzkGM0nWWqUAXCAyY92YEsAslfy6i-rR9AzAQdQ1jhQKl3mqaeiHpjiepEHDWw2p_4n5O5ys4ppk7zSkQupMLpIKl3p9aARzhpKZ5FDWw
2024-10-02 16:33:40 UTC	1579	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 36 38 31 37 32 34 39 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727886817249",null,null,null
2024-10-02 16:33:40 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 16:33:40 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 16:33:40 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 16:33:40 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	12:31:46
Start date:	02/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x310000
File size:	918'528 bytes
MD5 hash:	BA024037D5FF82BC4506EB3AD4B4BB11
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:31:46
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xe40000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:31:46
Start date:	02/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:31:48
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	12:31:49
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 --field-trial-handle=2248,i,505704173538351557,9079963475394017649,262144 /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	12:32:01
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5672 --field-trial-handle=2248,i,505704173538351557,9079963475394017649,262144 /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	12:32:01
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 --field-trial-handle=2248,i,505704173538351557,9079963475394017649,262144 /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.9%
Total number of Nodes:	1655
Total number of Limit Nodes:	55

Executed Functions

Function 003142DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0031430D

Part of subcall function 00316B57: _wcslen.LIBCMT ref: 00316B6A

GetCurrentProcess.KERNEL32(?,003ACB64,00000000,?,?), ref: 00314422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00314429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00314454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00314466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00314474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0031447B
GetSystemInfo.KERNEL32(?,?,?), ref: 003144A0

Strings

kernel32.dll, xrefs: 0031444F
|O, xrefs: 003536F8
GetNativeSystemInfo, xrefs: 00314460

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 906d5f2b095c491f57dbf79d0b7fed6b26ce37efee7df7d8093e7bb215938cfd
Instruction ID: c6ba79c61e2e33984fbb78a9b6d027739ccf64eb38cbb82efba9e02c20f621ad
Opcode Fuzzy Hash: 906d5f2b095c491f57dbf79d0b7fed6b26ce37efee7df7d8093e7bb215938cfd
Instruction Fuzzy Hash: D5A1C57DA1A2C0CFC737C76A7CC05D97FAC6B2A741F085A99D4819BAA2D6304948CB31

Function 003142A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,003150AA,?,?,00000000,00000000), ref: 003142B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,003150AA,?,?,00000000,00000000), ref: 003142C9
LoadResource.KERNEL32(?,00000000,?,?,003150AA,?,?,00000000,00000000,?,?,?,?,?,?,00314F20), ref: 003535BE
SizeofResource.KERNEL32(?,00000000,?,?,003150AA,?,?,00000000,00000000,?,?,?,?,?,?,00314F20), ref: 003535D3
LockResource.KERNEL32(003150AA,?,?,003150AA,?,?,00000000,00000000,?,?,?,?,?,?,00314F20,?), ref: 003535E6

Strings

SCRIPT, xrefs: 003142BF

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 99080b14531a26d37785d6c43fe4f044bac945426f7cf37042571076114cfe1b
Instruction ID: 73d79c0caa2697fd87caf03831dc6148bedc20c0f35e9456a9cca82fcb206006
Opcode Fuzzy Hash: 99080b14531a26d37785d6c43fe4f044bac945426f7cf37042571076114cfe1b
Instruction Fuzzy Hash: 24117C70200700BFDB268B65DC48F677BBEEBCAB51F104969F40296260DB71D841C620

Function 00352BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00312B6B

Part of subcall function 00313A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,003E1418,?,00312E7F,?,?,?,00000000), ref: 00313A78

Part of subcall function 00319CB3: _wcslen.LIBCMT ref: 00319CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,003D2224), ref: 00352C10
ShellExecuteW.SHELL32(00000000,?,?,003D2224), ref: 00352C17

Strings

runas, xrefs: 00352C0B

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 436e19354032560e6be9d4791bd2ad303e48d8789401bc7defe4afae7e2b361e
Instruction ID: ed283aff90894e0409aa245375ba3bf7c41d478130764576040d74a8ae8c5bf5
Opcode Fuzzy Hash: 436e19354032560e6be9d4791bd2ad303e48d8789401bc7defe4afae7e2b361e
Instruction Fuzzy Hash: BF11A2312083455AC71FFF60D861AEE77A89F9E350F44592EF1821A1E2CF319A899752

Function 0039A67C Relevance: 6.2, APIs: 4, Instructions: 175
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0039A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0039A6BA

Part of subcall function 00319CB3: _wcslen.LIBCMT ref: 00319CBD

Process32NextW.KERNEL32(00000000,?), ref: 0039A79C
CloseHandle.KERNELBASE(00000000), ref: 0039A7AB

Part of subcall function 0032CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00353303,?), ref: 0032CE8A

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 652631a278c1167b4c0b2cb9e883fe14539dc9f89e985f0d770c8e1eb8fcc1dc
Instruction ID: eb22b27bd217ed42fd645cc568705eac9df75a33ddb9f4ed55ac39beb0f72e24
Opcode Fuzzy Hash: 652631a278c1167b4c0b2cb9e883fe14539dc9f89e985f0d770c8e1eb8fcc1dc
Instruction Fuzzy Hash: FD516F71508310AFD715EF24D886A6BBBF8FF89754F00491DF5899B252EB30D944CB92

Function 0037DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00355222), ref: 0037DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0037DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0037DBEE
FindClose.KERNEL32(00000000), ref: 0037DBFA

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: f25668f8e4644c930b87a10810dad347558a84acb73387640f8ad19cfc20ca04
Instruction ID: daef4764e015bd921c1da9a71351b02b15062fefac9ec5a0d6c26068fc88153e
Opcode Fuzzy Hash: f25668f8e4644c930b87a10810dad347558a84acb73387640f8ad19cfc20ca04
Instruction Fuzzy Hash: 3DF0A03082091957C2336B78AC0D8AA37BC9E02334F108B02F83AC20E0EBB45D548695

Function 00334CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(003428E9,?,00334CBE,003428E9,003D88B8,0000000C,00334E15,003428E9,00000002,00000000,?,003428E9), ref: 00334D09
TerminateProcess.KERNEL32(00000000,?,00334CBE,003428E9,003D88B8,0000000C,00334E15,003428E9,00000002,00000000,?,003428E9), ref: 00334D10
ExitProcess.KERNEL32 ref: 00334D22

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: ddd20d7d58ee5b3cb4b14d1ec18e3476171f3818ea2d66c97a5f06befd4b5bcc
Instruction ID: 8831ed4b43d40a2caee4976128845ba365c1b904dc9895cab64df1dfffab6021
Opcode Fuzzy Hash: ddd20d7d58ee5b3cb4b14d1ec18e3476171f3818ea2d66c97a5f06befd4b5bcc
Instruction Fuzzy Hash: 41E0B631010148ABCF53AF54DD49A593B6DEB42781F114014FC059B173CB39ED42CA80

Function 0031BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#>, xrefs: 003607CE

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#>
API String ID: 3964851224-3564690312
Opcode ID: 81fd032ee112f72b60dfca5b68497bb8d39e7d9e3bd3b5b2816ce2b494bb5d74
Instruction ID: 1feb04b1e9504c894bdc69a5a76405b66a0bd0bf2063171ddb5bbf8bea13d0e9
Opcode Fuzzy Hash: 81fd032ee112f72b60dfca5b68497bb8d39e7d9e3bd3b5b2816ce2b494bb5d74
Instruction Fuzzy Hash: 37A28C706183408FC71ACF24C481B6BBBE5BF89304F15996DE89A8B356D771EC85CB92

Function 0039AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0039B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0039B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0039B1D4
_wcslen.LIBCMT ref: 0039B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0039B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0039B236
_wcslen.LIBCMT ref: 0039B332

Part of subcall function 003805A7: GetStdHandle.KERNEL32(000000F6), ref: 003805C6

_wcslen.LIBCMT ref: 0039B34B
_wcslen.LIBCMT ref: 0039B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0039B3B6
GetLastError.KERNEL32(00000000), ref: 0039B407
CloseHandle.KERNEL32(?), ref: 0039B439
CloseHandle.KERNEL32(00000000), ref: 0039B44A
CloseHandle.KERNEL32(00000000), ref: 0039B45C
CloseHandle.KERNEL32(00000000), ref: 0039B46E
CloseHandle.KERNEL32(?), ref: 0039B4E3

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 2920d1759488101ba6b51cd607993e397942b56f682f11f137320b5282d847cc
Instruction ID: 08f0260fddbeca971b4005e54d6ac8843d75a2ddd048c0eba843af234953ffa0
Opcode Fuzzy Hash: 2920d1759488101ba6b51cd607993e397942b56f682f11f137320b5282d847cc
Instruction Fuzzy Hash: CEF1AE316043009FCB16EF24D981B6EBBE5AF89710F19885DF8858F2A2DB30EC44CB52

Function 0031D730 Relevance: 21.6, APIs: 14, Instructions: 624windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0031D807
timeGetTime.WINMM ref: 0031DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0031DB28
TranslateMessage.USER32(?), ref: 0031DB7B
DispatchMessageW.USER32(?), ref: 0031DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0031DB9F
Sleep.KERNELBASE(0000000A), ref: 0031DBB1

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: ad90cda0c1f7d896cc675af0df8acf763fd98bac8f652144b1512e94c531eca1
Instruction ID: 21cbf58ca006cef570cb6a513876404d2c5824db083314901342a8d1d28fa6cc
Opcode Fuzzy Hash: ad90cda0c1f7d896cc675af0df8acf763fd98bac8f652144b1512e94c531eca1
Instruction Fuzzy Hash: 4C42C370608741DFD72BCF24C884BAAB7E4BF4B314F16865DE4968B291D774E884CB92

Function 00312CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00312D07
RegisterClassExW.USER32(00000030), ref: 00312D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00312D42
InitCommonControlsEx.COMCTL32(?), ref: 00312D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00312D6F
LoadIconW.USER32(000000A9), ref: 00312D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00312D94

Strings

0, xrefs: 00312CE9
+, xrefs: 00312CF0
AutoIt v3 GUI, xrefs: 00312D23
TaskbarCreated, xrefs: 00312D37

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: a5c1d97d00e8479625b026a0ad15f56dd5c8755cd363001f338fd0e5b95f9d51
Instruction ID: 1272cc75d5b1acb480b1866f43607d9a20b25155485c2174fc24e1deda472f19
Opcode Fuzzy Hash: a5c1d97d00e8479625b026a0ad15f56dd5c8755cd363001f338fd0e5b95f9d51
Instruction Fuzzy Hash: 7021C4B5921358EFDB12DFA4EC89BDDBBB8FB09700F00921AF511AA2A0D7B54544CF91

Function 0035065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0035039A: CreateFileW.KERNELBASE(00000000,00000000,?,00350704,?,?,00000000,?,00350704,00000000,0000000C), ref: 003503B7

GetLastError.KERNEL32 ref: 0035076F
__dosmaperr.LIBCMT ref: 00350776
GetFileType.KERNELBASE(00000000), ref: 00350782
GetLastError.KERNEL32 ref: 0035078C
__dosmaperr.LIBCMT ref: 00350795
CloseHandle.KERNEL32(00000000), ref: 003507B5
CloseHandle.KERNEL32(?), ref: 003508FF
GetLastError.KERNEL32 ref: 00350931
__dosmaperr.LIBCMT ref: 00350938

Strings

H, xrefs: 003508BD

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 0ab06a5918fa5ca4acea8155e89ac21abdf2fe924afd194d9f395c8fbb90a71b
Instruction ID: 4a17ff8b930c2936f1356589c4a53016366fb31616257d9b0430a6163d9c1f09
Opcode Fuzzy Hash: 0ab06a5918fa5ca4acea8155e89ac21abdf2fe924afd194d9f395c8fbb90a71b
Instruction Fuzzy Hash: 9DA12536A001448FDF2EAF68D891BAE7BA4EB06321F140159FC11DF2E1DB369817CB91

Function 0031344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00313A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,003E1418,?,00312E7F,?,?,?,00000000), ref: 00313A78

Part of subcall function 00313357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00313379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0031356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0035318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 003531CE
RegCloseKey.ADVAPI32(?), ref: 00353210
_wcslen.LIBCMT ref: 00353277
_wcslen.LIBCMT ref: 00353286

Strings

Software\AutoIt v3\AutoIt, xrefs: 00313560
Include, xrefs: 00353184, 003531C5
\, xrefs: 0035328C
\Include\, xrefs: 00313527

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 78813244278a00cb26f3ad87e6cccaad294894904f7b957aad4d9f0e80954878
Instruction ID: 8f94f5f4ada3011fa1ef426d1fabc8ce4f3b2fff2c0e7fc939d988b2199e98c6
Opcode Fuzzy Hash: 78813244278a00cb26f3ad87e6cccaad294894904f7b957aad4d9f0e80954878
Instruction Fuzzy Hash: 81716F755043409EC31ADF65DC829ABBBECFF89740F40092EF5459B2A0DB749A88CF61

Function 00312B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00312B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00312B9D
LoadIconW.USER32(00000063), ref: 00312BB3
LoadIconW.USER32(000000A4), ref: 00312BC5
LoadIconW.USER32(000000A2), ref: 00312BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00312BEF
RegisterClassExW.USER32(?), ref: 00312C40

Part of subcall function 00312CD4: GetSysColorBrush.USER32(0000000F), ref: 00312D07
Part of subcall function 00312CD4: RegisterClassExW.USER32(00000030), ref: 00312D31
Part of subcall function 00312CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00312D42
Part of subcall function 00312CD4: InitCommonControlsEx.COMCTL32(?), ref: 00312D5F
Part of subcall function 00312CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00312D6F
Part of subcall function 00312CD4: LoadIconW.USER32(000000A9), ref: 00312D85
Part of subcall function 00312CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00312D94

Strings

AutoIt v3, xrefs: 00312C2F
0, xrefs: 00312C0F
#, xrefs: 00312C16

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 1ba625ce71f3b3498dfc251e3b0f63f444f5d3cfd49b93020e1f1c831a93f4f4
Instruction ID: 602e9904588bf21f118446498aa1fe43e0abd3a340e6704ba6dc3ad7c17d7527
Opcode Fuzzy Hash: 1ba625ce71f3b3498dfc251e3b0f63f444f5d3cfd49b93020e1f1c831a93f4f4
Instruction Fuzzy Hash: 0D212F78E10354AFDB229F95EC95A9D7FB8FB49B50F00011AF500AA7A0D7B11540CF90

Function 0031B710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0031BB4E

Strings

x#>, xrefs: 00360168
x#>, xrefs: 00360207
p#>, xrefs: 0031BB6B
p%>, xrefs: 0031BB32
p%>, xrefs: 0031B8DC
p#>, xrefs: 0036024F
p#>, xrefs: 00360263
p#>, xrefs: 0031BA72

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#>$p#>$p#>$p#>$p%>$p%>$x#>$x#>
API String ID: 1385522511-3338821207
Opcode ID: 3a8339d5fb04bdc58a970bde6bd94ad9e84fab752620169a308d9265b46264fa
Instruction ID: 8278f35e74f515f51e3297d5a2794faefc8ff8eb8897c82e275f1b7f71d6a8d0
Opcode Fuzzy Hash: 3a8339d5fb04bdc58a970bde6bd94ad9e84fab752620169a308d9265b46264fa
Instruction Fuzzy Hash: 4932DD38A00249DFCB2ACF54C895AFEB7B9EF49300F258059E915AB791C774ED81CB91

Function 00313170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0031316A,?,?), ref: 003131D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0031316A,?,?), ref: 00313204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00313227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0031316A,?,?), ref: 00313232
CreatePopupMenu.USER32 ref: 00313246
PostQuitMessage.USER32(00000000), ref: 00313267

Strings

TaskbarCreated, xrefs: 0031322D

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 01d655ef956f5abba8ffc3d59f934cdc2fdc5f75be7f7b8eaad67de2cc85d11a
Instruction ID: 2cc2049096510b5d12b2c6a577332674723965bb661d99737d68ac3206ab9622
Opcode Fuzzy Hash: 01d655ef956f5abba8ffc3d59f934cdc2fdc5f75be7f7b8eaad67de2cc85d11a
Instruction Fuzzy Hash: 7941F535250244AADB2F7B68DD4EBFA366DE70E340F050225F9128A6E1CB71DAC197A1

Function 00311410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00311459
CoUninitialize.COMBASE ref: 003114F8
UnregisterHotKey.USER32(?), ref: 003116DD
DestroyWindow.USER32(?), ref: 003524B9
FreeLibrary.KERNEL32(?), ref: 0035251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0035254B

Strings

close all, xrefs: 00311454

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: a44486e56aa293f0f56e52eec97d5b6d05589ac80aaf5f49cc8bbaf9fe30bfdf
Instruction ID: c6bdea4ffa60e80a42726deb2ead0447d65780ce8311b0321a6102293d7a14f8
Opcode Fuzzy Hash: a44486e56aa293f0f56e52eec97d5b6d05589ac80aaf5f49cc8bbaf9fe30bfdf
Instruction Fuzzy Hash: 8CD19B317012228FCB1BEF15C895EAAF7A4BF0A701F1545ADE94A6B261DB30AC56CF50

Function 00312C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00312C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00312CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00311CAD,?), ref: 00312CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00311CAD,?), ref: 00312CCF

Strings

AutoIt v3, xrefs: 00312C89, 00312C8E, 00312C8F
edit, xrefs: 00312CAC

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: a4e1eea4b20c34ffe745b235e43b9665e0cd289e211b6a0a99677570c49c9f7a
Instruction ID: 2eec42414eccb50c4fc387f0ddcb303cb1fefcebc911b6554c5749ceb47a96f5
Opcode Fuzzy Hash: a4e1eea4b20c34ffe745b235e43b9665e0cd289e211b6a0a99677570c49c9f7a
Instruction Fuzzy Hash: 3DF0B7795502D07EEB321717AC88EB72EBDD7C7F50F00115EF900AA5E0C6B11851DAB0

Function 0037E97B Relevance: 7.5, APIs: 5, Instructions: 47
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0037E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0037E9A5
Sleep.KERNEL32(00000000), ref: 0037E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0037E9B7
Sleep.KERNELBASE ref: 0037E9F3

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 1ff5819c633cdddd75b04a16db5e9f51ab7733e596e2766b5e8a2235ce6c8f68
Instruction ID: de659ed7ab52248c4156aff6a3149410e6c6f0fda1395336e89424348697ad00
Opcode Fuzzy Hash: 1ff5819c633cdddd75b04a16db5e9f51ab7733e596e2766b5e8a2235ce6c8f68
Instruction Fuzzy Hash: 12015B32D11529DBCF129BE4D849ADDBB78BF0E301F014586E606B2241CB389555CB61

Function 00313B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00313B0F,SwapMouseButtons,00000004,?), ref: 00313B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00313B0F,SwapMouseButtons,00000004,?), ref: 00313B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00313B0F,SwapMouseButtons,00000004,?), ref: 00313B83

Strings

Control Panel\Mouse, xrefs: 00313B3E

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: ccbc20e89a9f2e4c3499913e183c44e846a8dd9dfdc5c8a3cfdb97159c62bf9e
Instruction ID: 1edd6c82ddb94993779e3ef024eaca4ff19cdbc6a3b39dc2f310df38ccd4a73d
Opcode Fuzzy Hash: ccbc20e89a9f2e4c3499913e183c44e846a8dd9dfdc5c8a3cfdb97159c62bf9e
Instruction Fuzzy Hash: 7B112AB5524208FFDB26CFA5DC44AEFB7BCEF09744B118459A805D7110E231DE809760

Function 00313923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 003533A2

Part of subcall function 00316B57: _wcslen.LIBCMT ref: 00316B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00313A04

Strings

Line: , xrefs: 003533EB

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 05715f8f19c322d38f5e4530a6eb9cac2ef299370ed27458d02300ebeddd848b
Instruction ID: a357fdd3ea85f6535952af025f8b8a23b1c6f3936618e39d3c58788b3e9f68ef
Opcode Fuzzy Hash: 05715f8f19c322d38f5e4530a6eb9cac2ef299370ed27458d02300ebeddd848b
Instruction Fuzzy Hash: 7231A371508344AAC72BEB60DC46FEBB7ECAF48710F004A2AF599971D1DB709689C7C2

Function 00312DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00352C8C

Part of subcall function 00313AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00313A97,?,?,00312E7F,?,?,?,00000000), ref: 00313AC2

Part of subcall function 00312DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00312DC4

Strings

`e=, xrefs: 00352C85
X, xrefs: 00352C5A

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e=
API String ID: 779396738-3911472045
Opcode ID: 860dd81f200cb989a56047dfae68fed08623ad56cbc1dd2d6edb0307e211416f
Instruction ID: b617769f40872b5a7e6b5b3f0e2252e48eca88215e3be17ff1cd1f4650634ec4
Opcode Fuzzy Hash: 860dd81f200cb989a56047dfae68fed08623ad56cbc1dd2d6edb0307e211416f
Instruction Fuzzy Hash: AA21D571A002989FCB47DF94D846BEE7BFCAF49304F00805AE405AB241DBB49A898F61

Function 0032FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00330668

Part of subcall function 003332A4: RaiseException.KERNEL32(?,?,?,0033068A,?,003E1444,?,?,?,?,?,?,0033068A,00311129,003D8738,00311129), ref: 00333304

__CxxThrowException@8.LIBVCRUNTIME ref: 00330685

Strings

Unknown exception, xrefs: 00330692

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 055711145115b33afd18ee3d7a48fc28ef7e06336205b20c1c129f896e44049a
Instruction ID: 77a65cad5a4aba5a36e7711cb3304b5aa7cab614cb3c42ee0ef80f61ab5d549f
Opcode Fuzzy Hash: 055711145115b33afd18ee3d7a48fc28ef7e06336205b20c1c129f896e44049a
Instruction Fuzzy Hash: AAF0C23490020DBBCB07B7A4E8D6C9E777C9E00310F608531F924DA599EF71EA65C6C0

Function 003110F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00311BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00311BF4
Part of subcall function 00311BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00311BFC
Part of subcall function 00311BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00311C07
Part of subcall function 00311BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00311C12
Part of subcall function 00311BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00311C1A
Part of subcall function 00311BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00311C22

Part of subcall function 00311B4A: RegisterWindowMessageW.USER32(00000004,?,003112C4), ref: 00311BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0031136A
OleInitialize.OLE32 ref: 00311388
CloseHandle.KERNEL32(00000000,00000000), ref: 003524AB

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: aca697bd0c1188498028055af95c869c0e30e262238f482502e0e5d7c28bc6ba
Instruction ID: 5fd1f814937faddf9e90b7a6d05e044e7bed8158b7e341d0094ad6889643b9f3
Opcode Fuzzy Hash: aca697bd0c1188498028055af95c869c0e30e262238f482502e0e5d7c28bc6ba
Instruction Fuzzy Hash: 0A71A2B99113D48EC7A7DF7AA9856993AE8FB8A340B54532ED40ACF3E1E7304485CF41

Function 0037C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00313923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00313A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0037C259
KillTimer.USER32(?,00000001,?,?), ref: 0037C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0037C270

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: d22cdf499afc44bdd68e42918c3682579b31faeba51ef4e05bc614afab2a05a3
Instruction ID: a580aa0648b78adba68f07b5c74f45bbc4c66b987d4eaf8dcbc85bfd3010b19c
Opcode Fuzzy Hash: d22cdf499afc44bdd68e42918c3682579b31faeba51ef4e05bc614afab2a05a3
Instruction Fuzzy Hash: 8231B170914344AFEF338B649895BE7BBEC9B06304F00549ED29EA7242C7785A84CB51

Function 003486AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,003485CC,?,003D8CC8,0000000C), ref: 00348704
GetLastError.KERNEL32(?,003485CC,?,003D8CC8,0000000C), ref: 0034870E
__dosmaperr.LIBCMT ref: 00348739

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: cbd3735c11fc0b36e6b789e04fa37eeafc77de3e152f623f2708d9d23e483344
Instruction ID: e0be4fd736fb36d68b44618592d6eb68f69a1bcd9febcfb4be2c2ce00a1bcff7
Opcode Fuzzy Hash: cbd3735c11fc0b36e6b789e04fa37eeafc77de3e152f623f2708d9d23e483344
Instruction Fuzzy Hash: 70012B37A0566027D6A767346885B7E6BCD4B82778F3B0219FA149F1D3DEA8BC818150

Function 0031DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0031DB7B
DispatchMessageW.USER32(?), ref: 0031DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0031DB9F
Sleep.KERNELBASE(0000000A), ref: 0031DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00361CC9

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 8caed273cce8d7808af7e56188664abafa484eb34443cbff03f7a12323ad1e0f
Instruction ID: 753bb5248caaad57d5f05b144454b346cc03a50a8d4a6ecec1e8e100353244c7
Opcode Fuzzy Hash: 8caed273cce8d7808af7e56188664abafa484eb34443cbff03f7a12323ad1e0f
Instruction Fuzzy Hash: BAF05E316443849BE736CB608C89FEA73ACEB8A310F108618E65A870C0DB30A4888B25

Function 00321310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 003217F6

Strings

CALL, xrefs: 003217C6

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 82df507c6a71170eaad2bc00982a63840579f49a4218ca3a4819de49b7a9087d
Instruction ID: 8b9992b043103d466b535b5ed8f9ba06046278c58ffb0af51b5621298ed9c0da
Opcode Fuzzy Hash: 82df507c6a71170eaad2bc00982a63840579f49a4218ca3a4819de49b7a9087d
Instruction Fuzzy Hash: E022BC706083519FC716DF14D581B2ABBF5BF9A344F25896DF8868B3A1D731E841CB82

Function 00313837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00313908

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 9bdaf6e1d0844651fafe40f14624b98cff45c3929f217fa4e27dd8828cfa58c7
Instruction ID: fc4010cb79048f74e5cefe2fd19a2c167660e1c92a74b5107faa3ae4fec41006
Opcode Fuzzy Hash: 9bdaf6e1d0844651fafe40f14624b98cff45c3929f217fa4e27dd8828cfa58c7
Instruction Fuzzy Hash: FB3191745043019FD722DF24D8847D7BBE8FB4D708F00092EF99997290E771AA88CB52

Function 0032F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0032F661

Part of subcall function 0031D730: GetInputState.USER32 ref: 0031D807

Sleep.KERNEL32(00000000), ref: 0036F2DE

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 49137a70659322659284232ba2628fa429f52579489589c254e32b349f642a6b
Instruction ID: c8fe1c44dcf5f0ad7a9c14dd8466c48a503e78ef287230e36532188f2b60c560
Opcode Fuzzy Hash: 49137a70659322659284232ba2628fa429f52579489589c254e32b349f642a6b
Instruction Fuzzy Hash: 61F08C312402159FD315EF69E449BAAF7E9EF4A760F004029E859CB2A0EB70A840CF90

Function 003A13B7 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000001,?), ref: 003A1420

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 4247128bbc1315aa07fc2d4c1a8e9d2eb897f99b6cafb45bbe1b16e75c3bcc61
Instruction ID: 170a07b1c760322fb652fb6dfa64c5b792f037a292d3bbb8e8e43a35fe1c8d8f
Opcode Fuzzy Hash: 4247128bbc1315aa07fc2d4c1a8e9d2eb897f99b6cafb45bbe1b16e75c3bcc61
Instruction Fuzzy Hash: 1E31B130204602AFD716EF2AC495B69F7A6FF4A324F048168E8594F392DB35EC41CBD0

Function 00314ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00314E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00314EDD,?,003E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00314E9C
Part of subcall function 00314E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00314EAE
Part of subcall function 00314E90: FreeLibrary.KERNEL32(00000000,?,?,00314EDD,?,003E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00314EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,003E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00314EFD

Part of subcall function 00314E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00353CDE,?,003E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00314E62
Part of subcall function 00314E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00314E74
Part of subcall function 00314E59: FreeLibrary.KERNEL32(00000000,?,?,00353CDE,?,003E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00314E87

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 3b74a88d7e21788352d87f9764f49a0f3051d197a150dd1a33e0de1352001571
Instruction ID: f2e6ff4a277f2bd29b90b653d39820cca007631bdc8c6837eb0528d69e1b713a
Opcode Fuzzy Hash: 3b74a88d7e21788352d87f9764f49a0f3051d197a150dd1a33e0de1352001571
Instruction Fuzzy Hash: 4A11E332610205ABDF1BBB60DC02FED77A5AF88B11F10842DF542AE2D1EE71DA85D760

Function 00348402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00348440

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 19bf10479ce688856d108e910c6070329f32567c34cc240a1ddf2307f33b403d
Instruction ID: 0f4831ef40ab1c2816c4a5b724a289655fc6cf67126509f084e9bf7e545dd9c2
Opcode Fuzzy Hash: 19bf10479ce688856d108e910c6070329f32567c34cc240a1ddf2307f33b403d
Instruction Fuzzy Hash: AC11487590410AAFCB06DF58E94099E7BF8EF48300F114059FC08AB312DB31EA11CBA4

Function 00345000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00344C7D: RtlAllocateHeap.NTDLL(00000008,00311129,00000000,?,00342E29,00000001,00000364,?,?,?,0033F2DE,00343863,003E1444,?,0032FDF5,?), ref: 00344CBE

_free.LIBCMT ref: 0034506C

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: dbcd664dd2cd4fc1c1aa497f46fa48587c7918ce5265f9178271c1cc5ade7514
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: B70126766047056BE3228E659881A9AFBEDFB89370F65052DE1849B281EA30B805C6B4

Function 003A29BF Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?,?,?,003A14B5,?), ref: 003A2A01

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 3df7ff5fe8e1394573f747cce8eeb577cb1fe52de48567c7a7a342b0271dc5f3
Instruction ID: e58f613d1c8803a6697bc31c37da1bad855e77f2570450bbe8fc3778cf0fec9e
Opcode Fuzzy Hash: 3df7ff5fe8e1394573f747cce8eeb577cb1fe52de48567c7a7a342b0271dc5f3
Instruction Fuzzy Hash: FA01B136300A419FD32ACB2CC454F233792EB8A314F2A8468C0478B251DB32EC52C7A0

Function 0033E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 8ba8d1e4b3a1bcb1ae19ddeac83ffbdb56b5f6f6e1b946e78bf64a3685a2b836
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 7EF02832510A14ABD7333A6A9C46B5B37DC9F52335F110729F8209F1D2CB74E80186A5

Function 00344C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00311129,00000000,?,00342E29,00000001,00000364,?,?,?,0033F2DE,00343863,003E1444,?,0032FDF5,?), ref: 00344CBE

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0c42ca4bef5fc55bbe1b4efe7d62a539e8c5662a2696fd5aa1f8f5d8cd930861
Instruction ID: 9209766b8b93b41e1ccfa03a8e7cd54a6d02cf36fa044bed1bbf2e9a053002cd
Opcode Fuzzy Hash: 0c42ca4bef5fc55bbe1b4efe7d62a539e8c5662a2696fd5aa1f8f5d8cd930861
Instruction Fuzzy Hash: 63F0543164622476DB235F62AC85B5A37CDAF41BA1F1E8135B815AE591CA70FC0147A0

Function 00343820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,003E1444,?,0032FDF5,?,?,0031A976,00000010,003E1440,003113FC,?,003113C6,?,00311129), ref: 00343852

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e9fe663483d1e4c162e644b99d6df387e3b11f72a5eb18df976ce23ad8f97aeb
Instruction ID: 351120eb20f3bd87ef577e083463a7c0d00f5b3da1e7958b51b8d4c765a8717a
Opcode Fuzzy Hash: e9fe663483d1e4c162e644b99d6df387e3b11f72a5eb18df976ce23ad8f97aeb
Instruction Fuzzy Hash: CAE0653550122496D63327679C05B9BB6CDAF427B0F160121BC559F991DB21FD0586E1

Function 00314F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,003E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00314F6D

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 894dd829cba8c03c74fd1b820e1ac57898aaffcdb37f613f5e58b481734535f8
Instruction ID: 6fb070b6e51330b425344711221fdc20b45e44b6b4343cb228f32b0dace8c034
Opcode Fuzzy Hash: 894dd829cba8c03c74fd1b820e1ac57898aaffcdb37f613f5e58b481734535f8
Instruction Fuzzy Hash: 22F03071105751CFDB3A9F64D490892B7E4EF19319315897EE1DA86611C7319885DF10

Function 003A2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 003A2A66

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 153207283115bba6a80ef522023b0c915de4eb67a402c20af8d6c590ddc4ef50
Instruction ID: 6976e323405d36989cefc212e063c0ed1464658da5638ac48a42157a63558a95
Opcode Fuzzy Hash: 153207283115bba6a80ef522023b0c915de4eb67a402c20af8d6c590ddc4ef50
Instruction Fuzzy Hash: A8E04F36350116AEC766EA34DC809FB735CEB52395B10453AAC2AD6110DF34999596A0

Function 003130F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0031314E

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: eb38dd7b449a58a43a526b1d25c486dd15b9ac6f2f8fade6c058b8812f690bb7
Instruction ID: bc2bde73f6dd8b92eb9f92d372f0b01a9facff0b99a0575b614a872b47235f73
Opcode Fuzzy Hash: eb38dd7b449a58a43a526b1d25c486dd15b9ac6f2f8fade6c058b8812f690bb7
Instruction Fuzzy Hash: 48F037749143589FE763DB24DC857D67BBCAB05708F0001E5A5489A2D1D77457C8CF51

Function 00312DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00312DC4

Part of subcall function 00316B57: _wcslen.LIBCMT ref: 00316B6A

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: ebe6831eaddd0f1e18c0399d6363dabba11e7322870fcb10f69988ffc1b4dcfe
Instruction ID: 34deaf7a8725202208110cec9d2276bea6ff668bb166ffa5daa84eb9b5a7c6e9
Opcode Fuzzy Hash: ebe6831eaddd0f1e18c0399d6363dabba11e7322870fcb10f69988ffc1b4dcfe
Instruction Fuzzy Hash: DBE0C272A042245BCB22A298DC06FEA77EDDFC8790F0541B1FD09EB258DA60AD848690

Function 00312B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00313837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00313908

Part of subcall function 0031D730: GetInputState.USER32 ref: 0031D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00312B6B

Part of subcall function 003130F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0031314E

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 1698cf2aeaf93dd21cc75199e90d29a24f71f52e6ce57c649c17f4f7211cb53d
Instruction ID: 21286ab4aa687397e041a3e84b6ce3d56f3ecb82b189c39b594a993a9284f137
Opcode Fuzzy Hash: 1698cf2aeaf93dd21cc75199e90d29a24f71f52e6ce57c649c17f4f7211cb53d
Instruction Fuzzy Hash: F7E0863130425407CA0FBB75A8525EDA7AD9BDE351F40153EF1464F2E2CE6489C94752

Function 0035039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00350704,?,?,00000000,?,00350704,00000000,0000000C), ref: 003503B7

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 74e0d8a72b5e9a70dbcaa5258524fca9043de3f941a05803678c0bc1d80de76a
Instruction ID: d88ef2e995bba25b395e069165189c521f75d1af93b218291925251cd9e6223f
Opcode Fuzzy Hash: 74e0d8a72b5e9a70dbcaa5258524fca9043de3f941a05803678c0bc1d80de76a
Instruction Fuzzy Hash: A0D06C3215010DBBDF028F84DD06EDA3BAAFB48714F014100BE1856020C736E821AB90

Function 00311CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00311CBC

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: ebced630b5887844a135a7d9014c2bbe55e82fc83199d4d4f5669c7ac11b2abd
Instruction ID: 64dd5097b981e8736f40d9e888522ab66b0e798b12ff1be4fefa36a3e6fe36f9
Opcode Fuzzy Hash: ebced630b5887844a135a7d9014c2bbe55e82fc83199d4d4f5669c7ac11b2abd
Instruction Fuzzy Hash: 6BC09B352803449FF6274781BD8AF11775CA349B00F444101F6095D5E3C7B11810D750

Non-executed Functions

Function 003A9576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00329BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00329BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 003A961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 003A965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 003A969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003A96C9
SendMessageW.USER32 ref: 003A96F2
GetKeyState.USER32(00000011), ref: 003A978B
GetKeyState.USER32(00000009), ref: 003A9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 003A97AE
GetKeyState.USER32(00000010), ref: 003A97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003A97E9
SendMessageW.USER32 ref: 003A9810
SendMessageW.USER32(?,00001030,?,003A7E95), ref: 003A9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 003A992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 003A9941
SetCapture.USER32(?), ref: 003A994A
ClientToScreen.USER32(?,?), ref: 003A99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 003A99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003A99D6
ReleaseCapture.USER32 ref: 003A99E1
GetCursorPos.USER32(?), ref: 003A9A19
ScreenToClient.USER32(?,?), ref: 003A9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 003A9A80
SendMessageW.USER32 ref: 003A9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 003A9AEB
SendMessageW.USER32 ref: 003A9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 003A9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 003A9B4A
GetCursorPos.USER32(?), ref: 003A9B68
ScreenToClient.USER32(?,?), ref: 003A9B75
GetParent.USER32(?), ref: 003A9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 003A9BFA
SendMessageW.USER32 ref: 003A9C2B
ClientToScreen.USER32(?,?), ref: 003A9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 003A9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 003A9CDE
SendMessageW.USER32 ref: 003A9D01
ClientToScreen.USER32(?,?), ref: 003A9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 003A9D82

Part of subcall function 00329944: GetWindowLongW.USER32(?,000000EB), ref: 00329952

GetWindowLongW.USER32(?,000000F0), ref: 003A9E05

Strings

@GUI_DRAGID, xrefs: 003A997D
F, xrefs: 003A9D07
p#>, xrefs: 003A9990

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#>
API String ID: 3429851547-711497766
Opcode ID: 22d013be6236ee261611c18fe2ba65ab24e4b383cf310ed6d290dc935cace846
Instruction ID: b2f139c91623a58083fd96ac3d675a78990d6f444c8f27d4a69d706557db2287
Opcode Fuzzy Hash: 22d013be6236ee261611c18fe2ba65ab24e4b383cf310ed6d290dc935cace846
Instruction Fuzzy Hash: 7C425F34604241AFD726CF24CC84FAABBE9FF4A324F15461AF595AB2B1D731D850CB91

Function 003A4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 003A48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 003A4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 003A4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 003A494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 003A495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 003A497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 003A49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 003A49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 003A4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 003A4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 003A4A7E
IsMenu.USER32(?), ref: 003A4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 003A4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 003A4B20
GetWindowLongW.USER32(?,000000F0), ref: 003A4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 003A4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 003A4C82
wsprintfW.USER32 ref: 003A4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 003A4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 003A4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 003A4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 003A4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 003A4D5A

Strings

%d/%02d/%02d, xrefs: 003A4CA8

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 09d14f0ab3d95a34bbb5bbd273a8cda89fe889e10c631f46fbde45a766e048d9
Instruction ID: 77a5f43af5411ed0a89e5621926645f0faab49aadeebaa622649c351c1a6f5ea
Opcode Fuzzy Hash: 09d14f0ab3d95a34bbb5bbd273a8cda89fe889e10c631f46fbde45a766e048d9
Instruction Fuzzy Hash: 8712E171600254AFEB268F24DC49FAEBBF8EF86710F144129F516EB2E1DBB49941CB50

Function 0032F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0032F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0036F474
IsIconic.USER32(00000000), ref: 0036F47D
ShowWindow.USER32(00000000,00000009), ref: 0036F48A
SetForegroundWindow.USER32(00000000), ref: 0036F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0036F4AA
GetCurrentThreadId.KERNEL32 ref: 0036F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0036F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0036F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0036F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0036F4DE
SetForegroundWindow.USER32(00000000), ref: 0036F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0036F4F6
keybd_event.USER32(00000012,00000000), ref: 0036F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0036F50B
keybd_event.USER32(00000012,00000000), ref: 0036F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0036F519
keybd_event.USER32(00000012,00000000), ref: 0036F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0036F528
keybd_event.USER32(00000012,00000000), ref: 0036F52D
SetForegroundWindow.USER32(00000000), ref: 0036F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0036F557

Strings

Shell_TrayWnd, xrefs: 0036F46F

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: c4c7e8856dc1954740b3a1471ab06b56d94b062991301d7e961ac8bd3a29842a
Instruction ID: 7773cd368e494e0b29824ac02857aeb009f67a2112360ed932035b92fba3b026
Opcode Fuzzy Hash: c4c7e8856dc1954740b3a1471ab06b56d94b062991301d7e961ac8bd3a29842a
Instruction Fuzzy Hash: E131A471A50218BFEB226BB65C4AFBF7E6CEB46B50F115025FA01E61D1CBB15D00AA60

Function 00371201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 003716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0037170D
Part of subcall function 003716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0037173A
Part of subcall function 003716C3: GetLastError.KERNEL32 ref: 0037174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00371286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 003712A8
CloseHandle.KERNEL32(?), ref: 003712B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 003712D1
GetProcessWindowStation.USER32 ref: 003712EA
SetProcessWindowStation.USER32(00000000), ref: 003712F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00371310

Part of subcall function 003710BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003711FC), ref: 003710D4
Part of subcall function 003710BF: CloseHandle.KERNEL32(?,?,003711FC), ref: 003710E9

Strings

winsta0, xrefs: 003712CC
, xrefs: 0037125A
Z=, xrefs: 00371392
default, xrefs: 0037130B

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z=
API String ID: 22674027-2879544205
Opcode ID: f7cc4f2f7dcb52bcf575712282992097a67d317d534a97a428b0deb303d7f98a
Instruction ID: 4a5a86244ede5187278bff28c9194f8fd98a7d588125e809557bd0b9fc9d04b3
Opcode Fuzzy Hash: f7cc4f2f7dcb52bcf575712282992097a67d317d534a97a428b0deb303d7f98a
Instruction Fuzzy Hash: FC81A172900209AFDF22DFA9DC49FEE7BBDEF05704F148129F914A61A0D7798944DB60

Function 00370B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00371114
Part of subcall function 003710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00370B9B,?,?,?), ref: 00371120
Part of subcall function 003710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00370B9B,?,?,?), ref: 0037112F
Part of subcall function 003710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00370B9B,?,?,?), ref: 00371136
Part of subcall function 003710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0037114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00370BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00370C00
GetLengthSid.ADVAPI32(?), ref: 00370C17
GetAce.ADVAPI32(?,00000000,?), ref: 00370C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00370C6D
GetLengthSid.ADVAPI32(?), ref: 00370C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00370C8C
HeapAlloc.KERNEL32(00000000), ref: 00370C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00370CB4
CopySid.ADVAPI32(00000000), ref: 00370CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00370CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00370D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00370D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00370D45
HeapFree.KERNEL32(00000000), ref: 00370D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00370D55
HeapFree.KERNEL32(00000000), ref: 00370D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00370D65
HeapFree.KERNEL32(00000000), ref: 00370D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00370D78
HeapFree.KERNEL32(00000000), ref: 00370D7F

Part of subcall function 00371193: GetProcessHeap.KERNEL32(00000008,00370BB1,?,00000000,?,00370BB1,?), ref: 003711A1
Part of subcall function 00371193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00370BB1,?), ref: 003711A8
Part of subcall function 00371193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00370BB1,?), ref: 003711B7

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 5ce94c9cb30c1197b271ae789eb1d0f075c6f14ed34f9856ba96cb655c808109
Instruction ID: 9e1ddb5f67ecb6cc29c7023da34a81a7f85ba288f3ba578535274e076a1a96bc
Opcode Fuzzy Hash: 5ce94c9cb30c1197b271ae789eb1d0f075c6f14ed34f9856ba96cb655c808109
Instruction Fuzzy Hash: 8D715C72A0020AEBDF26DFA4DC44BAEBBBCBF09310F058515E919A6291D775A905CB60

Function 0038EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(003ACC08), ref: 0038EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0038EB37
GetClipboardData.USER32(0000000D), ref: 0038EB43
CloseClipboard.USER32 ref: 0038EB4F
GlobalLock.KERNEL32(00000000), ref: 0038EB87
CloseClipboard.USER32 ref: 0038EB91
GlobalUnlock.KERNEL32(00000000), ref: 0038EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0038EBC9
GetClipboardData.USER32(00000001), ref: 0038EBD1
GlobalLock.KERNEL32(00000000), ref: 0038EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0038EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0038EC38
GetClipboardData.USER32(0000000F), ref: 0038EC44
GlobalLock.KERNEL32(00000000), ref: 0038EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0038EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0038EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0038ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0038ECF3
CountClipboardFormats.USER32 ref: 0038ED14
CloseClipboard.USER32 ref: 0038ED59

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 939e619f5e7bf3e4b29c2bffd4dba7232fb4308ba8bb10e5c5be6b8c11eee56a
Instruction ID: 7a5e4452dd4023603d72609e8587581f2a2000de802a45aa5f968b4489f08b75
Opcode Fuzzy Hash: 939e619f5e7bf3e4b29c2bffd4dba7232fb4308ba8bb10e5c5be6b8c11eee56a
Instruction Fuzzy Hash: 4761F1352083019FD307EF20C895F6ABBE8AF89714F08559DF4569B2A2DB30DD49CB62

Function 0038698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 003869BE
FindClose.KERNEL32(00000000), ref: 00386A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00386A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00386A75

Part of subcall function 00319CB3: _wcslen.LIBCMT ref: 00319CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00386AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00386ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00386B6A
%03d, xrefs: 00386DA2
%4d, xrefs: 00386BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00386B32
%02d, xrefs: 00386C00, 00386C0A, 00386C5A, 00386CAA, 00386CFA, 00386D4A

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: bd91481ef0b06fb8625e4fcd130ca712406920a448ac7a55c51409d7584288d6
Instruction ID: e08464277b825427d6258829dd51d40c8cb62f3f1f5430e30e1aca07d38c85b5
Opcode Fuzzy Hash: bd91481ef0b06fb8625e4fcd130ca712406920a448ac7a55c51409d7584288d6
Instruction Fuzzy Hash: 1ED15272508300AFC715EBA4D896EABB7FCAF88704F04495EF585CB191EB74DA44CB62

Function 00389642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00389663
GetFileAttributesW.KERNEL32(?), ref: 003896A1
SetFileAttributesW.KERNEL32(?,?), ref: 003896BB
FindNextFileW.KERNEL32(00000000,?), ref: 003896D3
FindClose.KERNEL32(00000000), ref: 003896DE
FindFirstFileW.KERNEL32(*.*,?), ref: 003896FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0038974A
SetCurrentDirectoryW.KERNEL32(003D6B7C), ref: 00389768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00389772
FindClose.KERNEL32(00000000), ref: 0038977F
FindClose.KERNEL32(00000000), ref: 0038978F

Strings

*.*, xrefs: 003896F5

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 50780127bd7e6b49cc39d17c7d423c494a21eba4d46e5337d9cd74bdddffa065
Instruction ID: 87c82c4a207df1e88a701fed5e8fa70433bf6bc3639e32520e41211e9db6737b
Opcode Fuzzy Hash: 50780127bd7e6b49cc39d17c7d423c494a21eba4d46e5337d9cd74bdddffa065
Instruction Fuzzy Hash: 9531C0325003196ADF12AFB4EC49BEE77ACAF4A320F184597F815E21A0EB34DE408B54

Function 0038979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 003897BE
FindNextFileW.KERNEL32(00000000,?), ref: 00389819
FindClose.KERNEL32(00000000), ref: 00389824
FindFirstFileW.KERNEL32(*.*,?), ref: 00389840
SetCurrentDirectoryW.KERNEL32(?), ref: 00389890
SetCurrentDirectoryW.KERNEL32(003D6B7C), ref: 003898AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 003898B8
FindClose.KERNEL32(00000000), ref: 003898C5
FindClose.KERNEL32(00000000), ref: 003898D5

Part of subcall function 0037DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0037DB00

Strings

*.*, xrefs: 0038983B

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: e314cb20d225eeaf8f78cd2b3e2f50654003aad5d63f44458aeb5d35751ecb6a
Instruction ID: 085cd9e5716d40fbe56ef742a8a1fcc2e7abbe9a5f5e81ee9220929dafb60fd5
Opcode Fuzzy Hash: e314cb20d225eeaf8f78cd2b3e2f50654003aad5d63f44458aeb5d35751ecb6a
Instruction Fuzzy Hash: B331A33250071A6EDF12AFB4EC49BEE77AC9F06324F194597E814E6190DB30DE458B60

Function 0039BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0039C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0039B6AE,?,?), ref: 0039C9B5
Part of subcall function 0039C998: _wcslen.LIBCMT ref: 0039C9F1
Part of subcall function 0039C998: _wcslen.LIBCMT ref: 0039CA68
Part of subcall function 0039C998: _wcslen.LIBCMT ref: 0039CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0039BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0039BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0039BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0039C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0039C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0039C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0039C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0039C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0039C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0039C382
RegCloseKey.ADVAPI32(00000000), ref: 0039C38F

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 8934ee2eec06f39319172d0f9c1c3f83ed1865818ef2ef298b962010ccef4347
Instruction ID: 4dec5e7e345be2dc7b90e0014894e3357fc3ded33f9fd4a3b104ad9dc5a353ce
Opcode Fuzzy Hash: 8934ee2eec06f39319172d0f9c1c3f83ed1865818ef2ef298b962010ccef4347
Instruction Fuzzy Hash: 5D025D716142009FDB16DF28C891E2ABBE5EF89314F19849DF88ACF2A2D731ED45CB51

Function 00388195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00388257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00388267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00388273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00388310
SetCurrentDirectoryW.KERNEL32(?), ref: 00388324
SetCurrentDirectoryW.KERNEL32(?), ref: 00388356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0038838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00388395

Strings

*.*, xrefs: 0038839B

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 2001d3a67e89aa02c949170c42f950b979a74d8bb297d311494c17197bc03461
Instruction ID: 2e69872ed7f53c5f0b0be7a10ad3046d3970792ba58efa9ea11f25fe3314ad40
Opcode Fuzzy Hash: 2001d3a67e89aa02c949170c42f950b979a74d8bb297d311494c17197bc03461
Instruction Fuzzy Hash: 9A618D765043059FCB15EF60C8809AEB3E9FF89310F44895EF989CB251EB35E945CB92

Function 0037D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00313AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00313A97,?,?,00312E7F,?,?,?,00000000), ref: 00313AC2

Part of subcall function 0037E199: GetFileAttributesW.KERNEL32(?,0037CF95), ref: 0037E19A

FindFirstFileW.KERNEL32(?,?), ref: 0037D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0037D1DD
MoveFileW.KERNEL32(?,?), ref: 0037D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0037D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0037D237

Part of subcall function 0037D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0037D21C,?,?), ref: 0037D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0037D253
FindClose.KERNEL32(00000000), ref: 0037D264

Strings

\*.*, xrefs: 0037D0CD, 0037D0D6, 0037D0EB

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: ff4ad1b7f650e4893b33e7ef129152173409d539a4dd9e5942731727733e28cd
Instruction ID: 635cb0ab5e2987c76e584acad157e7ce099a06c3b0004ed0f379d8527b0404d7
Opcode Fuzzy Hash: ff4ad1b7f650e4893b33e7ef129152173409d539a4dd9e5942731727733e28cd
Instruction Fuzzy Hash: E961823180110D9FCF1BEBE0C952AEDB779AF19300F6485A5E4067B192EB356F49DB60

Function 0038ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0038ED91
EmptyClipboard.USER32 ref: 0038ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0038EDAC
CloseClipboard.USER32 ref: 0038EEA3

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 5c420170d223c6da90e24c05f6312a1971d933c8d480a50a6841f81c335458d7
Instruction ID: 7debba87e1cd8ecfc2b171c84466e8facd3340a61ac826fb49a9ab9f02260459
Opcode Fuzzy Hash: 5c420170d223c6da90e24c05f6312a1971d933c8d480a50a6841f81c335458d7
Instruction Fuzzy Hash: 7641BE35204611AFE722EF15D888F59BBE9EF49318F19D099E4158F6A2C735FC42CB90

Function 0037E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 003716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0037170D
Part of subcall function 003716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0037173A
Part of subcall function 003716C3: GetLastError.KERNEL32 ref: 0037174A

ExitWindowsEx.USER32(?,00000000), ref: 0037E932

Strings

@, xrefs: 0037E925
, xrefs: 0037E920
SeShutdownPrivilege, xrefs: 0037E902
, xrefs: 0037E95C

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: fc57b29da5cbf299f00f1a756bc0682957cbfaf830e72df21de848b643883232
Instruction ID: e63393e1b2158caf95cf2a37e98ced056f1db6ba5baf60ccc1c05b0d7d3cdd10
Opcode Fuzzy Hash: fc57b29da5cbf299f00f1a756bc0682957cbfaf830e72df21de848b643883232
Instruction Fuzzy Hash: B0014E73620210AFEB7626749C86FBF725C970E740F158462FE17E21D1D76C5C408290

Function 00391204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00391276
WSAGetLastError.WSOCK32 ref: 00391283
bind.WSOCK32(00000000,?,00000010), ref: 003912BA
WSAGetLastError.WSOCK32 ref: 003912C5
closesocket.WSOCK32(00000000), ref: 003912F4
listen.WSOCK32(00000000,00000005), ref: 00391303
WSAGetLastError.WSOCK32 ref: 0039130D
closesocket.WSOCK32(00000000), ref: 0039133C

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 9e1ff5f8299a6bf50046e4d3a5bfe471079e34958d199ac05ff5d0db87a312da
Instruction ID: ede641f6c9d65743da03cba4c44390e9a63745e38bb6dd62c677875677605df1
Opcode Fuzzy Hash: 9e1ff5f8299a6bf50046e4d3a5bfe471079e34958d199ac05ff5d0db87a312da
Instruction Fuzzy Hash: AA4193356001019FDB15EF24C488B69BBFABF46318F198588D8569F2D6C775EC81CBE1

Function 0034B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0034B9D4
_free.LIBCMT ref: 0034B9F8
_free.LIBCMT ref: 0034BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,003B3700), ref: 0034BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,003E121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0034BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,003E1270,000000FF,?,0000003F,00000000,?), ref: 0034BC36
_free.LIBCMT ref: 0034BD4B

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: eec2dcfa3727bf810f7b37aa26bc1b9a5a1dcc6738cd3b72babe467cb5215861
Instruction ID: 9f676618af9cf2b33786dc821e17f942bb994f6c7c15ad23fd019fa4a6eb47be
Opcode Fuzzy Hash: eec2dcfa3727bf810f7b37aa26bc1b9a5a1dcc6738cd3b72babe467cb5215861
Instruction Fuzzy Hash: 2FC12571A04245AFCB239F698C81BAAFBFCEF42310F15469AE591DF291E730EE418750

Function 0037D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00313AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00313A97,?,?,00312E7F,?,?,?,00000000), ref: 00313AC2

Part of subcall function 0037E199: GetFileAttributesW.KERNEL32(?,0037CF95), ref: 0037E19A

FindFirstFileW.KERNEL32(?,?), ref: 0037D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0037D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0037D481
FindClose.KERNEL32(00000000), ref: 0037D498
FindClose.KERNEL32(00000000), ref: 0037D4A1

Strings

\*.*, xrefs: 0037D3F2

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 40d372d0d343642a2a6ffc8c29f27feb4ab425992fcd2eb1ad57a366b9c5794b
Instruction ID: 298ee232e3c8915154305bf5d3444595fccfa6ad5707e42e359ec080492ea87b
Opcode Fuzzy Hash: 40d372d0d343642a2a6ffc8c29f27feb4ab425992fcd2eb1ad57a366b9c5794b
Instruction Fuzzy Hash: 1231B0710083449BC316EF60C8929EFB7E8AE9A310F408E1EF4D557191EF34AA49C763

Function 0034E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0034E645

Strings

1#QNAN, xrefs: 0034F84B
1#IND, xrefs: 0034F83D
1#INF, xrefs: 0034F852
1#SNAN, xrefs: 0034F844

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: dbaeb032bb89eebc43405a3a1bad74af848eba9cec4ef30b87339144a37e50a0
Instruction ID: dc5e6ad130cf4b0066f0efb613646219d133c394feee0ac3b98b56cd934963a5
Opcode Fuzzy Hash: dbaeb032bb89eebc43405a3a1bad74af848eba9cec4ef30b87339144a37e50a0
Instruction Fuzzy Hash: B6C22B71E046288FDB66CE289D407EAB7F9FB45305F1941EAD44DEB240E778AE818F40

Function 0038648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 003864DC
CoInitialize.OLE32(00000000), ref: 00386639
CoCreateInstance.OLE32(003AFCF8,00000000,00000001,003AFB68,?), ref: 00386650
CoUninitialize.OLE32 ref: 003868D4

Strings

.lnk, xrefs: 003864BA, 00386524, 003865E0

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 0efff89d06eade25acad572be30ca3049f4df8e381d6433c387093e24d82bf85
Instruction ID: c6aaef12fbd3c811610540f8c8f7ddf1605b1613f030754ce5aa5810942b5940
Opcode Fuzzy Hash: 0efff89d06eade25acad572be30ca3049f4df8e381d6433c387093e24d82bf85
Instruction Fuzzy Hash: 35D14A715083019FC306EF24C892AABB7E8FF99704F04496DF5958B291EB70ED45CB92

Function 003922DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 003922E8

Part of subcall function 0038E4EC: GetWindowRect.USER32(?,?), ref: 0038E504

GetDesktopWindow.USER32 ref: 00392312
GetWindowRect.USER32(00000000), ref: 00392319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00392355
GetCursorPos.USER32(?), ref: 00392381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 003923DF

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 63b5a9e159bfa519ce68eb5f34000ecdb56e8efeb9e6a17956538e5e4e0bc50e
Instruction ID: 760323b798b97d996147f75a7510e3ee650bc4d889437708307d7367031fd0c8
Opcode Fuzzy Hash: 63b5a9e159bfa519ce68eb5f34000ecdb56e8efeb9e6a17956538e5e4e0bc50e
Instruction Fuzzy Hash: 3A31E272504715AFCB22DF15C849B5BB7ADFF89310F00091DF98997191DB34E908CB92

Function 00389B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00319CB3: _wcslen.LIBCMT ref: 00319CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00389B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00389C8B

Part of subcall function 00383874: GetInputState.USER32 ref: 003838CB
Part of subcall function 00383874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00383966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00389BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00389C75

Strings

*.*, xrefs: 00389B5D

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 15606bd699429207f62a5c65af7bea1e6b086fd937e63e28e19cf820f746c367
Instruction ID: bd10c113e194e465101a0fa56bd8c22a263949dd9873df7e23e1bc4c1cbba217
Opcode Fuzzy Hash: 15606bd699429207f62a5c65af7bea1e6b086fd937e63e28e19cf820f746c367
Instruction Fuzzy Hash: 3441517190420AAFCF16EFA4C985BEE7BB8EF49310F144597E815A7191EB319E84CF60

Function 0032997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00329BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00329BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00329A4E
GetSysColor.USER32(0000000F), ref: 00329B23
SetBkColor.GDI32(?,00000000), ref: 00329B36

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: c2a0b1a61c4d0ef213cf89bd9adaeaad1cfe6ca0d4d75d438afe9ce10f9a62ca
Instruction ID: d6486117256ad88a564875b28c035bd489c82d679d75f60183f01834a6caa332
Opcode Fuzzy Hash: c2a0b1a61c4d0ef213cf89bd9adaeaad1cfe6ca0d4d75d438afe9ce10f9a62ca
Instruction Fuzzy Hash: A8A13B70208664AEE7379A3CAC98F7B369DDF43344F16820BF102DA9D5CA259D41D271

Function 00391806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0039304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0039307A
Part of subcall function 0039304E: _wcslen.LIBCMT ref: 0039309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0039185D
WSAGetLastError.WSOCK32 ref: 00391884
bind.WSOCK32(00000000,?,00000010), ref: 003918DB
WSAGetLastError.WSOCK32 ref: 003918E6
closesocket.WSOCK32(00000000), ref: 00391915

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 35b0996fe761cd8c0cdb87e8015e8166bd082ac465c7cb4c786ee1ce9ec66616
Instruction ID: b9005b1515eadb7a85b255b836596bca7abdcc5e083447f42561f215f05e6023
Opcode Fuzzy Hash: 35b0996fe761cd8c0cdb87e8015e8166bd082ac465c7cb4c786ee1ce9ec66616
Instruction Fuzzy Hash: 6151C471A002109FEB16AF24C886F6A77E9AB49718F088458F9156F3D3C771AD418BA1

Function 003A1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 003A1CC0
IsWindowEnabled.USER32 ref: 003A1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 003A1CDB
IsIconic.USER32 ref: 003A1CE9
IsZoomed.USER32 ref: 003A1CF7

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: f982aa7378ebe936aca1ce2631c2cf9b6d1f25b6c6bc45ea2e3fc95d9f2f81d7
Instruction ID: d31874e08eb2d06df81cf39e533acdfc76fec6f9afa0dd6117d4c2fda2a25f37
Opcode Fuzzy Hash: f982aa7378ebe936aca1ce2631c2cf9b6d1f25b6c6bc45ea2e3fc95d9f2f81d7
Instruction Fuzzy Hash: E121B5317402105FD7228F2AC844B6A7BE9EF9B724F199068E846CB352CB71DC42CB94

Function 00318060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00355DF0
VUUU, xrefs: 003183FA
VUUU, xrefs: 003183E8
ERCP, xrefs: 0031813C
VUUU, xrefs: 0031843C

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: c62f8deb542eb35a2bac6811dae7e08d0c829e6e7b7f9cd4c9542ae1bd9fee46
Instruction ID: b0cd4d3f5291873177a6e1ae00bf094fc503e28c9bab31e497dbfed5b399bfdf
Opcode Fuzzy Hash: c62f8deb542eb35a2bac6811dae7e08d0c829e6e7b7f9cd4c9542ae1bd9fee46
Instruction Fuzzy Hash: 94A29E70A0061ACBDF2ACF58C851BEDB7B1BF58311F2585A9EC15AB290DB309DC5CB94

Function 00378298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 003782AA

Strings

|, xrefs: 003782DA
tb=, xrefs: 003784F4
(, xrefs: 003782F0

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tb=$|
API String ID: 1659193697-3835051088
Opcode ID: 12b83d5b9b368ff364ce3d9cb6d6135cd6cb4b43890508205570b309348be73c
Instruction ID: 3cdbf00aa9a40e5a00acc1c25859f4bcf2720f7449894fc2bdf6ef38d1cf3cfa
Opcode Fuzzy Hash: 12b83d5b9b368ff364ce3d9cb6d6135cd6cb4b43890508205570b309348be73c
Instruction Fuzzy Hash: C4324478A00605DFDB29CF29C085A6AB7F0FF48710B15C46EE49ADB7A1EB74E941CB40

Function 0037AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0037AAAC
SetKeyboardState.USER32(00000080), ref: 0037AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0037AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0037AB88

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: eb16b7fa4b00580cc424e5edac290422529387e58820bd8d173f3fea354ccf7e
Instruction ID: e240ca0d5d82e841a84869334d5aad9fdfdba221d5e7fdd94951224fd2c0899a
Opcode Fuzzy Hash: eb16b7fa4b00580cc424e5edac290422529387e58820bd8d173f3fea354ccf7e
Instruction Fuzzy Hash: 34310930A40A08AEFF37CA64CC05BFE77AAABC9310F04C21AF189565D1D37C9985D792

Function 0038CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0038CE89
GetLastError.KERNEL32(?,00000000), ref: 0038CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0038CEFE

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 913fb5d8bc07a5aed6029df66306d97a81f93082641f0f9846577117c0766637
Instruction ID: 31c5773868c554387a15b4031c2cacbeef79271610ca2af1324bee3db81a4f9f
Opcode Fuzzy Hash: 913fb5d8bc07a5aed6029df66306d97a81f93082641f0f9846577117c0766637
Instruction Fuzzy Hash: E021BAB1510305ABEB32EFA5D988BA6B7FCEB40315F10985EE64692151EB74EE048B60

Function 00385C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00385CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00385D17
FindClose.KERNEL32(?), ref: 00385D5F

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 04e2bc85dbeab34431f0c1d506a1ec7249c3dbb86aaee77562f84700945cb775
Instruction ID: bce880b67c43b8c50500afa3c073558fac1093e8a75179cfe2a65963eaa122f0
Opcode Fuzzy Hash: 04e2bc85dbeab34431f0c1d506a1ec7249c3dbb86aaee77562f84700945cb775
Instruction Fuzzy Hash: 65519A34604B019FC71AEF28C494A96B7E4FF49314F14859EE95A8B3A1CB30ED49CF91

Function 00342622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0034271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00342724
UnhandledExceptionFilter.KERNEL32(?), ref: 00342731

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 6eb0f001208362f5b66ad949558c644705e1fdbea393bb7e08431fb80259b31d
Instruction ID: 347d5beac9ce9d8981687b416caba7965ad43f09a40891aacb2ca3dac60e9cdb
Opcode Fuzzy Hash: 6eb0f001208362f5b66ad949558c644705e1fdbea393bb7e08431fb80259b31d
Instruction Fuzzy Hash: 9331B47491121C9BCB22DF64DD897D9BBB8AF08310F5041EAE41CAA261E7749F858F45

Function 003851CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003851DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00385238
SetErrorMode.KERNEL32(00000000), ref: 003852A1

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: f28b75b277d4f1fca3baf7910b6993ab681d4368bb06d9b069662b9375d07088
Instruction ID: 9bb0891a8e18ad133661013317e0e8e6206edeb74a4b6af1030ec9b024b88524
Opcode Fuzzy Hash: f28b75b277d4f1fca3baf7910b6993ab681d4368bb06d9b069662b9375d07088
Instruction Fuzzy Hash: C7314C75A10618DFDB01EF54D884EADBBB4FF49314F098499E805AF362DB31E856CB90

Function 003716C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0032FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00330668
Part of subcall function 0032FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00330685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0037170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0037173A
GetLastError.KERNEL32 ref: 0037174A

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 8e70c6a88b1b71d81d55fa21b2409ef32345d2d89153347779f1a1f6673e12d7
Instruction ID: bc94ddb81549bd4a1f370705383ad3fcf633e2a0243bd459b27e5f11c9909c16
Opcode Fuzzy Hash: 8e70c6a88b1b71d81d55fa21b2409ef32345d2d89153347779f1a1f6673e12d7
Instruction Fuzzy Hash: 8C119EB2414304AFD729AF58EC86D6ABBBDFF44714B20C52EE45A57241EB74FC41CA20

Function 0037D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0037D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0037D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0037D650

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 631ca2579b420ad53887d2996c14db9ef1d8ec6757e363c479119ecfa4a95ee4
Instruction ID: 3e1abc95d133ceb48d08ccd2a2e319183afb7e815fdc08a201a7190f0de1e1c0
Opcode Fuzzy Hash: 631ca2579b420ad53887d2996c14db9ef1d8ec6757e363c479119ecfa4a95ee4
Instruction Fuzzy Hash: 2B116175E05228BFDB218F95DC45FAFBFBCEB45B50F108115F908E7290D6744A058BA1

Function 00371663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0037168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 003716A1
FreeSid.ADVAPI32(?), ref: 003716B1

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: eee708e877e78f275be8a664155168e1de8e2feff34974cae95fe6bbc1ce0839
Instruction ID: 14617c2f5ca9ce7a4e42ee8e90bf28f197a8b419151a477b18a7daadd54e37d4
Opcode Fuzzy Hash: eee708e877e78f275be8a664155168e1de8e2feff34974cae95fe6bbc1ce0839
Instruction Fuzzy Hash: 26F0F47195030DFBDB01DFE49C89AAEBBBCEB08704F508565E901E2181E774EA448A50

Function 0034C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0034C36C

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 4cd46c81ccfffbb952217eb1782b17eaf7a109135c6447b76511c8042834a270
Instruction ID: 96fea86ddefa856cef9dc74acff9ff5189b36bd58ab00665efacda4944349d13
Opcode Fuzzy Hash: 4cd46c81ccfffbb952217eb1782b17eaf7a109135c6447b76511c8042834a270
Instruction Fuzzy Hash: 56414776901219AFCB219FB9CC88EBB77F8EB84314F104669F905DF180E670AD80CB50

Function 0036D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0036D28C

Strings

X64, xrefs: 0036D2A8

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 2d0b706607ddd87b7ff36b2769ff2149601ef54fb1ca10b060ce6c898ceadb9b
Instruction ID: 8aba0c1f7ff44ec059e12a042273d53022d2ec069ce7537d126ed1b9d747522d
Opcode Fuzzy Hash: 2d0b706607ddd87b7ff36b2769ff2149601ef54fb1ca10b060ce6c898ceadb9b
Instruction Fuzzy Hash: 3ED0CAB481116DEACB92CBA0EC88DDAB3BCBB05305F108692F106A2400DB7096488F20

Function 0033CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: c38875347cbba91ff2f384e3831d3d92af91f7e9c158a12ede847d3f65b13a93
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 6C022C72E102199BDF15CFA9C8806ADFBF1EF48314F259169E819FB384D731AE418B80

Function 0031CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#>, xrefs: 0031CF7F
Variable is not of type 'Object'., xrefs: 00360C40

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#>
API String ID: 0-2427628166
Opcode ID: 15382a9732fde17c2c178724f85d26f826e78eb5613bcec2ed1cedd38ad6e65f
Instruction ID: 834a57b83e65f2f795296358f27f5e19906f1f7651d1aac15a2f5b8ec52d5660
Opcode Fuzzy Hash: 15382a9732fde17c2c178724f85d26f826e78eb5613bcec2ed1cedd38ad6e65f
Instruction Fuzzy Hash: 3A32AE30950218DBCF1EDF90D881AEEB7B9FF08304F159059E806AF296D775AD86CB60

Function 003868EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00386918
FindClose.KERNEL32(00000000), ref: 00386961

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 689ec53430e18fffb7364202750fbb7e00ff610d2448be89ab91b860c5aed3a7
Instruction ID: 3e557f78219c0ee338fb755ce78bcfff1790167cfaea989d4097333be57c7f62
Opcode Fuzzy Hash: 689ec53430e18fffb7364202750fbb7e00ff610d2448be89ab91b860c5aed3a7
Instruction Fuzzy Hash: 7C11BF316142009FC715DF29D889A16BBE5FF89328F15C6A9F4698F7A2CB30EC45CB91

Function 003837B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00394891,?,?,00000035,?), ref: 003837E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00394891,?,?,00000035,?), ref: 003837F4

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 12997b4f1bdaa3d4f1d5a0ea35c7f1b4f216c5b5fb1b55eafda40f28dea6a4bd
Instruction ID: a0c5731f51c105c7f213d9930c0273bc8da5a0da677602e3d236f75f752254bf
Opcode Fuzzy Hash: 12997b4f1bdaa3d4f1d5a0ea35c7f1b4f216c5b5fb1b55eafda40f28dea6a4bd
Instruction Fuzzy Hash: 79F0E5B06053282AEB2227668C4DFEB3AAEEFC5B61F000275F509D2291D9609944C7B0

Function 0037B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0037B25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 0037B270

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: cab751c3ed3cbd7c6e0d693aeaf4d78c2a7381a4d46193065f874015815adef8
Instruction ID: c0dae9d8dba79a164e3e34d3ea7c9e7e5ef9b9a6f7441357cfb0a25d54dfd7af
Opcode Fuzzy Hash: cab751c3ed3cbd7c6e0d693aeaf4d78c2a7381a4d46193065f874015815adef8
Instruction Fuzzy Hash: 6CF01D7181424DABDB169FA1C805BBEBBB4FF05309F009409F955A5192C37986119F94

Function 003710BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003711FC), ref: 003710D4
CloseHandle.KERNEL32(?,?,003711FC), ref: 003710E9

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: d67e491825ab5904aefd641ef8c218b5bd2671415d9d0cd2c3df0cf037967692
Instruction ID: 5ba9c76b92c94db1f1d8e97547e9eafc339a1e8f41f5629ea497713109442ae5
Opcode Fuzzy Hash: d67e491825ab5904aefd641ef8c218b5bd2671415d9d0cd2c3df0cf037967692
Instruction Fuzzy Hash: 9AE04F32014610AEE7272B11FC05E7377ADEF04310F10882DF4A6844B1DB62AC90DB10

Function 0035E781 Relevance: 2.6, Strings: 2, Instructions: 132COMMON

Download Yara Rule

Strings

5, xrefs: 0035E8D2
5, xrefs: 0035E8DE

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID:
String ID: 5$5
API String ID: 0-2059066348
Opcode ID: b45bc9b2fbb9b47a8868bd7276c8615e82fda90d44d783b27225ebcd57237363
Instruction ID: 79ae7450390ea2efe39d483ce5fbfdf0efd1bac8ae85dcdc0230442d90315077
Opcode Fuzzy Hash: b45bc9b2fbb9b47a8868bd7276c8615e82fda90d44d783b27225ebcd57237363
Instruction Fuzzy Hash: ED3172DB85EBC14FD7434A7468799827FB05B2319EB9B08DFC8819B0A3F249944BD342

Function 0034676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00346766,?,?,00000008,?,?,0034FEFE,00000000), ref: 00346998

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: dba1a1fa7ff5c071c90f4c657172927f3ece3a7ee2d8428d78ef9f806c44b493
Instruction ID: 37c769981bda6a6699f5b0e5caf6492d1f90c23633a352333291b3d2b5b5f609
Opcode Fuzzy Hash: dba1a1fa7ff5c071c90f4c657172927f3ece3a7ee2d8428d78ef9f806c44b493
Instruction Fuzzy Hash: 3CB15C71610608DFD71ACF28C48AB657BE0FF46364F268658E899CF2A2C335E991CB41

Function 0032B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0036851F

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 9a5368cc246238530445a7db0ed70e2a412855d411d330f49b5941db852eb4ba
Instruction ID: 53a5c2e5ae71f058156bef86490fe4ab9cd69597dfd682596f41b2c52a897225
Opcode Fuzzy Hash: 9a5368cc246238530445a7db0ed70e2a412855d411d330f49b5941db852eb4ba
Instruction Fuzzy Hash: 04127E759002299FCB26DF59D8806EEB7F5FF48310F1581AAE849EB255DB309E81CB90

Function 0038EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0038EABD

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 08c56fe5ddae80a455bf700a2bdfc4ccb5a01f48741ee64167d26c521066df1b
Instruction ID: 41f3287afc7ee5089b22c0571969ed6f039620a265de7dea7e44f7c1edb3d2d1
Opcode Fuzzy Hash: 08c56fe5ddae80a455bf700a2bdfc4ccb5a01f48741ee64167d26c521066df1b
Instruction Fuzzy Hash: 72E04F312202049FC715EF59D804E9AF7EDAF99B60F048456FC49CB361DB74E8818B90

Function 003309D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,003303EE), ref: 003309DA

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: e5fa5e63e396e64be76d2aab3615509f9d01301a67a7ddf750b100457357ac1a
Instruction ID: ac541bcb40149bd790c6c017e9df69b37a44102514ead4da9573098cf71d4b2d
Opcode Fuzzy Hash: e5fa5e63e396e64be76d2aab3615509f9d01301a67a7ddf750b100457357ac1a
Instruction Fuzzy Hash:

Function 0033781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0033798B

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 2596afa7f5f2fbff0445cf6369cfa028b286a5675397e858254e7c732d2a248e
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 955145E160C7496BDB3B866888DFBBE63C99B02340F190A09E982DF782C715DE41D352

Function 00382046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&>, xrefs: 00382053

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID:
String ID: 0&>
API String ID: 0-3650462221
Opcode ID: 9927b9110a59d2c95f5bdba6ddd66edc1e643e053a4cab6745d36419ed473688
Instruction ID: 087ac536033b0e3950bc86045d24a78f6f973d2b2e8475a779bce088763bec51
Opcode Fuzzy Hash: 9927b9110a59d2c95f5bdba6ddd66edc1e643e053a4cab6745d36419ed473688
Instruction Fuzzy Hash: B321E7726206118BDB28CF79C86367F73E9A794310F15866EE4A7C73D0DE75A904CB80

Function 00346DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f827d3688d1843ec670057e3cf263ef2d81aa5133a5a3494d535d55a0abb5bf7
Instruction ID: b4a998a0908f1f20b12a746c3f8349f688b2fd199d8eb4f80c26a133a4522af4
Opcode Fuzzy Hash: f827d3688d1843ec670057e3cf263ef2d81aa5133a5a3494d535d55a0abb5bf7
Instruction Fuzzy Hash: 1C322722D29F414DD7239635CC22336A68DAFB73C9F15D737F81AB9AA5EB29D4834100

Function 0032CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba8575c57f584d5089946f22e22353cc732116eac48c3d62bbd1b6189a0f7736
Instruction ID: ac4c6ddf1b69b86614e8791d1f16eda3ccaf9a940183c2f49e175a17d7a3e67d
Opcode Fuzzy Hash: ba8575c57f584d5089946f22e22353cc732116eac48c3d62bbd1b6189a0f7736
Instruction Fuzzy Hash: BC322731A201258BCF27CF68D49467D7BA5EB45300F2AE56BD8C9CB699D330DE82DB41

Function 00317920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ad7b11e901bc02ab5cd0f7f05300c72bb5a393d08d43f9c5dde3a44db728676
Instruction ID: 655c3714c8e236303352eae7352391d62ce950869d7b46b3fe3bf4ab3ba6181f
Opcode Fuzzy Hash: 0ad7b11e901bc02ab5cd0f7f05300c72bb5a393d08d43f9c5dde3a44db728676
Instruction Fuzzy Hash: EB22F3B0A04609DFDF1ACF64D891AEEB3F5FF48300F144529E816AB2A1EB35AD54CB50

Function 003191C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63cff10b74b9851d556cac40720b17a7f3795387a330236c026d641a22a1c7d6
Instruction ID: 2c9e18d9319cca61f4439ec230cf5fb115732b3f10a5851bf70cc469da4fdc64
Opcode Fuzzy Hash: 63cff10b74b9851d556cac40720b17a7f3795387a330236c026d641a22a1c7d6
Instruction Fuzzy Hash: 3C02C7B1E00119EFDB0ADF64D981AADB7B5FF44300F118569E8169B290E731EE55CB81

Function 00331C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 14ab3fa1647826752b1c5a4a33b4adc8b9474fe3abffc65ed55b298cb55b6ff9
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: B99187732090A34ADB6B463E85B403EFFE15A923A1B1B079DD4F2CB5C5FE24C964D620

Function 003319B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: cdf3c04eabfdd9842769b9f235c072b9a893c27464cd497b1ccc4c42596bcd15
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: B89155722090E34ADB6F427E85B403EFFE55A923A2B1B079DD4F2CA5C1FE14C564D620

Function 00337A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ed2d48b35af4c2088797f2ce57ea49a65c0aeaa4796b51d39bff151df0ce838
Instruction ID: b93196be85d4e974fc5af9e3f007963c8aeddb7a1bf75ccc7643ae4bf325299c
Opcode Fuzzy Hash: 5ed2d48b35af4c2088797f2ce57ea49a65c0aeaa4796b51d39bff151df0ce838
Instruction Fuzzy Hash: D96147F160C749A6DE3B9A2C8CE6BBEA3A8DF41700F15091AF843DF781DA119E42C355

Function 00337CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5896acc2db83ba218c69fcbeda6c04d43676c3fb56769ff0df9bd3e452bf349
Instruction ID: 9da96e33733633f129a1a6b58769c528f5052abe94e201191ad914eaa0dcb938
Opcode Fuzzy Hash: a5896acc2db83ba218c69fcbeda6c04d43676c3fb56769ff0df9bd3e452bf349
Instruction Fuzzy Hash: 31619AF160C709A7DE3B9A2888D2BBF2398EF42744F11095AF943DF681DA16ED42C355

Function 00331706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 8fa128905e570d28baff30568877f463d96da77feec4650ef5a02d10c2a06273
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 9D8184326080A349DB6F863A85B413EFFE15A923A1B1F079DD4F2CF1C1EE24C554E660

Function 00392ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00392B30
DeleteObject.GDI32(00000000), ref: 00392B43
DestroyWindow.USER32 ref: 00392B52
GetDesktopWindow.USER32 ref: 00392B6D
GetWindowRect.USER32(00000000), ref: 00392B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00392CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00392CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00392CF8
GetClientRect.USER32(00000000,?), ref: 00392D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00392D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00392D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00392D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00392D80
GlobalLock.KERNEL32(00000000), ref: 00392D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00392D98
GlobalUnlock.KERNEL32(00000000), ref: 00392DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00392DA8
GlobalFree.KERNEL32(00000000), ref: 00392DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00392DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,003AFC38,00000000), ref: 00392DDB
GlobalFree.KERNEL32(00000000), ref: 00392DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00392E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00392E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00392E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0039303F

Strings

, xrefs: 00392FC5
AutoIt v3, xrefs: 00392CF2
static, xrefs: 00392D3A, 00392E91
DISPLAY, xrefs: 00392EA2

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 761e37d5abfbc56e78755904f9467435fe822dfbf1ae8188d9fa727d2bc4f6d2
Instruction ID: e28d38b7c16e15e068cbfe817ae830e76c02d1686c31ce1cf1bef0c84c8cc786
Opcode Fuzzy Hash: 761e37d5abfbc56e78755904f9467435fe822dfbf1ae8188d9fa727d2bc4f6d2
Instruction Fuzzy Hash: ED027A75A10205AFDB16DFA4CC89EAE7BB9EB49310F048118F915AB2A1DB74AD41CF60

Function 003A70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 003A712F
GetSysColorBrush.USER32(0000000F), ref: 003A7160
GetSysColor.USER32(0000000F), ref: 003A716C
SetBkColor.GDI32(?,000000FF), ref: 003A7186
SelectObject.GDI32(?,?), ref: 003A7195
InflateRect.USER32(?,000000FF,000000FF), ref: 003A71C0
GetSysColor.USER32(00000010), ref: 003A71C8
CreateSolidBrush.GDI32(00000000), ref: 003A71CF
FrameRect.USER32(?,?,00000000), ref: 003A71DE
DeleteObject.GDI32(00000000), ref: 003A71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 003A7230
FillRect.USER32(?,?,?), ref: 003A7262
GetWindowLongW.USER32(?,000000F0), ref: 003A7284

Part of subcall function 003A73E8: GetSysColor.USER32(00000012), ref: 003A7421
Part of subcall function 003A73E8: SetTextColor.GDI32(?,?), ref: 003A7425
Part of subcall function 003A73E8: GetSysColorBrush.USER32(0000000F), ref: 003A743B
Part of subcall function 003A73E8: GetSysColor.USER32(0000000F), ref: 003A7446
Part of subcall function 003A73E8: GetSysColor.USER32(00000011), ref: 003A7463
Part of subcall function 003A73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 003A7471
Part of subcall function 003A73E8: SelectObject.GDI32(?,00000000), ref: 003A7482
Part of subcall function 003A73E8: SetBkColor.GDI32(?,00000000), ref: 003A748B
Part of subcall function 003A73E8: SelectObject.GDI32(?,?), ref: 003A7498
Part of subcall function 003A73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 003A74B7
Part of subcall function 003A73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003A74CE
Part of subcall function 003A73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 003A74DB

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 0e91b130b97392f5adc189f2d4785d2d68e24f986e7770ea6a65710c69736019
Instruction ID: a55f6f163d2c9ce5b42ca43f9f773fb2bdd24eedc5a73c35413a0bc3d8bac42f
Opcode Fuzzy Hash: 0e91b130b97392f5adc189f2d4785d2d68e24f986e7770ea6a65710c69736019
Instruction Fuzzy Hash: F5A1A072518301AFDB129F60DC88A6BBBEDFF4B320F101A19F962961E1D771E944CB51

Function 00328D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00328E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00366AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00366AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00366F43

Part of subcall function 00328F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00328BE8,?,00000000,?,?,?,?,00328BBA,00000000,?), ref: 00328FC5

SendMessageW.USER32(?,00001053), ref: 00366F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00366F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00366FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00366FB7

Strings

0, xrefs: 00366DCF

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: c8dddc5f1b162e5440bcb327a99fcdca4514f89abed6fada6b1798aed820cb3e
Instruction ID: 8d40337814461ca1fcd1eb91ee87682b3e4b410d7a864bfc4803c3c5a28ddf4f
Opcode Fuzzy Hash: c8dddc5f1b162e5440bcb327a99fcdca4514f89abed6fada6b1798aed820cb3e
Instruction Fuzzy Hash: B012DE30201251EFCB27CF14D985BAABBE9FB45340F1A8569F4858B666CB32EC51CF91

Function 00392711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0039273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0039286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 003928A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 003928B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00392900
GetClientRect.USER32(00000000,?), ref: 0039290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00392955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00392964
GetStockObject.GDI32(00000011), ref: 00392974
SelectObject.GDI32(00000000,00000000), ref: 00392978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00392988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00392991
DeleteDC.GDI32(00000000), ref: 0039299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 003929C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 003929DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00392A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00392A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00392A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00392A77
GetStockObject.GDI32(00000011), ref: 00392A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00392A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00392A97

Strings

msctls_progress32, xrefs: 00392A13
AutoIt v3, xrefs: 003928F8
static, xrefs: 0039294F, 00392A71
DISPLAY, xrefs: 0039295A

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 5c37923603cb7375a09ab6559848fed8dbee79d656bad3a1154e998e8d3a44b9
Instruction ID: 6e6d333c014e1f361443b23ffeb2e8129b95236d94faa915926f7c8b824fc143
Opcode Fuzzy Hash: 5c37923603cb7375a09ab6559848fed8dbee79d656bad3a1154e998e8d3a44b9
Instruction Fuzzy Hash: 5BB14B75A10615AFEB15DFA8DC89FAF7BA9EB09710F004214F915EB2D1D770AD40CBA0

Function 00384ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00384AED
GetDriveTypeW.KERNEL32(?,003ACB68,?,\\.\,003ACC08), ref: 00384BCA
SetErrorMode.KERNEL32(00000000,003ACB68,?,\\.\,003ACC08), ref: 00384D36

Strings

Unknown, xrefs: 00384BED, 00384C83
FileBackedVirtual, xrefs: 00384CEC
MMC, xrefs: 00384CDE
SCSI, xrefs: 00384C8A
ATAPI, xrefs: 00384C91
Fibre, xrefs: 00384CAD
SATA, xrefs: 00384CD0
1394, xrefs: 00384C9F
Removable, xrefs: 00384C10, 00384C15
SSD, xrefs: 00384C4A
iSCSI, xrefs: 00384CC2
RAID, xrefs: 00384CBB
ATA, xrefs: 00384C98
Fixed, xrefs: 00384C09
RAMDisk, xrefs: 00384BF4
PhysicalDrive, xrefs: 00384B76
Network, xrefs: 00384C02
Virtual, xrefs: 00384CE5
CDROM, xrefs: 00384BFB
USB, xrefs: 00384CB4
\\.\, xrefs: 00384B3F
SAS, xrefs: 00384CC9
SSA, xrefs: 00384CA6

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 304ba110dc287f13c6f12b9677068cd239cd8fc5e77496a7ff315b4c168d0bb2
Instruction ID: 10d4c1d72f975f7a57679b5fb65807939ad0b3c1981f5039a45f5a210cd509b0
Opcode Fuzzy Hash: 304ba110dc287f13c6f12b9677068cd239cd8fc5e77496a7ff315b4c168d0bb2
Instruction Fuzzy Hash: 2861D531701307ABCB07FF24D9829ACB7B9AB09300B244496F816ABF55DB75ED41DB41

Function 003A73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 003A7421
SetTextColor.GDI32(?,?), ref: 003A7425
GetSysColorBrush.USER32(0000000F), ref: 003A743B
GetSysColor.USER32(0000000F), ref: 003A7446
CreateSolidBrush.GDI32(?), ref: 003A744B
GetSysColor.USER32(00000011), ref: 003A7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 003A7471
SelectObject.GDI32(?,00000000), ref: 003A7482
SetBkColor.GDI32(?,00000000), ref: 003A748B
SelectObject.GDI32(?,?), ref: 003A7498
InflateRect.USER32(?,000000FF,000000FF), ref: 003A74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003A74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 003A74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 003A752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 003A7554
InflateRect.USER32(?,000000FD,000000FD), ref: 003A7572
DrawFocusRect.USER32(?,?), ref: 003A757D
GetSysColor.USER32(00000011), ref: 003A758E
SetTextColor.GDI32(?,00000000), ref: 003A7596
DrawTextW.USER32(?,003A70F5,000000FF,?,00000000), ref: 003A75A8
SelectObject.GDI32(?,?), ref: 003A75BF
DeleteObject.GDI32(?), ref: 003A75CA
SelectObject.GDI32(?,?), ref: 003A75D0
DeleteObject.GDI32(?), ref: 003A75D5
SetTextColor.GDI32(?,?), ref: 003A75DB
SetBkColor.GDI32(?,?), ref: 003A75E5

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: eea49f5ace2e6c006c416bfed77a0a0cb9d2003f33620e28b1c62f934c52768a
Instruction ID: 1b59156f1ecf2670860c177d06c1686a06addb2b5e456b5f28e5ff109d10f9fe
Opcode Fuzzy Hash: eea49f5ace2e6c006c416bfed77a0a0cb9d2003f33620e28b1c62f934c52768a
Instruction Fuzzy Hash: E5617A72D00218AFDF069FA4DC49EAEBFB9EF0A320F115125F911AB2A1D7749940CB90

Function 003A0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 003A1128
GetDesktopWindow.USER32 ref: 003A113D
GetWindowRect.USER32(00000000), ref: 003A1144
GetWindowLongW.USER32(?,000000F0), ref: 003A1199
DestroyWindow.USER32(?), ref: 003A11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 003A11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003A120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 003A121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 003A1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 003A1245
IsWindowVisible.USER32(00000000), ref: 003A12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 003A12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 003A12D0
GetWindowRect.USER32(00000000,?), ref: 003A12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 003A130E
GetMonitorInfoW.USER32(00000000,?), ref: 003A1328
CopyRect.USER32(?,?), ref: 003A133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 003A13AA

Strings

tooltips_class32, xrefs: 003A11E6
(, xrefs: 003A131B
0, xrefs: 003A10D3

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 84824dd36413389383aaf65ae95e20b37d6c87b1af785930d1d64f9ca3763058
Instruction ID: 39cebcc6d6f6529b564e3068ffe6f247671864b142beaa6b126002910b54c0b7
Opcode Fuzzy Hash: 84824dd36413389383aaf65ae95e20b37d6c87b1af785930d1d64f9ca3763058
Instruction Fuzzy Hash: C3B19D71608341AFDB05DF64C884BAAFBE5FF8A350F00891DF9999B2A1D771E844CB91

Function 003A0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 003A02E5
_wcslen.LIBCMT ref: 003A031F
_wcslen.LIBCMT ref: 003A0389
_wcslen.LIBCMT ref: 003A03F1
_wcslen.LIBCMT ref: 003A0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 003A04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 003A0504

Part of subcall function 0032F9F2: _wcslen.LIBCMT ref: 0032F9FD

Part of subcall function 0037223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00372258
Part of subcall function 0037223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0037228A

Strings

GETTEXT, xrefs: 003A03EC, 003A0407
SELECTALL, xrefs: 003A0515
GETSELECTED, xrefs: 003A05E1
ISSELECTED, xrefs: 003A04DD
GETSUBITEMCOUNT, xrefs: 003A0384, 003A039F
SELECTCLEAR, xrefs: 003A052D
SELECTINVERT, xrefs: 003A057E
DESELECT, xrefs: 003A059C
SELECT, xrefs: 003A0548
FINDITEM, xrefs: 003A0627
VIEWCHANGE, xrefs: 003A0675
GETITEMCOUNT, xrefs: 003A0316, 003A0337
GETSELECTEDCOUNT, xrefs: 003A0470, 003A048B

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: e203facb4442115db95878f3789e06946ea3b1d7b2f82988769a5b3cfa2509d3
Instruction ID: ef45b636e9755e242f0df0720c482a40914f6af817aaad73fb32d8550b964477
Opcode Fuzzy Hash: e203facb4442115db95878f3789e06946ea3b1d7b2f82988769a5b3cfa2509d3
Instruction Fuzzy Hash: C7E1C1312183018FCB1ADF24C45096AB3E6FF8A314F554A6DF896AB7A1DB30ED45CB81

Function 00328891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00328968
GetSystemMetrics.USER32(00000007), ref: 00328970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0032899B
GetSystemMetrics.USER32(00000008), ref: 003289A3
GetSystemMetrics.USER32(00000004), ref: 003289C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 003289E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 003289F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00328A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00328A3C
GetClientRect.USER32(00000000,000000FF), ref: 00328A5A
GetStockObject.GDI32(00000011), ref: 00328A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00328A81

Part of subcall function 0032912D: GetCursorPos.USER32(?), ref: 00329141
Part of subcall function 0032912D: ScreenToClient.USER32(00000000,?), ref: 0032915E
Part of subcall function 0032912D: GetAsyncKeyState.USER32(00000001), ref: 00329183
Part of subcall function 0032912D: GetAsyncKeyState.USER32(00000002), ref: 0032919D

SetTimer.USER32(00000000,00000000,00000028,003290FC), ref: 00328AA8

Strings

AutoIt v3 GUI, xrefs: 00328A20

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: de816c5e54df774eba379c511292f1c2418bbe4bf3fc4aab1436294bd10feaab
Instruction ID: e5c3affbca6e3c0f7e92986069ce595162b53b0e515611564a91b1c9eb7014fe
Opcode Fuzzy Hash: de816c5e54df774eba379c511292f1c2418bbe4bf3fc4aab1436294bd10feaab
Instruction Fuzzy Hash: F5B17C75A002199FDB16DFA8DD85BAE7BB9FB49314F114229FA15AB2D0DB30E840CB50

Function 00370D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00371114
Part of subcall function 003710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00370B9B,?,?,?), ref: 00371120
Part of subcall function 003710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00370B9B,?,?,?), ref: 0037112F
Part of subcall function 003710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00370B9B,?,?,?), ref: 00371136
Part of subcall function 003710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0037114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00370DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00370E29
GetLengthSid.ADVAPI32(?), ref: 00370E40
GetAce.ADVAPI32(?,00000000,?), ref: 00370E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00370E96
GetLengthSid.ADVAPI32(?), ref: 00370EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00370EB5
HeapAlloc.KERNEL32(00000000), ref: 00370EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00370EDD
CopySid.ADVAPI32(00000000), ref: 00370EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00370F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00370F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00370F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00370F6E
HeapFree.KERNEL32(00000000), ref: 00370F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00370F7E
HeapFree.KERNEL32(00000000), ref: 00370F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00370F8E
HeapFree.KERNEL32(00000000), ref: 00370F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00370FA1
HeapFree.KERNEL32(00000000), ref: 00370FA8

Part of subcall function 00371193: GetProcessHeap.KERNEL32(00000008,00370BB1,?,00000000,?,00370BB1,?), ref: 003711A1
Part of subcall function 00371193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00370BB1,?), ref: 003711A8
Part of subcall function 00371193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00370BB1,?), ref: 003711B7

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: fc2182fa4671874bd3693d985b61cfd883fb4a8f7329d6f3f5bbb4be5200f89d
Instruction ID: 7204ca53e9c33df6bc080edcbf4a9e8227b45efb5ddc29a7076509e2a9fba948
Opcode Fuzzy Hash: fc2182fa4671874bd3693d985b61cfd883fb4a8f7329d6f3f5bbb4be5200f89d
Instruction Fuzzy Hash: BB714B72A0020AEBDB26DFA4DC44BAEBBBCBF06310F158115F919A6191D7759A05CB60

Function 0039C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0039C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,003ACC08,00000000,?,00000000,?,?), ref: 0039C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0039C5A4
_wcslen.LIBCMT ref: 0039C5F4
_wcslen.LIBCMT ref: 0039C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0039C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0039C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0039C84D
RegCloseKey.ADVAPI32(?), ref: 0039C881
RegCloseKey.ADVAPI32(00000000), ref: 0039C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0039C960

Strings

REG_SZ, xrefs: 0039C644
REG_DWORD, xrefs: 0039C804
REG_BINARY, xrefs: 0039C913
REG_MULTI_SZ, xrefs: 0039C6F5
REG_QWORD, xrefs: 0039C8C3
REG_EXPAND_SZ, xrefs: 0039C5CD

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: bf06ad05b8a7c1502876d389ed200faae63d49e118b5839b10206e18d87a0321
Instruction ID: ef5682460535870ef45f47b7d12f1fa39eaeb38c6e33d46aa89836f14f23d560
Opcode Fuzzy Hash: bf06ad05b8a7c1502876d389ed200faae63d49e118b5839b10206e18d87a0321
Instruction Fuzzy Hash: 2B1269352142019FDB1ADF14C891A6AB7E5EF89714F09885DF88A9B3A2DB31FD41CB81

Function 003A091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 003A09C6
_wcslen.LIBCMT ref: 003A0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 003A0A54
_wcslen.LIBCMT ref: 003A0A8A
_wcslen.LIBCMT ref: 003A0B06
_wcslen.LIBCMT ref: 003A0B81

Part of subcall function 0032F9F2: _wcslen.LIBCMT ref: 0032F9FD

Part of subcall function 00372BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00372BFA

Strings

UNCHECK, xrefs: 003A0D3E
GETTEXT, xrefs: 003A0C97
SELECT, xrefs: 003A0D11
CHECK, xrefs: 003A0A85, 003A0AA0
GETTOTALCOUNT, xrefs: 003A09F2, 003A0A17
EXISTS, xrefs: 003A0B7C, 003A0B97
GETSELECTED, xrefs: 003A0C4E
EXPAND, xrefs: 003A0BF8
GETITEMCOUNT, xrefs: 003A0C1E
COLLAPSE, xrefs: 003A0B01, 003A0B1C
ISCHECKED, xrefs: 003A0CE1

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: dabcdd21a18aa0041a2f041effb9a153d9a2d22d8dd039d97ae0ede72a95f7cf
Instruction ID: ebab824492f91a352e2e5ea73c0e923dfab4a10f467ed3cbec1228b11f0d21de
Opcode Fuzzy Hash: dabcdd21a18aa0041a2f041effb9a153d9a2d22d8dd039d97ae0ede72a95f7cf
Instruction Fuzzy Hash: DEE1BF362083018FC71ADF24C45096AB7E2FF9A314F15895DF89AAB362D731ED85CB91

Function 0039C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0039B6AE,?,?), ref: 0039C9B5
_wcslen.LIBCMT ref: 0039C9F1
_wcslen.LIBCMT ref: 0039CA68
_wcslen.LIBCMT ref: 0039CA9E
_wcslen.LIBCMT ref: 0039CAF9
_wcslen.LIBCMT ref: 0039CB2F
_wcslen.LIBCMT ref: 0039CB7F

Strings

HKLM, xrefs: 0039CA98, 0039CA9D
HKCR, xrefs: 0039CB29, 0039CB2E
HKCC, xrefs: 0039CBAC
HKEY_CURRENT_CONFIG, xrefs: 0039CB79, 0039CB7E
HKEY_USERS, xrefs: 0039CBDF
HKEY_LOCAL_MACHINE, xrefs: 0039CA62, 0039CA67
HKU, xrefs: 0039CBF0
HKEY_CLASSES_ROOT, xrefs: 0039CAF3, 0039CAF8
HKCU, xrefs: 0039CBCE
HKEY_CURRENT_USER, xrefs: 0039CBBD

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: df88f9b875d44c4b7d6cbebc47fdc3b759c52cf1e622967a1d412f530491a8de
Instruction ID: 0b9768a429c7c0871af3fa7e5f0be5e1f7fecc11b9a5800051b3d6e1d629a15d
Opcode Fuzzy Hash: df88f9b875d44c4b7d6cbebc47fdc3b759c52cf1e622967a1d412f530491a8de
Instruction Fuzzy Hash: CF71033362016A8BCF23DE7CD9516BF33A5AB64760F122529F8569B284E731CD8187A0

Function 003A833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 003A835A
_wcslen.LIBCMT ref: 003A836E
_wcslen.LIBCMT ref: 003A8391
_wcslen.LIBCMT ref: 003A83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 003A83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,003A5BF2), ref: 003A844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 003A8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 003A84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 003A8501
FreeLibrary.KERNEL32(?), ref: 003A850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 003A851D
DestroyIcon.USER32(?,?,?,?,?,003A5BF2), ref: 003A852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 003A8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 003A8555

Strings

.dll, xrefs: 003A83AB
.icl, xrefs: 003A8368
.exe, xrefs: 003A8388

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: cddbb9ecdd6e32823110553442199c6a03121284720b0a775037ebeb2298cc37
Instruction ID: bbfa3c497a1f59793970676705fcf41bb61d3c7d79efc313a71c9dfe4a8257e3
Opcode Fuzzy Hash: cddbb9ecdd6e32823110553442199c6a03121284720b0a775037ebeb2298cc37
Instruction Fuzzy Hash: 8761C071900215BEEB16DF65CC85BFE77ACFB0AB21F104609F815DA1D1EB74A990C7A0

Function 00317778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#notrayicon, xrefs: 003177E7
#cs, xrefs: 00317873, 003178C5
Bad directive syntax error, xrefs: 0035519A
#OnAutoItStartRegister, xrefs: 00317817
#include-once, xrefs: 0031782F
#requireadmin, xrefs: 003177FF
#pragma compile, xrefs: 003177D3
#comments-start, xrefs: 0031785F, 003178B1
#ce, xrefs: 003178ED
Cannot parse #include, xrefs: 00355279
Unterminated group of comments, xrefs: 0035528C
#comments-end, xrefs: 003178D9
#include, xrefs: 00317847
', xrefs: 00355169
", xrefs: 00355153

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 0402c17ec45c832790cae9a41942b87177bd144ec42b85117d0c06bbb6d766af
Instruction ID: 9d4f90b49302b35b08100c43ea31f7dbc194d5f4b74d8012954b586fd4179e9b
Opcode Fuzzy Hash: 0402c17ec45c832790cae9a41942b87177bd144ec42b85117d0c06bbb6d766af
Instruction Fuzzy Hash: 4B81D571644605ABDB27AF60DC52FFE3BB8AF19300F094025FC05AE192EB75DA85C7A1

Function 00383E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00383EF8
_wcslen.LIBCMT ref: 00383F03
_wcslen.LIBCMT ref: 00383F5A
_wcslen.LIBCMT ref: 00383F98
GetDriveTypeW.KERNEL32(?), ref: 00383FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0038401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00384059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00384087

Strings

open, xrefs: 00383F54, 00383F59
set cd door , xrefs: 00384028
type cdaudio alias cd wait, xrefs: 00384001
close, xrefs: 00383EFE, 00383F18
open , xrefs: 00383FE5
closed, xrefs: 00383F08, 00383F2D, 00383F46, 00383F7E, 00383F97
wait, xrefs: 00384044
close cd wait, xrefs: 00384072

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: f1b173554b0ba4a98c6d612625cb3f562b07760973f05a445727f8da39e51464
Instruction ID: c4572c67ca27bafa4bbe3c37243bea2b73a3e24d2edeb06fc4697a928da205ba
Opcode Fuzzy Hash: f1b173554b0ba4a98c6d612625cb3f562b07760973f05a445727f8da39e51464
Instruction Fuzzy Hash: 8B71BE726043029FC312EF24C8919AAB7F4EF98754F00496EF9A59B251EB31EE45CB91

Function 00375A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00375A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00375A40
SetWindowTextW.USER32(?,?), ref: 00375A57
GetDlgItem.USER32(?,000003EA), ref: 00375A6C
SetWindowTextW.USER32(00000000,?), ref: 00375A72
GetDlgItem.USER32(?,000003E9), ref: 00375A82
SetWindowTextW.USER32(00000000,?), ref: 00375A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00375AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00375AC3
GetWindowRect.USER32(?,?), ref: 00375ACC
_wcslen.LIBCMT ref: 00375B33
SetWindowTextW.USER32(?,?), ref: 00375B6F
GetDesktopWindow.USER32 ref: 00375B75
GetWindowRect.USER32(00000000), ref: 00375B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00375BD3
GetClientRect.USER32(?,?), ref: 00375BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00375C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00375C2F

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: b1aaf1c85e1a134d3062040f7552b338fe9c0094f4ea15447a94584aea52c7e1
Instruction ID: 1e28977b52d157ff5755d68e5e63c98de506fc2a1dc8b5ef3abad1ac3077d61d
Opcode Fuzzy Hash: b1aaf1c85e1a134d3062040f7552b338fe9c0094f4ea15447a94584aea52c7e1
Instruction Fuzzy Hash: 83718031900B099FDB36DFA8CE85B6EBBF9FF48704F104918E146A65A0D7B9E944CB50

Function 0038FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0038FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0038FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0038FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0038FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0038FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0038FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0038FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0038FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0038FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0038FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0038FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0038FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0038FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0038FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0038FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0038FECC
GetCursorInfo.USER32(?), ref: 0038FEDC
GetLastError.KERNEL32 ref: 0038FF1E

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: ac92e4127b83be36afb40c3399b932b77101aa6255c18b2b909d8cba0d5c87ed
Instruction ID: e5267bc4d73c0166f0d3866718d1a29127c3bf46546ec3bc30cbdfdc1f690d37
Opcode Fuzzy Hash: ac92e4127b83be36afb40c3399b932b77101aa6255c18b2b909d8cba0d5c87ed
Instruction Fuzzy Hash: 264161B0D083196EDB119FBA8C8985EBFE8FF04754B50456AE119EB281DB78A901CF90

Function 003730F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0037318D
_wcslen.LIBCMT ref: 003731F8

Strings

CLASS, xrefs: 00373188, 003731A5
[=, xrefs: 0037339A
CLASSNN, xrefs: 003731F3, 00373204
INSTANCE, xrefs: 00373453
NAME, xrefs: 00373335, 00373346
REGEXPCLASS, xrefs: 00373255, 00373266
TEXT, xrefs: 0037347C

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[=
API String ID: 176396367-3092650863
Opcode ID: 4b236b8d2660def2a80322bad463fe178d14c67c8cd09b9bbf05f88c13b9d175
Instruction ID: 7cd93e86e75eb2262e3dbda9b299ac4ceafe9fc51b7225e943d372c61ed8864a
Opcode Fuzzy Hash: 4b236b8d2660def2a80322bad463fe178d14c67c8cd09b9bbf05f88c13b9d175
Instruction Fuzzy Hash: 35E1D532A00516ABCB3A9F74C4917FEBBB4BF44710F55C11AE45AF7240DB34AE85A790

Function 003300C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 003300C6

Part of subcall function 003300ED: InitializeCriticalSectionAndSpinCount.KERNEL32(003E070C,00000FA0,6A8554B8,?,?,?,?,003523B3,000000FF), ref: 0033011C
Part of subcall function 003300ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,003523B3,000000FF), ref: 00330127
Part of subcall function 003300ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,003523B3,000000FF), ref: 00330138
Part of subcall function 003300ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0033014E
Part of subcall function 003300ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0033015C
Part of subcall function 003300ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0033016A
Part of subcall function 003300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00330195
Part of subcall function 003300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 003301A0

___scrt_fastfail.LIBCMT ref: 003300E7

Part of subcall function 003300A3: __onexit.LIBCMT ref: 003300A9

Strings

InitializeConditionVariable, xrefs: 00330148
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00330122
kernel32.dll, xrefs: 00330133
SleepConditionVariableCS, xrefs: 00330154
WakeAllConditionVariable, xrefs: 00330162

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 97c0c68a480e6d027182bd5eadd21a2feede73f4c3f382ef17adb0b3140a7b3a
Instruction ID: b07f5e0ea3d28d150b65201d0169390317c649bce90a45cd1a118928ed88cfe4
Opcode Fuzzy Hash: 97c0c68a480e6d027182bd5eadd21a2feede73f4c3f382ef17adb0b3140a7b3a
Instruction Fuzzy Hash: 6F21F936A547106FD72B6BB4AC95B6A73ACDB06F51F010135F801A66D1DBB49C008A90

Function 003844C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,003ACC08), ref: 00384527
_wcslen.LIBCMT ref: 0038453B
_wcslen.LIBCMT ref: 00384599
_wcslen.LIBCMT ref: 003845F4
_wcslen.LIBCMT ref: 0038463F
_wcslen.LIBCMT ref: 003846A7

Part of subcall function 0032F9F2: _wcslen.LIBCMT ref: 0032F9FD

GetDriveTypeW.KERNEL32(?,003D6BF0,00000061), ref: 00384743

Strings

fixed, xrefs: 00384635, 0038463A
removable, xrefs: 003845EA, 003845EF
all, xrefs: 00384531, 00384536
unknown, xrefs: 00384708
network, xrefs: 0038469D, 003846A2
cdrom, xrefs: 0038458F, 00384594
ramdisk, xrefs: 003846F1

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: ba32432c3872fd1d3da0e743f813e3280c6380ec984e09e71665e8f87c6c49eb
Instruction ID: 717dae6aba2ae25685e37f7a1469dc6ad24b6bded703241ac81e0f3ea196e4b3
Opcode Fuzzy Hash: ba32432c3872fd1d3da0e743f813e3280c6380ec984e09e71665e8f87c6c49eb
Instruction Fuzzy Hash: B0B126316083039FC716EF28C891A6EB7E5BFAA720F51495DF4A6C7691E730D884CB52

Function 003A911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00329BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00329BB2

DragQueryPoint.SHELL32(?,?), ref: 003A9147

Part of subcall function 003A7674: ClientToScreen.USER32(?,?), ref: 003A769A
Part of subcall function 003A7674: GetWindowRect.USER32(?,?), ref: 003A7710
Part of subcall function 003A7674: PtInRect.USER32(?,?,003A8B89), ref: 003A7720

SendMessageW.USER32(?,000000B0,?,?), ref: 003A91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 003A91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 003A91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 003A9225
SendMessageW.USER32(?,000000B0,?,?), ref: 003A923E
SendMessageW.USER32(?,000000B1,?,?), ref: 003A9255
SendMessageW.USER32(?,000000B1,?,?), ref: 003A9277
DragFinish.SHELL32(?), ref: 003A927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 003A9371

Strings

p#>, xrefs: 003A92BB
@GUI_DRAGFILE, xrefs: 003A9320
@GUI_DRAGID, xrefs: 003A92E9
@GUI_DROPID, xrefs: 003A929E

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#>
API String ID: 221274066-2972201462
Opcode ID: d220697adb0be2d418ea9884d54a500acf0750f2302a5a7bd72d1509a2563484
Instruction ID: ca605421b9105303a06e925fee75c98f94232a083fb2b4ce62d523c425c3663e
Opcode Fuzzy Hash: d220697adb0be2d418ea9884d54a500acf0750f2302a5a7bd72d1509a2563484
Instruction Fuzzy Hash: 06615C71108301AFC706DF65DC85EAFBBE8EF8A750F000A1EF595971A1DB709A49CB92

Function 0031326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(003E1990), ref: 00352F8D
GetMenuItemCount.USER32(003E1990), ref: 0035303D
GetCursorPos.USER32(?), ref: 00353081
SetForegroundWindow.USER32(00000000), ref: 0035308A
TrackPopupMenuEx.USER32(003E1990,00000000,?,00000000,00000000,00000000), ref: 0035309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 003530A9

Strings

0, xrefs: 0031327D

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 949fa149c00f1f50091b8f782b9507f6b101c42db16ec75068f8579b2065a04e
Instruction ID: 42938277add25ad059b3582f559a8a65ab8ded97ad376b9b8ce3c3c85f43ed49
Opcode Fuzzy Hash: 949fa149c00f1f50091b8f782b9507f6b101c42db16ec75068f8579b2065a04e
Instruction Fuzzy Hash: D2711770644205BEEB279F25DC49FAABF68FF06364F204216F9156A1F0C7B1AD54CB90

Function 003A6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 003A6DEB

Part of subcall function 00316B57: _wcslen.LIBCMT ref: 00316B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 003A6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 003A6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003A6E94
DestroyWindow.USER32(?), ref: 003A6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00310000,00000000), ref: 003A6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003A6EFD
GetDesktopWindow.USER32 ref: 003A6F16
GetWindowRect.USER32(00000000), ref: 003A6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 003A6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 003A6F4D

Part of subcall function 00329944: GetWindowLongW.USER32(?,000000EB), ref: 00329952

Strings

tooltips_class32, xrefs: 003A6E58, 003A6EDD
0, xrefs: 003A6D98

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 291d26145a93ef57d167ffde8b6875c1d6c5950b76a9bff8034400bbf1c3120b
Instruction ID: 27f2126273496dd47ba3946dbf2fe3d88eb6679c181b4fe8f8e08d573dd99259
Opcode Fuzzy Hash: 291d26145a93ef57d167ffde8b6875c1d6c5950b76a9bff8034400bbf1c3120b
Instruction Fuzzy Hash: 28715874144244AFDB22CF18DC55FAABBE9FB8A304F08451EF999872A1C770A945CB51

Function 0038C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0038C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0038C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0038C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0038C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0038C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0038C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0038C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0038C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0038C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0038C5F0
InternetCloseHandle.WININET(00000000), ref: 0038C5FB

Strings

, xrefs: 0038C575

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: a616765e36753d35e31f723015c172f40aea7374fc753d704ba606ef75e46cb5
Instruction ID: b352ac00af0ea46f1d5c1ac28564839366071f33e6b2d1e126dcc58ae32d4f23
Opcode Fuzzy Hash: a616765e36753d35e31f723015c172f40aea7374fc753d704ba606ef75e46cb5
Instruction Fuzzy Hash: F7516CB0510304BFDB23AF61C988AAB7BFCFB0A344F006459F94596650DB35E944DB70

Function 003A856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 003A8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003A85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003A85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003A85BA
GlobalLock.KERNEL32(00000000), ref: 003A85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003A85D7
GlobalUnlock.KERNEL32(00000000), ref: 003A85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003A85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003A85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,003AFC38,?), ref: 003A8611
GlobalFree.KERNEL32(00000000), ref: 003A8621
GetObjectW.GDI32(?,00000018,?), ref: 003A8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 003A8671
DeleteObject.GDI32(?), ref: 003A8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 003A86AF

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 0ff3ca48061ff68ef9a249f0bf3b9549d15963bf63d065d579228f6845ef03ef
Instruction ID: e3c6692f64d59378b8bf1504dbddbc564e67d6ae4c5a1148d19222c6bd173c0d
Opcode Fuzzy Hash: 0ff3ca48061ff68ef9a249f0bf3b9549d15963bf63d065d579228f6845ef03ef
Instruction Fuzzy Hash: E841F875610208AFDB12DFA5DC88EAABBBCFF8AB11F154558F905E7260DB349D01CB60

Function 003814BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00381502
VariantCopy.OLEAUT32(?,?), ref: 0038150B
VariantClear.OLEAUT32(?), ref: 00381517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 003815FB
VarR8FromDec.OLEAUT32(?,?), ref: 00381657
VariantInit.OLEAUT32(?), ref: 00381708
SysFreeString.OLEAUT32(?), ref: 0038178C
VariantClear.OLEAUT32(?), ref: 003817D8
VariantClear.OLEAUT32(?), ref: 003817E7
VariantInit.OLEAUT32(00000000), ref: 00381823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00381625
Default, xrefs: 003816AF

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 791563d9b91d3c1f94dac181a3b28388d9e74fb4890dc15fd9530f91703cd8bf
Instruction ID: c9d492b12914623bd2a224d3c7a9423747c20ef3f78bc2027c87cce77d84f243
Opcode Fuzzy Hash: 791563d9b91d3c1f94dac181a3b28388d9e74fb4890dc15fd9530f91703cd8bf
Instruction Fuzzy Hash: E8D10432600215DBDB16AF65E885BBDB7BDBF86700F10809AF446AF580DB30DC42DB51

Function 0039B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00319CB3: _wcslen.LIBCMT ref: 00319CBD

Part of subcall function 0039C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0039B6AE,?,?), ref: 0039C9B5
Part of subcall function 0039C998: _wcslen.LIBCMT ref: 0039C9F1
Part of subcall function 0039C998: _wcslen.LIBCMT ref: 0039CA68
Part of subcall function 0039C998: _wcslen.LIBCMT ref: 0039CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0039B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0039B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0039B80A
RegCloseKey.ADVAPI32(?), ref: 0039B87E
RegCloseKey.ADVAPI32(?), ref: 0039B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0039B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0039B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0039B922
FreeLibrary.KERNEL32(00000000), ref: 0039B983
RegCloseKey.ADVAPI32(00000000), ref: 0039B994

Strings

advapi32.dll, xrefs: 0039B8ED
RegDeleteKeyExW, xrefs: 0039B8FE

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 915f3fc1363e28ab4fb38e2359f346a8137fc0d446918a5c3120a99d6b067dab
Instruction ID: 5b383b2e3b9ac71b348b3492f40b4d55442e7702d5e3cbc9b785ec6f70fa5631
Opcode Fuzzy Hash: 915f3fc1363e28ab4fb38e2359f346a8137fc0d446918a5c3120a99d6b067dab
Instruction Fuzzy Hash: EFC1AE30218201AFDB16DF14D595F6AFBE5BF88308F15859CF59A4B2A2CB31EC85CB91

Function 0039255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 003925D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 003925E8
CreateCompatibleDC.GDI32(?), ref: 003925F4
SelectObject.GDI32(00000000,?), ref: 00392601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0039266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 003926AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 003926D0
SelectObject.GDI32(?,?), ref: 003926D8
DeleteObject.GDI32(?), ref: 003926E1
DeleteDC.GDI32(?), ref: 003926E8
ReleaseDC.USER32(00000000,?), ref: 003926F3

Strings

(, xrefs: 0039268D

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: b0f51f1ac4ef8c95d2c74f478f83274471af12299424548455c157ab69add406
Instruction ID: b84130b1cef584695dc8661ccb284b3e4c58a1c8004e5d882a6d8609b2e97819
Opcode Fuzzy Hash: b0f51f1ac4ef8c95d2c74f478f83274471af12299424548455c157ab69add406
Instruction Fuzzy Hash: 7761E375E00219EFCF06CFA4D884AAEBBF9FF48310F208529E955A7250D770A941CF90

Function 0034DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0034DAA1

Part of subcall function 0034D63C: _free.LIBCMT ref: 0034D659
Part of subcall function 0034D63C: _free.LIBCMT ref: 0034D66B
Part of subcall function 0034D63C: _free.LIBCMT ref: 0034D67D
Part of subcall function 0034D63C: _free.LIBCMT ref: 0034D68F
Part of subcall function 0034D63C: _free.LIBCMT ref: 0034D6A1
Part of subcall function 0034D63C: _free.LIBCMT ref: 0034D6B3
Part of subcall function 0034D63C: _free.LIBCMT ref: 0034D6C5
Part of subcall function 0034D63C: _free.LIBCMT ref: 0034D6D7
Part of subcall function 0034D63C: _free.LIBCMT ref: 0034D6E9
Part of subcall function 0034D63C: _free.LIBCMT ref: 0034D6FB
Part of subcall function 0034D63C: _free.LIBCMT ref: 0034D70D
Part of subcall function 0034D63C: _free.LIBCMT ref: 0034D71F
Part of subcall function 0034D63C: _free.LIBCMT ref: 0034D731

_free.LIBCMT ref: 0034DA96

Part of subcall function 003429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0034D7D1,00000000,00000000,00000000,00000000,?,0034D7F8,00000000,00000007,00000000,?,0034DBF5,00000000), ref: 003429DE
Part of subcall function 003429C8: GetLastError.KERNEL32(00000000,?,0034D7D1,00000000,00000000,00000000,00000000,?,0034D7F8,00000000,00000007,00000000,?,0034DBF5,00000000,00000000), ref: 003429F0

_free.LIBCMT ref: 0034DAB8
_free.LIBCMT ref: 0034DACD
_free.LIBCMT ref: 0034DAD8
_free.LIBCMT ref: 0034DAFA
_free.LIBCMT ref: 0034DB0D
_free.LIBCMT ref: 0034DB1B
_free.LIBCMT ref: 0034DB26
_free.LIBCMT ref: 0034DB5E
_free.LIBCMT ref: 0034DB65
_free.LIBCMT ref: 0034DB82
_free.LIBCMT ref: 0034DB9A

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 1e5be4842a00645fced3e6d8b30c40849401ed6fa881d3def179605720683f39
Instruction ID: 17209ead028a21b35f35c7ed12b8065dbe8aa8623b30fb7877be6497231f9f53
Opcode Fuzzy Hash: 1e5be4842a00645fced3e6d8b30c40849401ed6fa881d3def179605720683f39
Instruction Fuzzy Hash: 1A312A326046059FEB23AA39E845B5B77E9FF01310F56441AF449EF291DB31BC50C720

Function 0037365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0037369C
_wcslen.LIBCMT ref: 003736A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00373797
GetClassNameW.USER32(?,?,00000400), ref: 0037380C
GetDlgCtrlID.USER32(?), ref: 0037385D
GetWindowRect.USER32(?,?), ref: 00373882
GetParent.USER32(?), ref: 003738A0
ScreenToClient.USER32(00000000), ref: 003738A7
GetClassNameW.USER32(?,?,00000100), ref: 00373921
GetWindowTextW.USER32(?,?,00000400), ref: 0037395D

Strings

%s%u, xrefs: 00373734

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 16393c9ec2419daf3344007b1244e1c3fd0d0826381e90d3391011ac9d681605
Instruction ID: 6925c07ca8e5a3a5d1c46e8ee47dc886d45094cd95868daef0ae5bff3aca7334
Opcode Fuzzy Hash: 16393c9ec2419daf3344007b1244e1c3fd0d0826381e90d3391011ac9d681605
Instruction Fuzzy Hash: 2191D171204606AFD72ADF24C885BEAF7E8FF45310F008629FA9DD6190DB34EA45DB91

Function 00374954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00374994
GetWindowTextW.USER32(?,?,00000400), ref: 003749DA
_wcslen.LIBCMT ref: 003749EB
CharUpperBuffW.USER32(?,00000000), ref: 003749F7
_wcsstr.LIBVCRUNTIME ref: 00374A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00374A64
GetWindowTextW.USER32(?,?,00000400), ref: 00374A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00374AE6
GetClassNameW.USER32(?,?,00000400), ref: 00374B20
GetWindowRect.USER32(?,?), ref: 00374B8B

Strings

ThumbnailClass, xrefs: 00374A6F, 00374AF1

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: cb8c4c143f1614477d519f0605bb54c6bc9c313b58a692eccbb524529ebec441
Instruction ID: 0adddcd26b93210ef3d1f22b9a3576a1b0a3cca8de4476ffce986469e07c691b
Opcode Fuzzy Hash: cb8c4c143f1614477d519f0605bb54c6bc9c313b58a692eccbb524529ebec441
Instruction Fuzzy Hash: F491C1311042099FDB26DF14C981BAA77E8FF84314F05C46AFD899A196EB38FD45CBA1

Function 003A8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00329BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00329BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 003A8D5A
GetFocus.USER32 ref: 003A8D6A
GetDlgCtrlID.USER32(00000000), ref: 003A8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 003A8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 003A8ECF
GetMenuItemCount.USER32(?), ref: 003A8EEC
GetMenuItemID.USER32(?,00000000), ref: 003A8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 003A8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 003A8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 003A8FA1

Strings

0, xrefs: 003A8E9F

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: fdb27f536e82a0432c31f5120d8c8fd6ca4a334681203a577164469a92fcee23
Instruction ID: 1d72520492553d7bf84d3f05ada71bc42bf1cc252b48737929ec8e887eb01a1f
Opcode Fuzzy Hash: fdb27f536e82a0432c31f5120d8c8fd6ca4a334681203a577164469a92fcee23
Instruction Fuzzy Hash: B381B1715083019FDB22CF24D884EABBBE9FF8A754F150A1DF9959B291DB70D900CBA1

Function 0037DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0037DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0037DC46
_wcslen.LIBCMT ref: 0037DC50
_wcsstr.LIBVCRUNTIME ref: 0037DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0037DCBC

Strings

%u.%u.%u.%u, xrefs: 0037DD9A
StringFileInfo\, xrefs: 0037DC8F
\VarFileInfo\Translation, xrefs: 0037DCB4
04090000, xrefs: 0037DCF2
DefaultLangCodepage, xrefs: 0037DD1F

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 005a3802584f780638a52aa303e1fd7d626df76e7e95b9c373f161de58b6ae48
Instruction ID: 82ed8656575b57d6c3431dd91fae9dd993edd9cb60f32b0dbe1dc83fe7e0f673
Opcode Fuzzy Hash: 005a3802584f780638a52aa303e1fd7d626df76e7e95b9c373f161de58b6ae48
Instruction Fuzzy Hash: 124128329402107ADB27A774AC83FFF77BCEF56710F10406AF904EA182EB79990097A4

Function 0039CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0039CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0039CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0039CD48

Part of subcall function 0039CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0039CCAA
Part of subcall function 0039CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0039CCBD
Part of subcall function 0039CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0039CCCF
Part of subcall function 0039CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0039CD05
Part of subcall function 0039CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0039CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0039CCF3

Strings

advapi32.dll, xrefs: 0039CCB8
RegDeleteKeyExW, xrefs: 0039CCC9

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 48a3869c15e86c7fd00a5199429dc0987ba020bfd2fb73b6e49c6565c5d39006
Instruction ID: de762413c6cc998d329aee5097b8c592d930560df545824fe8fee9c4feea8a61
Opcode Fuzzy Hash: 48a3869c15e86c7fd00a5199429dc0987ba020bfd2fb73b6e49c6565c5d39006
Instruction Fuzzy Hash: 9F316C72A11129BBDB22CB54DC88EFFBB7CEF46750F011165E906E2240DA349E46DAA0

Function 00383D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00383D40
_wcslen.LIBCMT ref: 00383D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00383D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00383DBE
RemoveDirectoryW.KERNEL32(?), ref: 00383DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00383E55
CloseHandle.KERNEL32(00000000), ref: 00383E60
CloseHandle.KERNEL32(00000000), ref: 00383E6B

Strings

\, xrefs: 00383D77
\??\%s, xrefs: 00383D5B
:, xrefs: 00383D82

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 82af3fb8f38808b6e6705b655dc19a18c8ed42730605db853bc5215e24a1cb15
Instruction ID: 7011baf2b5383df35136764f30c6c664f285b67ae6610debcdd07979a29b41fa
Opcode Fuzzy Hash: 82af3fb8f38808b6e6705b655dc19a18c8ed42730605db853bc5215e24a1cb15
Instruction Fuzzy Hash: A431C676910209ABDB22AFA0DC49FEF37BCEF89B00F1141B5F505D6160EB7497488B24

Function 0037E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0037E6B4

Part of subcall function 0032E551: timeGetTime.WINMM(?,?,0037E6D4), ref: 0032E555

Sleep.KERNEL32(0000000A), ref: 0037E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0037E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0037E727
SetActiveWindow.USER32 ref: 0037E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0037E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0037E773
Sleep.KERNEL32(000000FA), ref: 0037E77E
IsWindow.USER32 ref: 0037E78A
EndDialog.USER32(00000000), ref: 0037E79B

Strings

BUTTON, xrefs: 0037E719

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 7fb0afacd5769b009c1e68de4396793e9b6ddf2c3e0ce204801521a533a1d6ed
Instruction ID: 33354c80dbf78af15d599005e6fae3a9c7a88bf2b0656a4ec0ad450ae0d688c7
Opcode Fuzzy Hash: 7fb0afacd5769b009c1e68de4396793e9b6ddf2c3e0ce204801521a533a1d6ed
Instruction Fuzzy Hash: DE21C670210284AFEF335F24ECC9A263B6DF75A348F109565F45D851F1DBF5AC008A24

Function 0037E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00319CB3: _wcslen.LIBCMT ref: 00319CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0037EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0037EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0037EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0037EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0037EAA7

Strings

close PlayMe, xrefs: 0037EA6E, 0037EA9B
play PlayMe wait, xrefs: 0037EA91
open , xrefs: 0037EA0C
status PlayMe mode, xrefs: 0037EA58
play PlayMe, xrefs: 0037EAA2
alias PlayMe, xrefs: 0037EA36

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 3e849ca3d13fa1847cc0360e9c9aca65d09cc5673e2053cc2661a3bfee5001f3
Instruction ID: 91a05a9dcfe1e0e5987584311d7b57cb816c7d273f0160bef361ace2e8e1390b
Opcode Fuzzy Hash: 3e849ca3d13fa1847cc0360e9c9aca65d09cc5673e2053cc2661a3bfee5001f3
Instruction Fuzzy Hash: 9C11C632A9025979D726A7A1EC5BEFF6B7CEBD5B00F00042AF821A60D0EF701D45C5B0

Function 00375CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00375CE2
GetWindowRect.USER32(00000000,?), ref: 00375CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00375D59
GetDlgItem.USER32(?,00000002), ref: 00375D69
GetWindowRect.USER32(00000000,?), ref: 00375D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00375DCF
GetDlgItem.USER32(?,000003E9), ref: 00375DDD
GetWindowRect.USER32(00000000,?), ref: 00375DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00375E31
GetDlgItem.USER32(?,000003EA), ref: 00375E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00375E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00375E67

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 8f0931878f95751094c108d339d1eff80507db6f9f8d15552a083d0dbd3f67de
Instruction ID: b0f9445f196445a61919b8ef0edb2c4a749c6b6945451c5a429f2b4f07ca748e
Opcode Fuzzy Hash: 8f0931878f95751094c108d339d1eff80507db6f9f8d15552a083d0dbd3f67de
Instruction Fuzzy Hash: 15512F71B10609AFDF19CF68DD89AAEBBB9FB48300F159129F519E7290D7749E00CB50

Function 00328BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00328F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00328BE8,?,00000000,?,?,?,?,00328BBA,00000000,?), ref: 00328FC5

DestroyWindow.USER32(?), ref: 00328C81
KillTimer.USER32(00000000,?,?,?,?,00328BBA,00000000,?), ref: 00328D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00366973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00328BBA,00000000,?), ref: 003669A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00328BBA,00000000,?), ref: 003669B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00328BBA,00000000), ref: 003669D4
DeleteObject.GDI32(00000000), ref: 003669E6

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: f0418bafe160ef2cf56766016eb92b0354112897c9d657e620a1f856d27fcada
Instruction ID: c681ac23b459064988e1b865e8d29d22f79ae20f6feb81faa804d431f53980e8
Opcode Fuzzy Hash: f0418bafe160ef2cf56766016eb92b0354112897c9d657e620a1f856d27fcada
Instruction Fuzzy Hash: 8461BD31503620DFCB379F14EA89B29B7F9FB41312F16961CE0429A9A4CB31AC90CF90

Function 00329838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00329944: GetWindowLongW.USER32(?,000000EB), ref: 00329952

GetSysColor.USER32(0000000F), ref: 00329862

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: eb8aa00a0b17dc7261244fe9918ab6aad5957e2569ab3102c5e9f98c56a53410
Instruction ID: 951c297d77944541216150d96639ea95df37b1a3922b42dd6dce529c5abd3549
Opcode Fuzzy Hash: eb8aa00a0b17dc7261244fe9918ab6aad5957e2569ab3102c5e9f98c56a53410
Instruction Fuzzy Hash: 2341B7315046509FDB275F38AC88BB93BA9FB17330F594656F9A28B1E1D7319C42DB10

Function 00348D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.3, xrefs: 0034903A, 00348FD0, 00348FF2

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID:
String ID: .3
API String ID: 0-376848344
Opcode ID: 494addb71db35ff5f452154437375fd7fb30e115d94b864f16d4f99c8ac8bdda
Instruction ID: 88cdbfff4dcc2c9b73d67730a7d5afe98b2c88a833b0744496ef18c535865318
Opcode Fuzzy Hash: 494addb71db35ff5f452154437375fd7fb30e115d94b864f16d4f99c8ac8bdda
Instruction Fuzzy Hash: A0C1C374D04249AFDB13DFA8D885BAEBBF4AF09310F15415AF414AF392C770A942CB61

Function 003796E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0035F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00379717
LoadStringW.USER32(00000000,?,0035F7F8,00000001), ref: 00379720

Part of subcall function 00319CB3: _wcslen.LIBCMT ref: 00319CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0035F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00379742
LoadStringW.USER32(00000000,?,0035F7F8,00000001), ref: 00379745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00379866

Strings

^ ERROR, xrefs: 003797FB
Line %d:, xrefs: 003797A0
Line %d (File "%s"):, xrefs: 0037978F
Error: , xrefs: 0037981D
%s (%d) : ==> %s: %s %s, xrefs: 0037984A

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: a2457e20d8c2816043de57b15ba6b2e5a39c67e915185220762a8a5bcfd34dcb
Instruction ID: 20ddfb70e3f534fcb1a0d97a56483d1faf4b08dfadb2ea7b94147346732187f9
Opcode Fuzzy Hash: a2457e20d8c2816043de57b15ba6b2e5a39c67e915185220762a8a5bcfd34dcb
Instruction Fuzzy Hash: DF4164729001096ACB1AEBD0DD53EEE737CAF19340F104566F60576091EB356F88CB61

Function 003706DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00316B57: _wcslen.LIBCMT ref: 00316B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 003707A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 003707BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 003707DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00370804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0037082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00370837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0037083C

Strings

\IPC$, xrefs: 00370784
SOFTWARE\Classes\, xrefs: 0037070E
\CLSID, xrefs: 00370724

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 681e0962aa945bbd224c06dc4a24df68a8b3563b0bd2b64f6df4f88c6e025fb0
Instruction ID: 2be3a37e0f30e2b260e5c910957acb3d4a7934b4afd2684c65ec2557d7b20bdf
Opcode Fuzzy Hash: 681e0962aa945bbd224c06dc4a24df68a8b3563b0bd2b64f6df4f88c6e025fb0
Instruction Fuzzy Hash: 1A411A72C10229EBCF2AEBA4DC95DEDB778BF08350F05412AE905A7160EB349E44CB90

Function 00393C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00393C5C
CoInitialize.OLE32(00000000), ref: 00393C8A
CoUninitialize.OLE32 ref: 00393C94
_wcslen.LIBCMT ref: 00393D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00393DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00393ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00393F0E
CoGetObject.OLE32(?,00000000,003AFB98,?), ref: 00393F2D
SetErrorMode.KERNEL32(00000000), ref: 00393F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00393FC4
VariantClear.OLEAUT32(?), ref: 00393FD8

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 9a959a059d4e286baebe8ec9766a121351ef9ef16afc390fe9979df1b4eddbe3
Instruction ID: 84041a0b049bc18beca526641ff187b20a9ce0e69a69f7f1a817222e123502e5
Opcode Fuzzy Hash: 9a959a059d4e286baebe8ec9766a121351ef9ef16afc390fe9979df1b4eddbe3
Instruction Fuzzy Hash: 43C135B16083059FDB02DF68C88492BBBE9FF89744F10491DF98A9B210DB31EE45CB52

Function 00387A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00387AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00387B8F
SHGetDesktopFolder.SHELL32(?), ref: 00387BA3
CoCreateInstance.OLE32(003AFD08,00000000,00000001,003D6E6C,?), ref: 00387BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00387C74
CoTaskMemFree.OLE32(?,?), ref: 00387CCC
SHBrowseForFolderW.SHELL32(?), ref: 00387D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00387D7A
CoTaskMemFree.OLE32(00000000), ref: 00387D81
CoTaskMemFree.OLE32(00000000), ref: 00387DD6
CoUninitialize.OLE32 ref: 00387DDC

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 979b49b3ced7f2c472525339d3b97a4d61752772cc6d8910532b43f74322c684
Instruction ID: d23cc065c9d7e35a97aa189b92605d7510e607be41859046ea8fbc8b13b9fb81
Opcode Fuzzy Hash: 979b49b3ced7f2c472525339d3b97a4d61752772cc6d8910532b43f74322c684
Instruction Fuzzy Hash: 7AC11C75A04209AFCB15DFA4C884DAEBBF9FF49304B158499E819DB361D730EE45CB90

Function 003A541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 003A5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003A5515
CharNextW.USER32(00000158), ref: 003A5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 003A5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 003A559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003A55AC

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 761399b0d3185f2b1250898f00c0c4a4c637f1270c8a7173c758807d3cd3b01f
Instruction ID: b69d744a85d5773b025e1fe49b4ed9bf5ba5ea059e2d049c9c7121783512d938
Opcode Fuzzy Hash: 761399b0d3185f2b1250898f00c0c4a4c637f1270c8a7173c758807d3cd3b01f
Instruction Fuzzy Hash: F1617C31904608EBDF12DF55CC849FE7BBDEB0B721F154149F925AA2A1D7748A80DBA0

Function 0036FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0036FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0036FB08
VariantInit.OLEAUT32(?), ref: 0036FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0036FB3A
VariantCopy.OLEAUT32(?,?), ref: 0036FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0036FBA1
VariantClear.OLEAUT32(?), ref: 0036FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0036FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0036FBCC
VariantClear.OLEAUT32(?), ref: 0036FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0036FBE9

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 813896d591f770ecbdb8008e48b021150822f5c4125961a1236e41ab2c1b22f1
Instruction ID: 0ef4b8a7c494032caa92e894466da6b28a2093d30974b61427f865aa8229031c
Opcode Fuzzy Hash: 813896d591f770ecbdb8008e48b021150822f5c4125961a1236e41ab2c1b22f1
Instruction Fuzzy Hash: 71416335A00219DFCB06DFA9D8549EDBBB9FF09344F00D069E905AB261CB30E945CFA0

Function 00379C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00379CA1
GetAsyncKeyState.USER32(000000A0), ref: 00379D22
GetKeyState.USER32(000000A0), ref: 00379D3D
GetAsyncKeyState.USER32(000000A1), ref: 00379D57
GetKeyState.USER32(000000A1), ref: 00379D6C
GetAsyncKeyState.USER32(00000011), ref: 00379D84
GetKeyState.USER32(00000011), ref: 00379D96
GetAsyncKeyState.USER32(00000012), ref: 00379DAE
GetKeyState.USER32(00000012), ref: 00379DC0
GetAsyncKeyState.USER32(0000005B), ref: 00379DD8
GetKeyState.USER32(0000005B), ref: 00379DEA

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 713e866110934d9a2f4eebfe689964b8a0ab329143406aac22fb5f57df2280f9
Instruction ID: 2221140bc4ee4ad0030e6670a2894eec08b2c76c720198eecef269277154b5a3
Opcode Fuzzy Hash: 713e866110934d9a2f4eebfe689964b8a0ab329143406aac22fb5f57df2280f9
Instruction Fuzzy Hash: B341C9345047CA6DFF33966488043B5BEE16F13344F09C25BDACA565C2EBAD99C4C792

Function 0039055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 003905BC
inet_addr.WSOCK32(?), ref: 0039061C
gethostbyname.WSOCK32(?), ref: 00390628
IcmpCreateFile.IPHLPAPI ref: 00390636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 003906C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 003906E5
IcmpCloseHandle.IPHLPAPI(?), ref: 003907B9
WSACleanup.WSOCK32 ref: 003907BF

Strings

Ping, xrefs: 00390676

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 8042003f23896a2df2a13d2722d00b6a7bc27ccb6fe37c2722e2e5de693eaa07
Instruction ID: 59773b7a7a58cd745d0c3ba92970a3b37b9a7f66239f29c1bdd1e310c04bec76
Opcode Fuzzy Hash: 8042003f23896a2df2a13d2722d00b6a7bc27ccb6fe37c2722e2e5de693eaa07
Instruction Fuzzy Hash: 07918D356082019FDB26DF15D488F1ABBE4EF49328F1585A9E4698F6A2C730EC81CF91

Function 00398CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00398CF3

Part of subcall function 00378E54: _wcslen.LIBCMT ref: 00378E77

_wcslen.LIBCMT ref: 00398D4E
_wcslen.LIBCMT ref: 00398D9C
_wcslen.LIBCMT ref: 00398DDC
_wcslen.LIBCMT ref: 00398E6E

Strings

winapi, xrefs: 00398D96, 00398D9B
cdecl, xrefs: 00398D48, 00398D4D
stdcall, xrefs: 00398DD6, 00398DDB
none, xrefs: 00398E65, 00398E6A

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 48b01f59a03893d666e8eba7654bad6d34c59a82c8125c995354807eecce236d
Instruction ID: 6b8800b0ad741a03746cf7d30a86ec7fe1057153adad4ea6516c9156f6487a6f
Opcode Fuzzy Hash: 48b01f59a03893d666e8eba7654bad6d34c59a82c8125c995354807eecce236d
Instruction Fuzzy Hash: 6151A432A041169BCF16DF6CC9519BEB7A5BFA6724B214229E426EB3C4DF31DD40C790

Function 0039372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00393774
CoUninitialize.OLE32 ref: 0039377F
CoCreateInstance.OLE32(?,00000000,00000017,003AFB78,?), ref: 003937D9
IIDFromString.OLE32(?,?), ref: 0039384C
VariantInit.OLEAUT32(?), ref: 003938E4
VariantClear.OLEAUT32(?), ref: 00393936

Strings

Invalid parameter, xrefs: 00393865
NULL Pointer assignment, xrefs: 0039381E
Failed to create object, xrefs: 003937E4, 0039389A

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: e41a242d56c25781a8c8f9712849403c60367eab4f1b8575c238d8bea8a59dc4
Instruction ID: c6759340ed5aaf227299786343b95e66cae63b384f15243f01dd75a61e025784
Opcode Fuzzy Hash: e41a242d56c25781a8c8f9712849403c60367eab4f1b8575c238d8bea8a59dc4
Instruction Fuzzy Hash: E561B1B1608311AFD712DF54C888FAABBE8EF49710F00480DF9859B291D770EE48CB92

Function 003A8B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00329BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00329BB2

Part of subcall function 0032912D: GetCursorPos.USER32(?), ref: 00329141
Part of subcall function 0032912D: ScreenToClient.USER32(00000000,?), ref: 0032915E
Part of subcall function 0032912D: GetAsyncKeyState.USER32(00000001), ref: 00329183
Part of subcall function 0032912D: GetAsyncKeyState.USER32(00000002), ref: 0032919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 003A8B6B
ImageList_EndDrag.COMCTL32 ref: 003A8B71
ReleaseCapture.USER32 ref: 003A8B77
SetWindowTextW.USER32(?,00000000), ref: 003A8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 003A8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 003A8CFF

Strings

@GUI_DRAGFILE, xrefs: 003A8C9A
@GUI_DROPID, xrefs: 003A8C51
p#>, xrefs: 003A8C71

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#>
API String ID: 1924731296-3185979782
Opcode ID: 0ee77d62d8c1082d53d669875ba33cdbc46111b65c9378bedacbcf6b4e805d13
Instruction ID: 6d8e152c6c7f6f91363d3cde11f44012817fb5f19cc14be825740f255798e34c
Opcode Fuzzy Hash: 0ee77d62d8c1082d53d669875ba33cdbc46111b65c9378bedacbcf6b4e805d13
Instruction Fuzzy Hash: 09518B71104344AFD716DF14DC96FAAB7E8FB89710F000629F9925B2E2DB709944CBA2

Function 00383388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 003833CF

Part of subcall function 00319CB3: _wcslen.LIBCMT ref: 00319CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 003833F0

Strings

Line %d (File "%s"):, xrefs: 00383443, 0038345C
^ ERROR , xrefs: 0038349E
Error: , xrefs: 003834D1
"%s" (%d) : ==> %s:%s%s, xrefs: 00383504
"%s" (%d) : ==> %s:, xrefs: 00383522
Incorrect parameters to object property !, xrefs: 003834AB

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: a8c17c86e0a1eef93a8986dbf87fe5da21a4c6d52290c1be1325e68f3bfcc97f
Instruction ID: 406d4c963d90edbc833be3ab2fa0f6702bb75f49d5ce557af26be1af7b0e3346
Opcode Fuzzy Hash: a8c17c86e0a1eef93a8986dbf87fe5da21a4c6d52290c1be1325e68f3bfcc97f
Instruction Fuzzy Hash: 3C519372900209AADF1BEBE0DD52EEEB378AF09740F104166F505771A1EB356F98DB60

Function 0037B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0037B5FC
_wcslen.LIBCMT ref: 0037B608
_wcslen.LIBCMT ref: 0037B64D
_wcslen.LIBCMT ref: 0037B68C
_wcslen.LIBCMT ref: 0037B6C7

Strings

APPEND, xrefs: 0037B6C1, 0037B6C6
REMOVE, xrefs: 0037B602, 0037B607
EXISTS, xrefs: 0037B686, 0037B68B
KEYS, xrefs: 0037B647, 0037B64C

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: acb68d486a5a1facc77f1860cf2f73ad0ee917a8294c0a667516bf091384247d
Instruction ID: 620dba21e65d8d68c480f3cde6acb0b6214194cbf34cf2116ccd39d98e703bed
Opcode Fuzzy Hash: acb68d486a5a1facc77f1860cf2f73ad0ee917a8294c0a667516bf091384247d
Instruction Fuzzy Hash: 6141FB32A000269BCB315F7DC8907BEF7B5BF64754B268129E629DB284E739CD81C790

Function 00385393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003853A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00385416
GetLastError.KERNEL32 ref: 00385420
SetErrorMode.KERNEL32(00000000,READY), ref: 003854A7

Strings

INVALID, xrefs: 00385459
READONLY, xrefs: 00385452
READY, xrefs: 00385460, 00385468
NOTREADY, xrefs: 0038544B
UNKNOWN, xrefs: 00385444

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: da90b20f12debf7b824965ab3ceffc853fe6442a61e22f16fb0fd7a6634008e8
Instruction ID: 09a7c18bf76ce88b0ea177471339cfb1331302021c5820158083bd0acd673575
Opcode Fuzzy Hash: da90b20f12debf7b824965ab3ceffc853fe6442a61e22f16fb0fd7a6634008e8
Instruction Fuzzy Hash: 5131E135A006049FDB12EF69C485BAABBF8EF09305F1480A6E405CF392DB71DD86CB90

Function 003A3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 003A3C79
SetMenu.USER32(?,00000000), ref: 003A3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003A3D10
IsMenu.USER32(?), ref: 003A3D24
CreatePopupMenu.USER32 ref: 003A3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 003A3D5B
DrawMenuBar.USER32 ref: 003A3D63

Strings

0, xrefs: 003A3C54
F, xrefs: 003A3D4E

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: b2a7bd8b27460f8cbf3ad0f1939dc08c7e2bbc54229ba3892e8ffe6fd954353a
Instruction ID: 242e9487f8dc2f32d9ecffb0d2216fa1237e92df9dcca40224b52c89c228b81a
Opcode Fuzzy Hash: b2a7bd8b27460f8cbf3ad0f1939dc08c7e2bbc54229ba3892e8ffe6fd954353a
Instruction Fuzzy Hash: ED415C75A01209EFDB15CF65D884AEA7BB9FF4B350F150029F946A7360D730AA10CF94

Function 003A3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 003A3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 003A3AA0
GetWindowLongW.USER32(?,000000F0), ref: 003A3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 003A3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 003A3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 003A3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 003A3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 003A3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 003A3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 003A3C13

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 690de11b3905889eb0ed87b37e7dea24f15f61c19fe7440b64a33de492157e7f
Instruction ID: 345e50b8d6201dfe380432ed7b808ff4038b764c5be196add40f54b192348649
Opcode Fuzzy Hash: 690de11b3905889eb0ed87b37e7dea24f15f61c19fe7440b64a33de492157e7f
Instruction Fuzzy Hash: F0616E75900248AFDB12DFA4CC81EEE77F8EB0A710F104159FA15AB2A1D774AE45DB60

Function 0037B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0037B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0037A1E1,?,00000001), ref: 0037B165
GetWindowThreadProcessId.USER32(00000000), ref: 0037B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0037A1E1,?,00000001), ref: 0037B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0037B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0037A1E1,?,00000001), ref: 0037B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0037A1E1,?,00000001), ref: 0037B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0037A1E1,?,00000001), ref: 0037B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0037A1E1,?,00000001), ref: 0037B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0037A1E1,?,00000001), ref: 0037B21D

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 2176be9e5d898cfdd28d21ab300379e0e139450c18c198757a585ed2c5ebaec9
Instruction ID: c55c72d17d9c2de12d05bd1d4fc29bd25e3f10cad6c84977232e7b40351fbe81
Opcode Fuzzy Hash: 2176be9e5d898cfdd28d21ab300379e0e139450c18c198757a585ed2c5ebaec9
Instruction Fuzzy Hash: 4F318071510208AFDB339F24DC88BADBBBDBB52311F158915FA09DB1A1D7B89E408F60

Function 00342C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00342C94

Part of subcall function 003429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0034D7D1,00000000,00000000,00000000,00000000,?,0034D7F8,00000000,00000007,00000000,?,0034DBF5,00000000), ref: 003429DE
Part of subcall function 003429C8: GetLastError.KERNEL32(00000000,?,0034D7D1,00000000,00000000,00000000,00000000,?,0034D7F8,00000000,00000007,00000000,?,0034DBF5,00000000,00000000), ref: 003429F0

_free.LIBCMT ref: 00342CA0
_free.LIBCMT ref: 00342CAB
_free.LIBCMT ref: 00342CB6
_free.LIBCMT ref: 00342CC1
_free.LIBCMT ref: 00342CCC
_free.LIBCMT ref: 00342CD7
_free.LIBCMT ref: 00342CE2
_free.LIBCMT ref: 00342CED
_free.LIBCMT ref: 00342CFB

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d11f32e01e165487c7a7d64f63247d9917ff0a561e12a3d548216b4cece33b7e
Instruction ID: bb13aa9caa057ae06ce3ec926d111c186d60c291767b76ab802890f083e3fe5f
Opcode Fuzzy Hash: d11f32e01e165487c7a7d64f63247d9917ff0a561e12a3d548216b4cece33b7e
Instruction Fuzzy Hash: 01116476500108AFDB02EF55D982CDE3BA5FF06350F9145A5FA48AF222DB31FA609B90

Function 00387DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00387FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00387FC1
GetFileAttributesW.KERNEL32(?), ref: 00387FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00388005
SetCurrentDirectoryW.KERNEL32(?), ref: 00388017
SetCurrentDirectoryW.KERNEL32(?), ref: 00388060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 003880B0

Strings

*.*, xrefs: 00388066

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 9785510100a07be37c5a0c71477916787970e7e3eedb7ab1249c02b441982947
Instruction ID: fe9ebdc19d056c24023228d6eecc8c92c7740a34735adeffcb975dc2ab6109ba
Opcode Fuzzy Hash: 9785510100a07be37c5a0c71477916787970e7e3eedb7ab1249c02b441982947
Instruction Fuzzy Hash: 7981B3725183019BCB26FF14C484AAAB3E9BF89310F654C9EF885CB250EB35ED45CB52

Function 00315BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00315C7A

Part of subcall function 00315D0A: GetClientRect.USER32(?,?), ref: 00315D30
Part of subcall function 00315D0A: GetWindowRect.USER32(?,?), ref: 00315D71
Part of subcall function 00315D0A: ScreenToClient.USER32(?,?), ref: 00315D99

GetDC.USER32 ref: 003546F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00354708
SelectObject.GDI32(00000000,00000000), ref: 00354716
SelectObject.GDI32(00000000,00000000), ref: 0035472B
ReleaseDC.USER32(?,00000000), ref: 00354733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 003547C4

Strings

U, xrefs: 00354693

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 8686b60b85eb9cfabdd1d8cf294a1c30472bed5c33e962e84a0102db04b8d506
Instruction ID: b084ea3f957bd6e4fcef5fa87ac8bd5ed95a79a9db212fcdb2ba1a546e61f494
Opcode Fuzzy Hash: 8686b60b85eb9cfabdd1d8cf294a1c30472bed5c33e962e84a0102db04b8d506
Instruction Fuzzy Hash: E971DF34400205DFCF2B8F64C984EEA3BB9FF8A31AF154229ED655A1B6C7318885DF50

Function 0038359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 003835E4

Part of subcall function 00319CB3: _wcslen.LIBCMT ref: 00319CBD

LoadStringW.USER32(003E2390,?,00000FFF,?), ref: 0038360A

Strings

^ ERROR, xrefs: 003836C9
Line %d (File "%s"):, xrefs: 0038366B
Error: , xrefs: 003836EF
"%s" (%d) : ==> %s:%s%s, xrefs: 00383724
"%s" (%d) : ==> %s:, xrefs: 00383742

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 6b2763e70c1c577afbdb58708f6a414ef167051f1dfe1fa194f873a2fac1e944
Instruction ID: e9ab9fd0814e2dae6c8ec46505e81b8705aac6d703cd10b38e60db77d25dfe77
Opcode Fuzzy Hash: 6b2763e70c1c577afbdb58708f6a414ef167051f1dfe1fa194f873a2fac1e944
Instruction Fuzzy Hash: C0516371900209BADF1BEBA0DC92EEDBB78EF08700F144166F515761A1EB315AD9DF60

Function 0038C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0038C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0038C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0038C2CA
GetLastError.KERNEL32 ref: 0038C322
SetEvent.KERNEL32(?), ref: 0038C336
InternetCloseHandle.WININET(00000000), ref: 0038C341

Strings

, xrefs: 0038C2BB

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 3a45d61d856f0e0b53bf6d4abefbc0d4862e4ef5e1c84bee9f63bcfa1a739ef2
Instruction ID: c545d755c91ccfddabd3b0144bf0854409234e9c9ecb218e04f037b80bc96424
Opcode Fuzzy Hash: 3a45d61d856f0e0b53bf6d4abefbc0d4862e4ef5e1c84bee9f63bcfa1a739ef2
Instruction Fuzzy Hash: 4231BFB5520304AFDB23AF649C88AAB7BFCEB49740F14955EF446D6200DB79DD058B70

Function 0037989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00353AAF,?,?,Bad directive syntax error,003ACC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 003798BC
LoadStringW.USER32(00000000,?,00353AAF,?), ref: 003798C3

Part of subcall function 00319CB3: _wcslen.LIBCMT ref: 00319CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00379987

Strings

., xrefs: 0037996D
Line %d:, xrefs: 00379912
Line %d (File "%s"):, xrefs: 0037992D
%s (%d) : ==> %s.: %s %s, xrefs: 003798F1
Error: , xrefs: 00379955

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 941760512df86e415a2c6eafafdab37c58ae9826be26b73153f06c0d5c78078b
Instruction ID: 36d9e9b509119ade7c7316b8dfc923a8d58bedb646ee0453084c9078c3576d43
Opcode Fuzzy Hash: 941760512df86e415a2c6eafafdab37c58ae9826be26b73153f06c0d5c78078b
Instruction Fuzzy Hash: 7021B43290021AABDF17AF90CC06FED7779FF19300F044467F5256A0A1DB35A658DB50

Function 0037209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 003720AB
GetClassNameW.USER32(00000000,?,00000100), ref: 003720C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0037214D

Strings

SHELLDLL_DefView, xrefs: 003720CC
list, xrefs: 0037212F
smallicons, xrefs: 00372115
details, xrefs: 003720FB
largeicons, xrefs: 003720E1

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 76ab3b98cecf527ce6a5ff5192d19e7b86b20812dc774c2d4feee80880f19909
Instruction ID: 46c9bea389af2ed997c0cbf2d56379b63865ff7bffaebb2d92174a5478aa0f3f
Opcode Fuzzy Hash: 76ab3b98cecf527ce6a5ff5192d19e7b86b20812dc774c2d4feee80880f19909
Instruction Fuzzy Hash: 45112977688706B9FA236720EC07DE7779CEB15324F614017FB08A91E1FE6968115614

Function 0034CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0034CEB7
_free.LIBCMT ref: 0034CF22
_free.LIBCMT ref: 0034CF48
_free.LIBCMT ref: 0034CF71
_free.LIBCMT ref: 0034CFA9
_free.LIBCMT ref: 0034CFDA
_free.LIBCMT ref: 0034D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0034D09C
_free.LIBCMT ref: 0034D0B5

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 122de3c248298867b580433248c6dc341b767be0465c8d908db8142b138bfe16
Instruction ID: 7d2fe8cea3036ad553d5307598c12303fb1e2fbe4bf288c88cad6fbdf6d6eef8
Opcode Fuzzy Hash: 122de3c248298867b580433248c6dc341b767be0465c8d908db8142b138bfe16
Instruction Fuzzy Hash: 5C613671A05240AFDB27AFB49CC1AAE7BE9EF05310F45426DF940AF292DB35BD448760

Function 00328B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00366890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 003668A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 003668B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 003668D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 003668F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00328874,00000000,00000000,00000000,000000FF,00000000), ref: 00366901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0036691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00328874,00000000,00000000,00000000,000000FF,00000000), ref: 0036692D

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: bd9132807dfab4ad2eec8c9a7b03fc7ee4acc25f1f21fabc6cf0a2339a1e0fb4
Instruction ID: 4d7ac276f58b30f22837d8e2a03b0b33b7048c1a4427f0652ae3f2b5e37e9186
Opcode Fuzzy Hash: bd9132807dfab4ad2eec8c9a7b03fc7ee4acc25f1f21fabc6cf0a2339a1e0fb4
Instruction Fuzzy Hash: 80518B70600209EFDB22CF25DC96FAA7BB9FB48750F11851CF9169B2A0DB70E990DB50

Function 0038C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0038C182
GetLastError.KERNEL32 ref: 0038C195
SetEvent.KERNEL32(?), ref: 0038C1A9

Part of subcall function 0038C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0038C272
Part of subcall function 0038C253: GetLastError.KERNEL32 ref: 0038C322
Part of subcall function 0038C253: SetEvent.KERNEL32(?), ref: 0038C336
Part of subcall function 0038C253: InternetCloseHandle.WININET(00000000), ref: 0038C341

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 795a64b7de0942673073107d226c5217083d20887b31397428e7e0fbc16e77d7
Instruction ID: e93fa5c0a7692a7399dc694e06562ab6481aaa19c3edf8ee12cf089b88976110
Opcode Fuzzy Hash: 795a64b7de0942673073107d226c5217083d20887b31397428e7e0fbc16e77d7
Instruction Fuzzy Hash: A5318B71220705AFDB22AFB59C48A66BBECFF59300B04A95DF95686660CB31E810DB70

Function 003725A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00373A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00373A57
Part of subcall function 00373A3D: GetCurrentThreadId.KERNEL32 ref: 00373A5E
Part of subcall function 00373A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003725B3), ref: 00373A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 003725BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 003725DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 003725DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 003725E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00372601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00372605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0037260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00372623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00372627

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 779252e412be25208ea94b415c6dc8d3bcc0302c16cd03c57aa61b6ac1930e77
Instruction ID: 8fd40ce7c482f82689813b16f083d64112a08db46f2b5e06c71f84b70291b547
Opcode Fuzzy Hash: 779252e412be25208ea94b415c6dc8d3bcc0302c16cd03c57aa61b6ac1930e77
Instruction Fuzzy Hash: F901D4313A0210BBFB2167689C8AF5A7F5DDB4FB12F105001F358AE0E1C9E224459A6A

Function 00371803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00371449,?,?,00000000), ref: 0037180C
HeapAlloc.KERNEL32(00000000,?,00371449,?,?,00000000), ref: 00371813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00371449,?,?,00000000), ref: 00371828
GetCurrentProcess.KERNEL32(?,00000000,?,00371449,?,?,00000000), ref: 00371830
DuplicateHandle.KERNEL32(00000000,?,00371449,?,?,00000000), ref: 00371833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00371449,?,?,00000000), ref: 00371843
GetCurrentProcess.KERNEL32(00371449,00000000,?,00371449,?,?,00000000), ref: 0037184B
DuplicateHandle.KERNEL32(00000000,?,00371449,?,?,00000000), ref: 0037184E
CreateThread.KERNEL32(00000000,00000000,00371874,00000000,00000000,00000000), ref: 00371868

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 3ab289418b16af52884578bd551f9eedaab7ac76699b5e6d7cf0ac1ce16ebd3a
Instruction ID: 8331d45eac7f098c407f92262cbdacff6a952fbcb8d0021e8ca207b3e2bf960f
Opcode Fuzzy Hash: 3ab289418b16af52884578bd551f9eedaab7ac76699b5e6d7cf0ac1ce16ebd3a
Instruction Fuzzy Hash: 0701BBB5350308BFE711ABA5DC4DF6B3BACEB8AB11F009411FA05DB1A1DA749800CB20

Function 0039A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0037D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0037D501
Part of subcall function 0037D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0037D50F
Part of subcall function 0037D4DC: CloseHandle.KERNEL32(00000000), ref: 0037D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0039A16D
GetLastError.KERNEL32 ref: 0039A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0039A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0039A268
GetLastError.KERNEL32(00000000), ref: 0039A273
CloseHandle.KERNEL32(00000000), ref: 0039A2C4

Strings

SeDebugPrivilege, xrefs: 0039A18F

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: b7efdb08954c4720dad392aeff5dc1995e8f0c33298db8f6c59bce149e393872
Instruction ID: 9bcc84201c37b0f3fddd9148d2fa3df5cd03b7bad98a25319dafd24160e8cd67
Opcode Fuzzy Hash: b7efdb08954c4720dad392aeff5dc1995e8f0c33298db8f6c59bce149e393872
Instruction Fuzzy Hash: 71619D312086019FDB26DF14C494F16BBE5AF44318F15858CE4A64F7A2C776EC85CBC2

Function 003A3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 003A3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 003A393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 003A3954
_wcslen.LIBCMT ref: 003A3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 003A39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 003A39F4

Strings

SysListView32, xrefs: 003A38F7

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: fb8e030e24981f341bb58468337382d815a67ced1a1284031cb6273e981ff13b
Instruction ID: 002742c7238798ad80f3cd3005606b171788c74dd0cc19b4cdc11453cca7a870
Opcode Fuzzy Hash: fb8e030e24981f341bb58468337382d815a67ced1a1284031cb6273e981ff13b
Instruction Fuzzy Hash: 3541C471A00218ABEF22DF64CC45FEA77A9EF09350F11012AF958E7291D7759E84CB90

Function 0037BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0037BCFD
IsMenu.USER32(00000000), ref: 0037BD1D
CreatePopupMenu.USER32 ref: 0037BD53
GetMenuItemCount.USER32(00CB5788), ref: 0037BDA4
InsertMenuItemW.USER32(00CB5788,?,00000001,00000030), ref: 0037BDCC

Strings

0, xrefs: 0037BCA8
2, xrefs: 0037BD37

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 07a7e00b1a765aa3d10118cfe5fb0aac7930aff6866a8c24514f0673d99ecd21
Instruction ID: cf18c1009414be335cb378186a698aa87091904b3906ae7ed3158ae035c2bcc4
Opcode Fuzzy Hash: 07a7e00b1a765aa3d10118cfe5fb0aac7930aff6866a8c24514f0673d99ecd21
Instruction Fuzzy Hash: 6C519E70A00205DFDB32CFA9D888BAEFBF8AF45314F14C119E419DB291E7789940CB51

Function 00332D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00332D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00332D53
_ValidateLocalCookies.LIBCMT ref: 00332DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00332E0C
_ValidateLocalCookies.LIBCMT ref: 00332E61

Strings

csm, xrefs: 00332DF6
&H3, xrefs: 00332DFE, 00332E07, 00332E18

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H3$csm
API String ID: 1170836740-2036257025
Opcode ID: 5677792864fe45bdc268785d9597099847739f1deb3667fcf7ff9c3a9c7030cf
Instruction ID: ff332842e82468fc91a31a3be7b968ecbfe46aa47d9b373c98eab4496ccac1b8
Opcode Fuzzy Hash: 5677792864fe45bdc268785d9597099847739f1deb3667fcf7ff9c3a9c7030cf
Instruction Fuzzy Hash: E9419234A00209EBCF12DF68C8C5A9FBBB5BF44325F158155E925AB3A2D735EA05CBD0

Function 0037C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0037C913

Strings

stop, xrefs: 0037C8E4
question, xrefs: 0037C8CC
blank, xrefs: 0037C895
info, xrefs: 0037C8B4
warning, xrefs: 0037C8FC

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: b8c7ece9b42f42046677da230bc8180965a367bab7961570aa99e3d85792e2bd
Instruction ID: 39f66283681286dcbd79efe0b84d92b5529d267bbd28b03dcf84dab5c8b309af
Opcode Fuzzy Hash: b8c7ece9b42f42046677da230bc8180965a367bab7961570aa99e3d85792e2bd
Instruction Fuzzy Hash: 92110D3269930ABAE7135B54AC83CEA679CDF16354F11502FF608A6282D7796D005365

Function 0037DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0037DE42
gethostname.WSOCK32(?,00000100), ref: 0037DE5C
gethostbyname.WSOCK32(?), ref: 0037DE69
inet_ntoa.WSOCK32(?), ref: 0037DEAB
_strcat.LIBCMT ref: 0037DEB9
WSACleanup.WSOCK32 ref: 0037DEDE

Strings

0.0.0.0, xrefs: 0037DE87

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: b11ffa0cb3433dea763a8fb4613b8ee9a22250eb779921b16d8fa7efb4846f42
Instruction ID: 848eb7de30d4107532ece559c9a5faecf48be81136e62e1f0262d8c2f85f0da0
Opcode Fuzzy Hash: b11ffa0cb3433dea763a8fb4613b8ee9a22250eb779921b16d8fa7efb4846f42
Instruction Fuzzy Hash: 9A110631904114AFDB37AB60DC4AEEE77BCDF15711F014169F449AA091EF799A818A90

Function 0037ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0037ED2A
_wcslen.LIBCMT ref: 0037ED3B
_wcslen.LIBCMT ref: 0037ED79
_wcslen.LIBCMT ref: 0037EDAF
_wcslen.LIBCMT ref: 0037EDDF
_wcslen.LIBCMT ref: 0037EDEF
_wcslen.LIBCMT ref: 0037EE2B
_wcslen.LIBCMT ref: 0037EE5A

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 56bcc976600a830ed19da45162c9cef838ae35e416cc77fb3d0d7f2932d9117e
Instruction ID: 4ca75ce00e959fcc92bb15df232174a8cd15b65959d9ab9542302445b560aa98
Opcode Fuzzy Hash: 56bcc976600a830ed19da45162c9cef838ae35e416cc77fb3d0d7f2932d9117e
Instruction Fuzzy Hash: D1418665C1111875CB23EBF488CAACF77A8AF49710F508962F518E7522FB38E255C3E5

Function 0032F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0036682C,00000004,00000000,00000000), ref: 0032F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0036682C,00000004,00000000,00000000), ref: 0036F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0036682C,00000004,00000000,00000000), ref: 0036F454

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: ef48511f586ba84103c554bec76b8faac1a72f22d0e198c548b3072c2274b1d1
Instruction ID: 276f54d1f227dd425832ecde16e335d5e401024626c37e180203ebd4d6bea740
Opcode Fuzzy Hash: ef48511f586ba84103c554bec76b8faac1a72f22d0e198c548b3072c2274b1d1
Instruction Fuzzy Hash: D8413E31608690BEC73B9B2DF88872A7BF9AF57314F15853CE04756A65D732A8C0CB51

Function 003A2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 003A2D1B
GetDC.USER32(00000000), ref: 003A2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 003A2D2E
ReleaseDC.USER32(00000000,00000000), ref: 003A2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 003A2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 003A2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,003A5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 003A2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 003A2DE1

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: c5470441022d08901e1127d1912b9a5a82936ec3faa9452578a96351ef0a0bcb
Instruction ID: 3cc283c23c4db994cffed34ca467cfc6dc98b2bc00c7f59a26f143195e42a9b4
Opcode Fuzzy Hash: c5470441022d08901e1127d1912b9a5a82936ec3faa9452578a96351ef0a0bcb
Instruction Fuzzy Hash: 77318E72211214BFEB128F54CC8AFEB3FADEF0A715F084055FE089A2A1C6759C50CBA4

Function 00375622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00375637
_memcmp.LIBVCRUNTIME ref: 00375659
_memcmp.LIBVCRUNTIME ref: 00375671
_memcmp.LIBVCRUNTIME ref: 00375684
_memcmp.LIBVCRUNTIME ref: 0037569E
_memcmp.LIBVCRUNTIME ref: 003756B1
_memcmp.LIBVCRUNTIME ref: 003756C9
_memcmp.LIBVCRUNTIME ref: 003756E4

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e2de278fd0ae2529d6f8bf3f9165d50a3afb95e36a842e4b20204c19837bd703
Instruction ID: 0aa5d85636d68dea035a485b1883c4cc2dbce511f9437f61849a569aef761ace
Opcode Fuzzy Hash: e2de278fd0ae2529d6f8bf3f9165d50a3afb95e36a842e4b20204c19837bd703
Instruction Fuzzy Hash: AB21C965641A097BD62F55218DC2FFA335CEF213A5F448024FD0C9EA81FBA9EE10C1E5

Function 00394FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0039502E, 00395383
Not an Object type, xrefs: 00395007

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: acfdb415fb488578fb36de9ed4836c7ad82bcf2383c4934e242bacc07f075fff
Instruction ID: 9415d20797a0df83cd092b292889465f6df79499a7778873b348a819a08a3707
Opcode Fuzzy Hash: acfdb415fb488578fb36de9ed4836c7ad82bcf2383c4934e242bacc07f075fff
Instruction Fuzzy Hash: F4D1C275A0060A9FDF12CFA8C881FAEB7B5FF48344F158469E915AB281E770DD85CB90

Function 00351522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,003517FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 003515CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,003517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00351651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,003517FB,?,003517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 003516E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,003517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 003516FB

Part of subcall function 00343820: RtlAllocateHeap.NTDLL(00000000,?,003E1444,?,0032FDF5,?,?,0031A976,00000010,003E1440,003113FC,?,003113C6,?,00311129), ref: 00343852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,003517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00351777
__freea.LIBCMT ref: 003517A2
__freea.LIBCMT ref: 003517AE

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 6bcc74c318f6a4ea598061f2f0fe5f172ff3b3c56f2c122c9196230ae6d96a0c
Instruction ID: bce1a18e6f6a18c81261f6a5678c8017f0b6ecb667bde467e1bce8a60c2e0888
Opcode Fuzzy Hash: 6bcc74c318f6a4ea598061f2f0fe5f172ff3b3c56f2c122c9196230ae6d96a0c
Instruction Fuzzy Hash: 5A91B771E102169ADF228E74C881FEE7BF99F4A311F194659EC01EB161E735DD48C760

Function 00394523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00394648
VariantInit.OLEAUT32(?), ref: 00394749
VariantClear.OLEAUT32(?), ref: 00394753
VariantClear.OLEAUT32(?), ref: 003947B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 003945D8, 00394706, 003947BE
Incorrect Object type in FOR..IN loop, xrefs: 0039472C

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 6cb40cd5b271e69ee7a6e9bb588d7b7b390dd9dbf294aa2034b363b67969f1f1
Instruction ID: 5ffb0e917ac9a2e8df5af16eb01f7b4a151064bf944f6bb42dff792243bd1eb1
Opcode Fuzzy Hash: 6cb40cd5b271e69ee7a6e9bb588d7b7b390dd9dbf294aa2034b363b67969f1f1
Instruction Fuzzy Hash: CC91DF71A00219AFDF26CFA4DC84FAEBBB8EF46714F118559F515AB280D7709942CFA0

Function 00381187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0038125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00381284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 003812A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003812D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0038135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003813C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00381430

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 88b6d679fcf235ff4b75c56ed3694bcaf461412bf1ac2cc439bff809c9fd7f84
Instruction ID: a2d2bd829243b6210d4720c67533b5c575ce41116b6e74af672275805d6a34c9
Opcode Fuzzy Hash: 88b6d679fcf235ff4b75c56ed3694bcaf461412bf1ac2cc439bff809c9fd7f84
Instruction Fuzzy Hash: 11910275A003189FDB02EFA5C885BBEB7BDFF45311F2144A9E900EB291D774A946CB90

Function 0032948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 4fc2245ff6cf2956701cd54b3847e24f6ad24b4a9b20831fb31d561d7c0835e6
Instruction ID: 9f8c9a141f52edbc7715a635a4439b8169086196aee05907bf59da6d41265dfd
Opcode Fuzzy Hash: 4fc2245ff6cf2956701cd54b3847e24f6ad24b4a9b20831fb31d561d7c0835e6
Instruction Fuzzy Hash: 74915A71E00219EFCB12CFA9DC84AEEBBB8FF49320F248556E515B7251D374A941CBA0

Function 00393947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0039396B
CharUpperBuffW.USER32(?,?), ref: 00393A7A
_wcslen.LIBCMT ref: 00393A8A
VariantClear.OLEAUT32(?), ref: 00393C1F

Part of subcall function 00380CDF: VariantInit.OLEAUT32(00000000), ref: 00380D1F
Part of subcall function 00380CDF: VariantCopy.OLEAUT32(?,?), ref: 00380D28
Part of subcall function 00380CDF: VariantClear.OLEAUT32(?), ref: 00380D34

Strings

Incorrect Parameter format, xrefs: 003939A6, 00393BA1
AUTOIT.ERROR, xrefs: 00393A80, 00393A85

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 88229b09c349c12095ef0ec278bcdd2ed85f6a9b7f83b58bf5dcdc65c1a026eb
Instruction ID: 2948180dc5c82a814d402213f7c183f6bd58aa69a2bd75d65270526b7eec3f36
Opcode Fuzzy Hash: 88229b09c349c12095ef0ec278bcdd2ed85f6a9b7f83b58bf5dcdc65c1a026eb
Instruction Fuzzy Hash: 61917AB56083059FCB15EF28C48096AB7E5FF89314F14886EF8899B351DB30EE45CB92

Function 00394BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0037000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0036FF41,80070057,?,?,?,0037035E), ref: 0037002B
Part of subcall function 0037000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0036FF41,80070057,?,?), ref: 00370046
Part of subcall function 0037000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0036FF41,80070057,?,?), ref: 00370054
Part of subcall function 0037000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0036FF41,80070057,?), ref: 00370064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00394C51
_wcslen.LIBCMT ref: 00394D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00394DCF
CoTaskMemFree.OLE32(?), ref: 00394DDA

Strings

NULL Pointer assignment, xrefs: 00394E23, 00394E52

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 87f25bb7fca9677a0c0293d96d968a0fb168f992b5c4c4c65325a0bcd1b424de
Instruction ID: 82a0a6a888c8d4ec163e0cc11fa054072778ad520e6530cb186587795ab6da98
Opcode Fuzzy Hash: 87f25bb7fca9677a0c0293d96d968a0fb168f992b5c4c4c65325a0bcd1b424de
Instruction Fuzzy Hash: 66911971D0021DAFDF16DFA4D891EEEB7B8BF08314F10816AE919AB251DB349A45CF60

Function 003A20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 003A2183
GetMenuItemCount.USER32(00000000), ref: 003A21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 003A21DD
_wcslen.LIBCMT ref: 003A2213
GetMenuItemID.USER32(?,?), ref: 003A224D
GetSubMenu.USER32(?,?), ref: 003A225B

Part of subcall function 00373A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00373A57
Part of subcall function 00373A3D: GetCurrentThreadId.KERNEL32 ref: 00373A5E
Part of subcall function 00373A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003725B3), ref: 00373A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 003A22E3

Part of subcall function 0037E97B: Sleep.KERNELBASE ref: 0037E9F3

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 9367d5e3ff3055d130e75a4e59eb5bd72e5109cfb405c4db7f3b126cddaecc18
Instruction ID: 11785bc89545238f62ef4df1d945fc194875c4d8891c7bbc3cd91b64e69c9590
Opcode Fuzzy Hash: 9367d5e3ff3055d130e75a4e59eb5bd72e5109cfb405c4db7f3b126cddaecc18
Instruction Fuzzy Hash: 0671AE35E00205AFCB16DF68C885AAEB7F5EF4A310F158869E816EB351DB34ED418B90

Function 0037AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0037AEF9
GetKeyboardState.USER32(?), ref: 0037AF0E
SetKeyboardState.USER32(?), ref: 0037AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0037AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0037AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0037AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0037B020

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 8d1f663d9dd214c9344414dd104e805976d4e35087f6e058fe34fa0cb2deeb1d
Instruction ID: 8033748475277e10b266cacdf13e4f90de1032faf9dd9fa0223805141bad055f
Opcode Fuzzy Hash: 8d1f663d9dd214c9344414dd104e805976d4e35087f6e058fe34fa0cb2deeb1d
Instruction Fuzzy Hash: EA51C1A0608BD53DFB3782348C45BBEBEA95B46304F09C589E1DD998D3C39CA8C8D751

Function 0037ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0037AD19
GetKeyboardState.USER32(?), ref: 0037AD2E
SetKeyboardState.USER32(?), ref: 0037AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0037ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0037ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0037AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0037AE38

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 781b798a80e7bf418df587b3673d98b05150660bca51391275588b69b66ac91d
Instruction ID: d96feb643019a4a92d66b58b5b88541b055ba69e38c36c04de773f2610a87887
Opcode Fuzzy Hash: 781b798a80e7bf418df587b3673d98b05150660bca51391275588b69b66ac91d
Instruction Fuzzy Hash: 0C51C5A1504BD53DFB3783248C95BBEBEA95B86300F09C589E1DD4ACC2D298EC84E752

Function 0034542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00353CD6,?,?,?,?,?,?,?,?,00345BA3,?,?,00353CD6,?,?), ref: 00345470
__fassign.LIBCMT ref: 003454EB
__fassign.LIBCMT ref: 00345506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00353CD6,00000005,00000000,00000000), ref: 0034552C
WriteFile.KERNEL32(?,00353CD6,00000000,00345BA3,00000000,?,?,?,?,?,?,?,?,?,00345BA3,?), ref: 0034554B
WriteFile.KERNEL32(?,?,00000001,00345BA3,00000000,?,?,?,?,?,?,?,?,?,00345BA3,?), ref: 00345584

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 576060c0391efed49ec2fe26d2a1137c1f5a69119bf767cee60a8025e9ad21ab
Instruction ID: 6ffc90bcb73c0149ed2512cc1caac314f3f514ab83c24c8941f00e274866f657
Opcode Fuzzy Hash: 576060c0391efed49ec2fe26d2a1137c1f5a69119bf767cee60a8025e9ad21ab
Instruction Fuzzy Hash: 2151DA71E006459FDB12CFA8D885AEEBBF9EF09300F14415AF556EB292D730EA41CB60

Function 003910B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0039304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0039307A
Part of subcall function 0039304E: _wcslen.LIBCMT ref: 0039309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00391112
WSAGetLastError.WSOCK32 ref: 00391121
WSAGetLastError.WSOCK32 ref: 003911C9
closesocket.WSOCK32(00000000), ref: 003911F9

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: ef9cfde24b0c5ff1e649ec4c21c18a86b0f36053f9719f500fc9c80568107b83
Instruction ID: db489137c2c9cf77f121beba70e8b19020a7fdf3428d64d8fa846730ce669b2c
Opcode Fuzzy Hash: ef9cfde24b0c5ff1e649ec4c21c18a86b0f36053f9719f500fc9c80568107b83
Instruction Fuzzy Hash: 4E41F231600205AFDB129F14C885BAABBEDFF45324F148059F916AF291C774ED81CBA0

Function 0037CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0037DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0037CF22,?), ref: 0037DDFD

Part of subcall function 0037DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0037CF22,?), ref: 0037DE16

lstrcmpiW.KERNEL32(?,?), ref: 0037CF45
MoveFileW.KERNEL32(?,?), ref: 0037CF7F
_wcslen.LIBCMT ref: 0037D005
_wcslen.LIBCMT ref: 0037D01B
SHFileOperationW.SHELL32(?), ref: 0037D061

Strings

\*.*, xrefs: 0037CFF3

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 436368028deb9f2250e11a0eaf0d6a8eced10b9a4190030a06a9d4c40e7508d7
Instruction ID: 249fb4ef1859c40d490b16882fed49eecda91a82323dd7144d7a7e74ec4e1e69
Opcode Fuzzy Hash: 436368028deb9f2250e11a0eaf0d6a8eced10b9a4190030a06a9d4c40e7508d7
Instruction Fuzzy Hash: 964156719452185FDF27EFA4C981BDEB7BCAF09380F0050EAE509EB141EB38A684CB50

Function 003A2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 003A2E1C
GetWindowLongW.USER32(?,000000F0), ref: 003A2E4F
GetWindowLongW.USER32(?,000000F0), ref: 003A2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 003A2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 003A2EE0
GetWindowLongW.USER32(?,000000F0), ref: 003A2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 003A2F0B

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 3d45cc20f5b105990761f5dbea5501f5db778089d44a71a36354300ebabdbc88
Instruction ID: d274d429bea3cd7026f82145e9844d278191401c9fc906ee39a554c346ced8dd
Opcode Fuzzy Hash: 3d45cc20f5b105990761f5dbea5501f5db778089d44a71a36354300ebabdbc88
Instruction Fuzzy Hash: E131E331645290AFDB22CF5CDC84F6677E9EB9A710F1A1164F9458F2B2CB71AC80DB81

Function 00377726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00377769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0037778F
SysAllocString.OLEAUT32(00000000), ref: 00377792
SysAllocString.OLEAUT32(?), ref: 003777B0
SysFreeString.OLEAUT32(?), ref: 003777B9
StringFromGUID2.OLE32(?,?,00000028), ref: 003777DE
SysAllocString.OLEAUT32(?), ref: 003777EC

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 54650dec37e86b7efeecde5469eaf463338364dd8a491732f090afbf363151b1
Instruction ID: 80452065c314c4baab8e0fb9b0384b3ce5d698c23d1ee028d482b346a336483c
Opcode Fuzzy Hash: 54650dec37e86b7efeecde5469eaf463338364dd8a491732f090afbf363151b1
Instruction Fuzzy Hash: F521C176604219AFDF26EFA8DC88CBB77ECEB09764B018025FA18DB150D678DC42C764

Function 003777FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00377842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00377868
SysAllocString.OLEAUT32(00000000), ref: 0037786B
SysAllocString.OLEAUT32 ref: 0037788C
SysFreeString.OLEAUT32 ref: 00377895
StringFromGUID2.OLE32(?,?,00000028), ref: 003778AF
SysAllocString.OLEAUT32(?), ref: 003778BD

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: be13756d7fba7ba85e2928fbcf5e4c2b5eb6aac944eee733e2691d4bd48a4f02
Instruction ID: cbe62b32c2c1126ee86efa13d43ef13249898d0619c8dad76af9248e40e1ba3b
Opcode Fuzzy Hash: be13756d7fba7ba85e2928fbcf5e4c2b5eb6aac944eee733e2691d4bd48a4f02
Instruction Fuzzy Hash: 8D219231604114BFDB229FA8DC8DDBA77ECEB09760B118125F919CB2A1D678DC41CB65

Function 003804D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 003804F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0038052E

Strings

nul, xrefs: 00380567

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 11fcf00f335c4201125611b534d4bbaccb8899aaa7a1a575f3a2089508ba172f
Instruction ID: f9496aa905aa850d0b84b009e29781a789b7e7a3a66a01e0ddcb2f958c20dad0
Opcode Fuzzy Hash: 11fcf00f335c4201125611b534d4bbaccb8899aaa7a1a575f3a2089508ba172f
Instruction Fuzzy Hash: E5218D75604305AFDF66AF29DC04A9A77E8AF46724F204A59F8A1E62E0D7709948CF30

Function 003805A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 003805C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00380601

Strings

nul, xrefs: 00380639

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: cc6e931550db51e6744893e69358e490d4c325bebcff45cec3524e23747821d6
Instruction ID: 0d51bc098537156491060a821f4f8d537bc82c9004f4a7d407c3cf69c9b563f1
Opcode Fuzzy Hash: cc6e931550db51e6744893e69358e490d4c325bebcff45cec3524e23747821d6
Instruction Fuzzy Hash: 892181755003059FDB66AF69DC04A9A77E8FF95720F200B59F8B1E72E0E7B09964CB20

Function 003A40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0031600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0031604C
Part of subcall function 0031600E: GetStockObject.GDI32(00000011), ref: 00316060
Part of subcall function 0031600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0031606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 003A4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 003A411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 003A412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 003A4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 003A4145

Strings

Msctls_Progress32, xrefs: 003A40E3

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: a331980ab599dc6c107113c5625a9517a9a4ea398c41c1bd8475496b76c9ed57
Instruction ID: bf92ef92986be9c1ae7278464dead3a530ea8925ffd520157329b7d0a039d90d
Opcode Fuzzy Hash: a331980ab599dc6c107113c5625a9517a9a4ea398c41c1bd8475496b76c9ed57
Instruction Fuzzy Hash: 701186B21502197EEF129F64CC85EE77F5DEF09798F014111F618A6150C6729C61DBA4

Function 0034D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0034D7A3: _free.LIBCMT ref: 0034D7CC

_free.LIBCMT ref: 0034D82D

Part of subcall function 003429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0034D7D1,00000000,00000000,00000000,00000000,?,0034D7F8,00000000,00000007,00000000,?,0034DBF5,00000000), ref: 003429DE
Part of subcall function 003429C8: GetLastError.KERNEL32(00000000,?,0034D7D1,00000000,00000000,00000000,00000000,?,0034D7F8,00000000,00000007,00000000,?,0034DBF5,00000000,00000000), ref: 003429F0

_free.LIBCMT ref: 0034D838
_free.LIBCMT ref: 0034D843
_free.LIBCMT ref: 0034D897
_free.LIBCMT ref: 0034D8A2
_free.LIBCMT ref: 0034D8AD
_free.LIBCMT ref: 0034D8B8

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 37ca7f8112f71bc9b53cca9a64b8ba15ab77d107309a7493c827c86788d66c6a
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: D311FE71541B04ABEA23BFB1CC47FCB7FDCAF05700F804825B299AE692DB76B5158660

Function 0037DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0037DA74
LoadStringW.USER32(00000000), ref: 0037DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0037DA91
LoadStringW.USER32(00000000), ref: 0037DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0037DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0037DAB9

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 49917c9edaa606f9f72419bcd69ed9db4fdcd19feb091e832a7a7fb46d298874
Instruction ID: 3fb2a7a70f6fa29c08c16f89f5213c7fe42bbdaff3de18faab0ec4416092e55f
Opcode Fuzzy Hash: 49917c9edaa606f9f72419bcd69ed9db4fdcd19feb091e832a7a7fb46d298874
Instruction Fuzzy Hash: 0C0186F69102087FE752DBA49D89EE7337CEB09301F405496F74AE2041EA749E844F74

Function 0038096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00CAEBD0,00CAEBD0), ref: 0038097B
EnterCriticalSection.KERNEL32(00CAEBB0,00000000), ref: 0038098D
TerminateThread.KERNEL32(?,000001F6), ref: 0038099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 003809A9
CloseHandle.KERNEL32(?), ref: 003809B8
InterlockedExchange.KERNEL32(00CAEBD0,000001F6), ref: 003809C8
LeaveCriticalSection.KERNEL32(00CAEBB0), ref: 003809CF

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: ae055fdac832c652f0c3687539f956e32b432c75989e88def6066dca8a5d3cf0
Instruction ID: 67ff55ff74b21d1c9d49be40962298fb3235257c92861f5174b657ab5cee1d0a
Opcode Fuzzy Hash: ae055fdac832c652f0c3687539f956e32b432c75989e88def6066dca8a5d3cf0
Instruction Fuzzy Hash: 83F03131552602BBDB475F94EE8CBD67B39FF02702F402415F101508B0CB749465CF90

Function 00391C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00391DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00391DE1
WSAGetLastError.WSOCK32 ref: 00391DF2
htons.WSOCK32(?,?,?,?,?), ref: 00391EDB
inet_ntoa.WSOCK32(?), ref: 00391E8C

Part of subcall function 003739E8: _strlen.LIBCMT ref: 003739F2

Part of subcall function 00393224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0038EC0C), ref: 00393240

_strlen.LIBCMT ref: 00391F35

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 76e8309fafc102392cbb0cc041264d0982acd78abe9a16f962ac98491a7d9864
Instruction ID: 4a4041a7077fd3fdc4e203e9e391e7649057a024cec4898352ed93a37fbbc215
Opcode Fuzzy Hash: 76e8309fafc102392cbb0cc041264d0982acd78abe9a16f962ac98491a7d9864
Instruction Fuzzy Hash: F7B10431204301AFC72ADF24C885E6AB7E5AF85318F55894CF4566F2E2DB31ED42CB91

Function 00315D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00315D30
GetWindowRect.USER32(?,?), ref: 00315D71
ScreenToClient.USER32(?,?), ref: 00315D99
GetClientRect.USER32(?,?), ref: 00315ED7
GetWindowRect.USER32(?,?), ref: 00315EF8

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 88167593cda60d749958dc92a24b6b444a18e42794f4872199af86499d3ad947
Instruction ID: 687cefc758d6a0809d7607a6a93973f7e576652c78c55a03d10fdafd39c40f7a
Opcode Fuzzy Hash: 88167593cda60d749958dc92a24b6b444a18e42794f4872199af86499d3ad947
Instruction Fuzzy Hash: B4B18C34A0074ADBDB19CFA9C440BEEB7F5FF58310F14941AE8A9D7650D730AA91DB50

Function 003401B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 003400BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003400D6
__allrem.LIBCMT ref: 003400ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0034010B
__allrem.LIBCMT ref: 00340122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00340140

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: a47e604d2aba9e65b2803f220fc7028ef7fd942a5dbc0c70af93b9ed3ccbe132
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: AB811875B007069FE726AE38CC81B6BB3E8AF41724F25463AF951DF691E770E9008B50

Function 003461FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,003382D9,003382D9,?,?,?,0034644F,00000001,00000001,8BE85006), ref: 00346258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0034644F,00000001,00000001,8BE85006,?,?,?), ref: 003462DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 003463D8
__freea.LIBCMT ref: 003463E5

Part of subcall function 00343820: RtlAllocateHeap.NTDLL(00000000,?,003E1444,?,0032FDF5,?,?,0031A976,00000010,003E1440,003113FC,?,003113C6,?,00311129), ref: 00343852

__freea.LIBCMT ref: 003463EE
__freea.LIBCMT ref: 00346413

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 9a3bf86fd6d7c7264359e9d5201354498ed834dd199f17cb771382e9d0938f57
Instruction ID: 1b52ecb773cf204e6876e131949c37378604c9a6bff5168a47d2b470ea830e7b
Opcode Fuzzy Hash: 9a3bf86fd6d7c7264359e9d5201354498ed834dd199f17cb771382e9d0938f57
Instruction Fuzzy Hash: 4B51E172600256ABDB278F64CC82EAF77E9EB46710F164669FC05DF1A0DB34EC40C6A1

Function 0039BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00319CB3: _wcslen.LIBCMT ref: 00319CBD

Part of subcall function 0039C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0039B6AE,?,?), ref: 0039C9B5
Part of subcall function 0039C998: _wcslen.LIBCMT ref: 0039C9F1
Part of subcall function 0039C998: _wcslen.LIBCMT ref: 0039CA68
Part of subcall function 0039C998: _wcslen.LIBCMT ref: 0039CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0039BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0039BD25
RegCloseKey.ADVAPI32(00000000), ref: 0039BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0039BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0039BDF3
RegCloseKey.ADVAPI32(?), ref: 0039BDFF

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: a4d308a8de6e5a8f39a816c151bd4abec0753772622ca8e1e6966048ab454b76
Instruction ID: 17783fb155fbafc2bef0f238ef4f9938171e1503f1e84b89b477ddd57a4fcc5e
Opcode Fuzzy Hash: a4d308a8de6e5a8f39a816c151bd4abec0753772622ca8e1e6966048ab454b76
Instruction Fuzzy Hash: D481C130208241EFCB16DF24D995E6ABBE9FF85308F14855CF4594B2A2DB31ED45CB92

Function 0036F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0036F7B9
SysAllocString.OLEAUT32(00000001), ref: 0036F860
VariantCopy.OLEAUT32(0036FA64,00000000), ref: 0036F889
VariantClear.OLEAUT32(0036FA64), ref: 0036F8AD
VariantCopy.OLEAUT32(0036FA64,00000000), ref: 0036F8B1
VariantClear.OLEAUT32(?), ref: 0036F8BB

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: e1a775a63560e2cca6c2574fae9d5a948a7fa29104c07065f28f33d78ddc1eba
Instruction ID: d3266666cf62fc6001aa705de872bd423ee997609ea2d9e2c31adb5d451bf6e6
Opcode Fuzzy Hash: e1a775a63560e2cca6c2574fae9d5a948a7fa29104c07065f28f33d78ddc1eba
Instruction Fuzzy Hash: D451B631610310BECF16AB66E895B69B3E9EF49310F24D467E905DF299DB708C40CB56

Function 0038910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00317620: _wcslen.LIBCMT ref: 00317625

Part of subcall function 00316B57: _wcslen.LIBCMT ref: 00316B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 003894E5
_wcslen.LIBCMT ref: 00389506
_wcslen.LIBCMT ref: 0038952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00389585

Strings

X, xrefs: 00389412

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 25ff3bf90ba683bbe2a2052ac8ac880bc93ca6e62b2ebe5ebd891b2308ce3aec
Instruction ID: ec993424c41632df6c0ba22957239826a81fdc514cb69505cd514b9db836bf4b
Opcode Fuzzy Hash: 25ff3bf90ba683bbe2a2052ac8ac880bc93ca6e62b2ebe5ebd891b2308ce3aec
Instruction Fuzzy Hash: 53E1B631504300DFC716EF24C881BAAB7E5BF89314F1989AEF8999B2A1DB31DD45CB91

Function 0032920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00329BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00329BB2

BeginPaint.USER32(?,?,?), ref: 00329241
GetWindowRect.USER32(?,?), ref: 003292A5
ScreenToClient.USER32(?,?), ref: 003292C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 003292D3
EndPaint.USER32(?,?,?,?,?), ref: 00329321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 003671EA

Part of subcall function 00329339: BeginPath.GDI32(00000000), ref: 00329357

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: ae9549984efebd867e75da1632f670ae8f932893cc3838f32bf46d4541071281
Instruction ID: 7b9e3d87eb4504d6a2e47ae57c1a29ebc3e06d4a0967a152dfedaa1899c6faa7
Opcode Fuzzy Hash: ae9549984efebd867e75da1632f670ae8f932893cc3838f32bf46d4541071281
Instruction Fuzzy Hash: 4E41B231104310AFD722DF25DC84FBA7BBCEB4A724F14062AF9948B2E2C7319845DB61

Function 003807EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0038080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00380847
EnterCriticalSection.KERNEL32(?), ref: 00380863
LeaveCriticalSection.KERNEL32(?), ref: 003808DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 003808F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00380921

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 325ddb8e73d4adddbbd77a3d0c2629d70fac3e77681e49e156758455327dacda
Instruction ID: d0378aa5fb95d12d72e4d30508282c34293e6dd70d89b4c4c333780b22fc75e5
Opcode Fuzzy Hash: 325ddb8e73d4adddbbd77a3d0c2629d70fac3e77681e49e156758455327dacda
Instruction Fuzzy Hash: 87414C71A00205EFDF16AF54DC85A6AB778FF05310F1540A9ED00AE296D730DE55DBA0

Function 003A81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0036F3AB,00000000,?,?,00000000,?,0036682C,00000004,00000000,00000000), ref: 003A824C
EnableWindow.USER32(?,00000000), ref: 003A8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 003A82D1
ShowWindow.USER32(?,00000004), ref: 003A82E5
EnableWindow.USER32(?,00000001), ref: 003A830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 003A832F

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: d5db8c31fc30e1a12413067f7b2623851f0ec581047100390700f68e1fbbff9d
Instruction ID: ec6947bf2337505dd910e8695a9e22b4e8dddf150a29ddb89497c2b4888c6ea5
Opcode Fuzzy Hash: d5db8c31fc30e1a12413067f7b2623851f0ec581047100390700f68e1fbbff9d
Instruction Fuzzy Hash: 1C418038601644EFDF27CF15D899BA47BF4FB0B714F1952A9E6484F2A2CB31A851CB90

Function 00374C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00374C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00374CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00374CEA
_wcslen.LIBCMT ref: 00374D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00374D10
_wcsstr.LIBVCRUNTIME ref: 00374D1A

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 3f7f4d0e758860bc2e34d9388c307af7600182f0e7f791d3b751903187e61665
Instruction ID: a691cd891e489e9bd3c4155da78c35ec689b67eaa78c43d28ee8494f1ba13b62
Opcode Fuzzy Hash: 3f7f4d0e758860bc2e34d9388c307af7600182f0e7f791d3b751903187e61665
Instruction Fuzzy Hash: 5F21DA31204115BBEB379B39AC45E7BBBACDF46750F158079F809CA162EB65EC0096A0

Function 0038581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00313AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00313A97,?,?,00312E7F,?,?,?,00000000), ref: 00313AC2

_wcslen.LIBCMT ref: 0038587B
CoInitialize.OLE32(00000000), ref: 00385995
CoCreateInstance.OLE32(003AFCF8,00000000,00000001,003AFB68,?), ref: 003859AE
CoUninitialize.OLE32 ref: 003859CC

Strings

.lnk, xrefs: 00385876, 003858C1, 00385985

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 48d25542c5b3aaae93b7807021ea767039ab4a69b8ab5b6731072a8b2edc19b2
Instruction ID: ae4cb3e50489c58f211d00b3502c38c141b8ba52e29302e0549ef7f5a8c88095
Opcode Fuzzy Hash: 48d25542c5b3aaae93b7807021ea767039ab4a69b8ab5b6731072a8b2edc19b2
Instruction Fuzzy Hash: B9D154756087019FC71AEF24C480A6ABBF6EF89710F154899F88A9B361D731EC45CB92

Function 0037175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00370FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00370FCA
Part of subcall function 00370FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00370FD6
Part of subcall function 00370FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00370FE5
Part of subcall function 00370FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00370FEC
Part of subcall function 00370FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00371002

GetLengthSid.ADVAPI32(?,00000000,00371335), ref: 003717AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 003717BA
HeapAlloc.KERNEL32(00000000), ref: 003717C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 003717DA
GetProcessHeap.KERNEL32(00000000,00000000,00371335), ref: 003717EE
HeapFree.KERNEL32(00000000), ref: 003717F5

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: b142ea5cadd9dbcac33438bfa5c1ff590436712c29a0102b80ae6154c107be98
Instruction ID: 752637d315e3a0c01a5e8cb63086a71d3b8920405eaa6dccee89bdb6a78deca9
Opcode Fuzzy Hash: b142ea5cadd9dbcac33438bfa5c1ff590436712c29a0102b80ae6154c107be98
Instruction Fuzzy Hash: C3118E72610205FFDB3A9FA8CC49BAE7BADEB46355F118018F44597210D73AA944CB60

Function 003714CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 003714FF
OpenProcessToken.ADVAPI32(00000000), ref: 00371506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00371515
CloseHandle.KERNEL32(00000004), ref: 00371520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0037154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00371563

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 5ed4c9480f32e652d499e6fcb7bee7cc6a2a54c4a3743365289d499a8b1e76c1
Instruction ID: 789414152e6d3f79e99ec4baa81defc6784ce0562dbb384eb2b0db66684a1b49
Opcode Fuzzy Hash: 5ed4c9480f32e652d499e6fcb7bee7cc6a2a54c4a3743365289d499a8b1e76c1
Instruction Fuzzy Hash: AB112976500209AFDF22CF98DD49BDE7BADEF49754F058015FA09A2160C37ACE64DB60

Function 00333382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00333379,00332FE5), ref: 00333390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0033339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 003333B7
SetLastError.KERNEL32(00000000,?,00333379,00332FE5), ref: 00333409

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 389740da68659384c949ae5dcbb3ee5685be6c591344ed68247c52de4bcfc9a8
Instruction ID: 47ce30c2bf293c721f3c6b101635ce2ec070579f7ee67110e9f8efa63043937a
Opcode Fuzzy Hash: 389740da68659384c949ae5dcbb3ee5685be6c591344ed68247c52de4bcfc9a8
Instruction Fuzzy Hash: 9E01F73772E312BEEA2727757CC66676B9CEB05379F20C22AF410892F0EF218E019544

Function 00342D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00345686,00353CD6,?,00000000,?,00345B6A,?,?,?,?,?,0033E6D1,?,003D8A48), ref: 00342D78
_free.LIBCMT ref: 00342DAB
_free.LIBCMT ref: 00342DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0033E6D1,?,003D8A48,00000010,00314F4A,?,?,00000000,00353CD6), ref: 00342DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0033E6D1,?,003D8A48,00000010,00314F4A,?,?,00000000,00353CD6), ref: 00342DEC
_abort.LIBCMT ref: 00342DF2

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 965b2e46585a4cf37595c6c29df7248cacacde4c9953405a98399eac47b8ce08
Instruction ID: d19e96f6f37617ba6b8873e13c3924e8967385e3d77c8e7c3d459caf3679daa1
Opcode Fuzzy Hash: 965b2e46585a4cf37595c6c29df7248cacacde4c9953405a98399eac47b8ce08
Instruction Fuzzy Hash: E0F02835915A0127C6132339BC0AF5F26DDAFC37A0F660419F834BE1D2EF74B8014120

Function 003A8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00329639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00329693
Part of subcall function 00329639: SelectObject.GDI32(?,00000000), ref: 003296A2
Part of subcall function 00329639: BeginPath.GDI32(?), ref: 003296B9
Part of subcall function 00329639: SelectObject.GDI32(?,00000000), ref: 003296E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 003A8A4E
LineTo.GDI32(?,00000003,00000000), ref: 003A8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 003A8A70
LineTo.GDI32(?,00000000,00000003), ref: 003A8A80
EndPath.GDI32(?), ref: 003A8A90
StrokePath.GDI32(?), ref: 003A8AA0

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 5421802770ed7af75bc3ca1a27e617f331b8f0ab59359228ec8bbc2715ef0cb3
Instruction ID: 4ae814c02089ffe51fe223107bd4bcbfba053223d29f4d47621e189453a97344
Opcode Fuzzy Hash: 5421802770ed7af75bc3ca1a27e617f331b8f0ab59359228ec8bbc2715ef0cb3
Instruction Fuzzy Hash: 5A11C57600015DFFEB129F94DC88EAA7FADEB09354F048022BA199A1A1C7719D55DBA0

Function 003751FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00375218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00375229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00375230
ReleaseDC.USER32(00000000,00000000), ref: 00375238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0037524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00375261

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 0d8088b64d736da37de79c5c00d7767738d1fe750b475ee0dfba5e9affbbfacc
Instruction ID: 028e223e7c74bdf7323614dcafcd55d45ac978caa66d6c27c1b98d37eb6e0997
Opcode Fuzzy Hash: 0d8088b64d736da37de79c5c00d7767738d1fe750b475ee0dfba5e9affbbfacc
Instruction Fuzzy Hash: 49014F75A01718BBEB119BA59C49B5EBFB8EB49751F048465FA04AB291D6709C00CBA0

Function 00311BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00311BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00311BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00311C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00311C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00311C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00311C22

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: a382cc1d4e4583cf4d2a4eba85750cba009e5c5a72f34d08f6095248960b68d0
Instruction ID: f94ecce3626866135b9bf36e766db532f0c097127c1896eed1194ba14c720be7
Opcode Fuzzy Hash: a382cc1d4e4583cf4d2a4eba85750cba009e5c5a72f34d08f6095248960b68d0
Instruction Fuzzy Hash: F30167B0902B5ABDE3008F6A8C85B52FFE8FF19354F04411BA15C4BA42C7F5A864CBE5

Function 0037EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0037EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0037EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0037EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0037EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0037EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0037EB75

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 2b5d0d959466103ad937cc5a3e67780bd0e8f8ad80c75a87983cf27299bbfd35
Instruction ID: e04f6571d41286cddd3284f0b8895d4775ac555bdee261ab53834bbd30cea7af
Opcode Fuzzy Hash: 2b5d0d959466103ad937cc5a3e67780bd0e8f8ad80c75a87983cf27299bbfd35
Instruction Fuzzy Hash: 16F05E72250158BBE7229B629C0EEEF7E7CEFCBB11F005159F601D11A1EBA45A01C6B5

Function 00367439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00367452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00367469
GetWindowDC.USER32(?), ref: 00367475
GetPixel.GDI32(00000000,?,?), ref: 00367484
ReleaseDC.USER32(?,00000000), ref: 00367496
GetSysColor.USER32(00000005), ref: 003674B0

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 0d134a223547765feefebec5b2dca32785f2f249cf80cd801ad3710143b91760
Instruction ID: 97d47c52057a2a16e6025ad3c7809ed0e8913f75b337f5a1c6b3ccebf8768361
Opcode Fuzzy Hash: 0d134a223547765feefebec5b2dca32785f2f249cf80cd801ad3710143b91760
Instruction Fuzzy Hash: 5A018631410215EFEB139FA5DD08BEABBBAFB06321F655160F926A21B0CF311E41EB50

Function 00371874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0037187F
UnloadUserProfile.USERENV(?,?), ref: 0037188B
CloseHandle.KERNEL32(?), ref: 00371894
CloseHandle.KERNEL32(?), ref: 0037189C
GetProcessHeap.KERNEL32(00000000,?), ref: 003718A5
HeapFree.KERNEL32(00000000), ref: 003718AC

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: ecf87efe7bd7584d920859b41a7598b8cf4a53cc58f01c53118889c21ead365b
Instruction ID: 382451c9fe54c3e4cfd5324eecf06adf4d18239385e7936c6e90879c3d9e1192
Opcode Fuzzy Hash: ecf87efe7bd7584d920859b41a7598b8cf4a53cc58f01c53118889c21ead365b
Instruction Fuzzy Hash: E8E0C236214101BBDA025BA1ED0C90ABB6DFB4BB22B109220F225810B0CB369421DF50

Function 0031BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0031BEB3

Strings

D%>D%>, xrefs: 0031BCA5
D%>, xrefs: 0031BE9A
D%>, xrefs: 0031BCA2
D%>, xrefs: 0031BDED, 0031BD91, 0031BD1B

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%>$D%>$D%>$D%>D%>
API String ID: 1385522511-3314971793
Opcode ID: 8e39cd025203555edb02d22d442dfcaf7644d17aa372e93fd72f3770cd8828f7
Instruction ID: 26949a4f4d4347c99426c8ebc3e58dcfd9456f0faabf98359b27b4f1c697cf60
Opcode Fuzzy Hash: 8e39cd025203555edb02d22d442dfcaf7644d17aa372e93fd72f3770cd8828f7
Instruction Fuzzy Hash: C3912475A0020ACFCB19CF59D0906EAFBB5FF5D310F25816AD946AB390E731A981CBD0

Function 00397B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00330242: EnterCriticalSection.KERNEL32(003E070C,003E1884,?,?,0032198B,003E2518,?,?,?,003112F9,00000000), ref: 0033024D
Part of subcall function 00330242: LeaveCriticalSection.KERNEL32(003E070C,?,0032198B,003E2518,?,?,?,003112F9,00000000), ref: 0033028A

Part of subcall function 00319CB3: _wcslen.LIBCMT ref: 00319CBD

Part of subcall function 003300A3: __onexit.LIBCMT ref: 003300A9

__Init_thread_footer.LIBCMT ref: 00397BFB

Part of subcall function 003301F8: EnterCriticalSection.KERNEL32(003E070C,?,?,00328747,003E2514), ref: 00330202
Part of subcall function 003301F8: LeaveCriticalSection.KERNEL32(003E070C,?,00328747,003E2514), ref: 00330235

Strings

5, xrefs: 00397C78
+T6, xrefs: 00397E2E
Variable must be of type 'Object'., xrefs: 00397C3A
G, xrefs: 00397C7F

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +T6$5$G$Variable must be of type 'Object'.
API String ID: 535116098-1547236106
Opcode ID: f254eec09ca370208c2b5be7065132442af7bb0579c9c4a69bbcd28db2979acc
Instruction ID: 9816ea1ce9b1547a2438f84cb173540810dac1c8bde6061e25710b5aa71a69e1
Opcode Fuzzy Hash: f254eec09ca370208c2b5be7065132442af7bb0579c9c4a69bbcd28db2979acc
Instruction Fuzzy Hash: 1C918C74A14209EFCF16EF54D891DADB7B5FF49300F148059F8069B292DB71AE81CB51

Function 0037C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00317620: _wcslen.LIBCMT ref: 00317625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0037C6EE
_wcslen.LIBCMT ref: 0037C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0037C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0037C7CA

Strings

0, xrefs: 0037C6AF

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: f13995fb4ae85cac947bd169783c93daea06bb6f3918c14407a30ee18ba1485f
Instruction ID: 7014097682c613182bdf5636cf6257ea30e735341f3f5f32a876b3fee9569795
Opcode Fuzzy Hash: f13995fb4ae85cac947bd169783c93daea06bb6f3918c14407a30ee18ba1485f
Instruction Fuzzy Hash: 7E51F3716243809FC72B9F28C885B6B77E8AF49310F04AA2DF599E71D1DB78D804CB52

Function 0039AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0039AEA3

Part of subcall function 00317620: _wcslen.LIBCMT ref: 00317625

GetProcessId.KERNEL32(00000000), ref: 0039AF38
CloseHandle.KERNEL32(00000000), ref: 0039AF67

Strings

@, xrefs: 0039AE72
<, xrefs: 0039AE6B

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: d8b15e38d6fbb837373cc3e04f1fc3812f98e1805ec0ade8a99520fd96f96b75
Instruction ID: b2aaffabf03a468c5dc8c3efa0c36b1aac724cb5bbf2db9a68a4f9972a81f6d8
Opcode Fuzzy Hash: d8b15e38d6fbb837373cc3e04f1fc3812f98e1805ec0ade8a99520fd96f96b75
Instruction Fuzzy Hash: B2715575A00619DFCF16EF54C494A9EBBF1BF08310F058599E816AB292CB74ED81CB91

Function 0037719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00377206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0037723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0037724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 003772CF

Strings

DllGetClassObject, xrefs: 00377242

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: f431f34ff75480920b75c460d67ca2c645adcd1e978208763a33228493810aee
Instruction ID: 4fbf2a3afdad673e0acfc9569c4c93501e0f7402d90d10233470b1c75b9cd430
Opcode Fuzzy Hash: f431f34ff75480920b75c460d67ca2c645adcd1e978208763a33228493810aee
Instruction Fuzzy Hash: FD416D71A04204EFDB26CF54C884A9A7BB9EF45310F15C4A9FD19DF20AD7B9D944CBA0

Function 003A3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003A3E35
IsMenu.USER32(?), ref: 003A3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 003A3E92
DrawMenuBar.USER32 ref: 003A3EA5

Strings

0, xrefs: 003A3D89

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 9603a2b61bb574d66b9e8993e3a93560b96cd7e996144ff137de1867bb5a1aa1
Instruction ID: c65d28dfc3e0828c92fe6f52e6dcb8f88bbf0a6381f3092fd029767f07578ef6
Opcode Fuzzy Hash: 9603a2b61bb574d66b9e8993e3a93560b96cd7e996144ff137de1867bb5a1aa1
Instruction Fuzzy Hash: 86413876A11209EFDB12DF50D884EEABBB9FF4A355F05412AF905AB250D730AE44CF90

Function 00371DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00319CB3: _wcslen.LIBCMT ref: 00319CBD

Part of subcall function 00373CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00373CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00371E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00371E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00371EA9

Part of subcall function 00316B57: _wcslen.LIBCMT ref: 00316B6A

Strings

ListBox, xrefs: 00371E25
ComboBox, xrefs: 00371DF0

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 8a3bfe7083d3b070d4f369d1d4a0621aa14a041c378ec683ccad8d9b5cf10012
Instruction ID: 8fade57a9119d70eb6585e0dae2023dfe6f1b2571a6c64474121d9c9513a9d53
Opcode Fuzzy Hash: 8a3bfe7083d3b070d4f369d1d4a0621aa14a041c378ec683ccad8d9b5cf10012
Instruction Fuzzy Hash: 07214972A00104BEDB2BABA8DC56DFFB7BCDF46350B14811AF859AB5E0DB3849458660

Function 003A2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 003A2F8D
LoadLibraryW.KERNEL32(?), ref: 003A2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 003A2FA9
DestroyWindow.USER32(?), ref: 003A2FB1

Strings

SysAnimate32, xrefs: 003A2F68

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 5e7cf5307b9c2c9310cf66c3e6f13a65ac12bb24b05a9890b6bc3ae272c16914
Instruction ID: d0ee9329eb0742eee729a1a5b4438d76032f8d6fe1557d3fb277501ffa065890
Opcode Fuzzy Hash: 5e7cf5307b9c2c9310cf66c3e6f13a65ac12bb24b05a9890b6bc3ae272c16914
Instruction Fuzzy Hash: E721FD72204209AFEF128FA8DC84FBB77BDEB5A364F110218F910D61A0D731DC819760

Function 00334D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00334D1E,003428E9,?,00334CBE,003428E9,003D88B8,0000000C,00334E15,003428E9,00000002), ref: 00334D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00334DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00334D1E,003428E9,?,00334CBE,003428E9,003D88B8,0000000C,00334E15,003428E9,00000002,00000000), ref: 00334DC3

Strings

CorExitProcess, xrefs: 00334D98
mscoree.dll, xrefs: 00334D86

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: fbee2ac513caa28404f3a1f7781f7f3041504aa32400056055242d4ee0b8b30c
Instruction ID: f4a7ada99ffae214ff254f82fdfedc581494288d18dfbf81810a05c959481e47
Opcode Fuzzy Hash: fbee2ac513caa28404f3a1f7781f7f3041504aa32400056055242d4ee0b8b30c
Instruction Fuzzy Hash: 3CF04F34A50208BBDB169F94DC89BEEBFF9EF44752F0101A4F906A2261CF74AD40CA90

Function 0036D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0036D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0036D3BF
FreeLibrary.KERNEL32(00000000), ref: 0036D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0036D3B9
X64, xrefs: 0036D2A8

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 031bb0b12a75cfe644797d95ea1f8ffb7a885a143be722111dd6b11bbf795c29
Instruction ID: 2d61bcd8b16efb4f0f3db61b0a456ef1f186b93c6268acbb072bece59d5bc6a8
Opcode Fuzzy Hash: 031bb0b12a75cfe644797d95ea1f8ffb7a885a143be722111dd6b11bbf795c29
Instruction Fuzzy Hash: 67F0557DF05A708FC73317218C28969772CAF02701F66D555F443E665CDB60CC408682

Function 00314E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00314EDD,?,003E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00314E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00314EAE
FreeLibrary.KERNEL32(00000000,?,?,00314EDD,?,003E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00314EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00314EA8
kernel32.dll, xrefs: 00314E94

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 95512b85e3b6b07a979e37ab02ee23ccdb991990653c1ed37dd4225f2a71a6c5
Instruction ID: 7ff543e299d58cfc0816ee12a94d8e4c5db83d46acb1bfd241ed3caa0ae577f8
Opcode Fuzzy Hash: 95512b85e3b6b07a979e37ab02ee23ccdb991990653c1ed37dd4225f2a71a6c5
Instruction Fuzzy Hash: A1E0C236B126225BD2371B25BC18BEFA69CEF87F62F060115FC05E2200DB60CD4284B1

Function 00314E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00353CDE,?,003E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00314E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00314E74
FreeLibrary.KERNEL32(00000000,?,?,00353CDE,?,003E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00314E87

Strings

kernel32.dll, xrefs: 00314E5B
Wow64RevertWow64FsRedirection, xrefs: 00314E6E

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: db31c36b15a52160c17d7f7c255a6b76690f13ef73890c29212bbd2bfbbc5bec
Instruction ID: f317d0486092c98161376f4413cc37eae33aa5b299ab3a5a37a47aa9639bad79
Opcode Fuzzy Hash: db31c36b15a52160c17d7f7c255a6b76690f13ef73890c29212bbd2bfbbc5bec
Instruction Fuzzy Hash: E4D012366126225756271B257C18DCB6A1CEF8BB517061615F905A2114CF61CD4285F0

Function 00382947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00382C05
DeleteFileW.KERNEL32(?), ref: 00382C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00382C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00382CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00382CC0

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 8fe87903943dc2c55c458cd8aaf8796a8ef939109a4faacb8ed9c2f7e584adea
Instruction ID: e92697616ff179945c53346cf50eead851fedb637cede971d5c3588be4373122
Opcode Fuzzy Hash: 8fe87903943dc2c55c458cd8aaf8796a8ef939109a4faacb8ed9c2f7e584adea
Instruction Fuzzy Hash: A7B15E72D01219ABDF16EBA4CC85EEFB7BDEF49310F1040A6F509EA151EB319A448F61

Function 0039A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0039A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0039A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0039A468
CloseHandle.KERNEL32(?), ref: 0039A63D

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: aed4caa9882d930baa4a83cb0070baa46eed3ca0a8e28f154421f80a59227b6e
Instruction ID: 8d22512483b1f1f5c87fa21f014d6575e121135b80e74c73f24f17c63ab29140
Opcode Fuzzy Hash: aed4caa9882d930baa4a83cb0070baa46eed3ca0a8e28f154421f80a59227b6e
Instruction Fuzzy Hash: A6A1B0716047009FDB25DF24D886F2AB7E5AF88714F15891CF99A9B2D2DB70EC41CB82

Function 0034BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,003B3700), ref: 0034BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,003E121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0034BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,003E1270,000000FF,?,0000003F,00000000,?), ref: 0034BC36
_free.LIBCMT ref: 0034BB7F

Part of subcall function 003429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0034D7D1,00000000,00000000,00000000,00000000,?,0034D7F8,00000000,00000007,00000000,?,0034DBF5,00000000), ref: 003429DE
Part of subcall function 003429C8: GetLastError.KERNEL32(00000000,?,0034D7D1,00000000,00000000,00000000,00000000,?,0034D7F8,00000000,00000007,00000000,?,0034DBF5,00000000,00000000), ref: 003429F0

_free.LIBCMT ref: 0034BD4B

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 9bd83e4bd93c52717d94338357b101d1c52b524927d04c04a33f741b7a5ed21a
Instruction ID: 3e4ae887b3a2b9688f341415718704e95179bd5095ccd7c573a3161dcdf83349
Opcode Fuzzy Hash: 9bd83e4bd93c52717d94338357b101d1c52b524927d04c04a33f741b7a5ed21a
Instruction Fuzzy Hash: 5B51B271900219ABCB27EF659CC19AEF7FCEB41310F11066AE554EF1A1EB30EE418B90

Function 0037E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0037DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0037CF22,?), ref: 0037DDFD

Part of subcall function 0037DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0037CF22,?), ref: 0037DE16

Part of subcall function 0037E199: GetFileAttributesW.KERNEL32(?,0037CF95), ref: 0037E19A

lstrcmpiW.KERNEL32(?,?), ref: 0037E473
MoveFileW.KERNEL32(?,?), ref: 0037E4AC
_wcslen.LIBCMT ref: 0037E5EB
_wcslen.LIBCMT ref: 0037E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0037E650

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: bcd5db1f4e81dafee12aad6100a8e3556018b2d95ac0986643fd975d6bc999da
Instruction ID: d7bd76ae43c35978c3178f73837bc70ae39ed63cc895c293e1c30e0da243bdb0
Opcode Fuzzy Hash: bcd5db1f4e81dafee12aad6100a8e3556018b2d95ac0986643fd975d6bc999da
Instruction Fuzzy Hash: B65185B24083459BC736DB90DC91ADF73ECAF89340F00495EF689D7151EF78A5888B66

Function 0039B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00319CB3: _wcslen.LIBCMT ref: 00319CBD

Part of subcall function 0039C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0039B6AE,?,?), ref: 0039C9B5
Part of subcall function 0039C998: _wcslen.LIBCMT ref: 0039C9F1
Part of subcall function 0039C998: _wcslen.LIBCMT ref: 0039CA68
Part of subcall function 0039C998: _wcslen.LIBCMT ref: 0039CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0039BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0039BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0039BB63
RegCloseKey.ADVAPI32(?,?), ref: 0039BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0039BBB3

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: ea843f44d6743854318fe6c83f800c99db3c29ef1858de6beb7ceae477cf66ea
Instruction ID: b670391c56359a9f06eff0a2fadbc255b30c8791c79852d987c3e788085eaea3
Opcode Fuzzy Hash: ea843f44d6743854318fe6c83f800c99db3c29ef1858de6beb7ceae477cf66ea
Instruction Fuzzy Hash: 1461A031208241AFD71ADF14C590E6AFBE9FF84308F15859DF4998B2A2DB31ED45CB92

Function 00378BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00378BCD
VariantClear.OLEAUT32 ref: 00378C3E
VariantClear.OLEAUT32 ref: 00378C9D
VariantClear.OLEAUT32(?), ref: 00378D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00378D3B

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 2c72f19076164cd395abf33237172877dfc98dc623f91534d889d7856b808a09
Instruction ID: a11845ac98891a9bbcba4a63fe4c43cc897c113f31924ca04c78481cfcc2a683
Opcode Fuzzy Hash: 2c72f19076164cd395abf33237172877dfc98dc623f91534d889d7856b808a09
Instruction Fuzzy Hash: F65169B5A00219EFCB25CF68C894AAAB7F8FF8D314F158559E909DB350E734E911CB90

Function 00388AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00388BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00388BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00388C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00388C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00388C5F

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: f0fa974fdab580e4bdba7bd4c8416b2328155e6f8e85b4b9f8a8ae74436ae627
Instruction ID: 6367c4866a03106b159da853d27a77a1eb08ddc099865455b0098b118598b61e
Opcode Fuzzy Hash: f0fa974fdab580e4bdba7bd4c8416b2328155e6f8e85b4b9f8a8ae74436ae627
Instruction Fuzzy Hash: F8513C35A002159FCB16EF64C881AADBBF5FF49314F098498E849AF362DB35ED51CB90

Function 00398EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00398F40
GetProcAddress.KERNEL32(00000000,?), ref: 00398FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00398FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00399032
FreeLibrary.KERNEL32(00000000), ref: 00399052

Part of subcall function 0032F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00381043,?,7529E610), ref: 0032F6E6
Part of subcall function 0032F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0036FA64,00000000,00000000,?,?,00381043,?,7529E610,?,0036FA64), ref: 0032F70D

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: ed652674ed386bca77447133e01c0faf037c07d47aa6e431087e73dac1810c0f
Instruction ID: da528a1de6d0dc55825a77616d04315947985ee0310fab3e6c4d54507a7e6eb7
Opcode Fuzzy Hash: ed652674ed386bca77447133e01c0faf037c07d47aa6e431087e73dac1810c0f
Instruction Fuzzy Hash: 9B513935604205DFCB16DF58C4949ADBBF1FF4A314B0980A9E81A9F762DB31ED86CB90

Function 003A6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 003A6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 003A6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 003A6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0038AB79,00000000,00000000), ref: 003A6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 003A6CC7

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 5db333845e7fe5464fca242eb061961bd4c1a60126213d5023976f2f8f8f4416
Instruction ID: c503a68f67a64bbaf55df0ce00d79db85fe9ad063b12625e19bf4323659857a6
Opcode Fuzzy Hash: 5db333845e7fe5464fca242eb061961bd4c1a60126213d5023976f2f8f8f4416
Instruction Fuzzy Hash: 2541EA35604104AFD726DF38CC56FA97BA9EB0B360F1A0228F855A72E1C771ED41C650

Function 00342051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 003420C3
_free.LIBCMT ref: 003420E3

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 69c4b249dc5d1709a41593422a044b050af699eee0ac39a24f3547999b3f137e
Instruction ID: 94b995ba599be5ee327f641fd6092034e3060238542de04ec95af1fe678f3a3d
Opcode Fuzzy Hash: 69c4b249dc5d1709a41593422a044b050af699eee0ac39a24f3547999b3f137e
Instruction Fuzzy Hash: 0A41AD32A002009FDB26DF68C881A5EB7E5EF89714F5645A9F615EF296DA31BD01CB80

Function 0032912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00329141
ScreenToClient.USER32(00000000,?), ref: 0032915E
GetAsyncKeyState.USER32(00000001), ref: 00329183
GetAsyncKeyState.USER32(00000002), ref: 0032919D

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 00c5dadc2806eee8f7314bd5f49455525dd2ae9d9045db95fa8316416b9f5704
Instruction ID: 42e7e3f441ef98509741929f927b259eeb647514b3f9581041b1afd39c6d8450
Opcode Fuzzy Hash: 00c5dadc2806eee8f7314bd5f49455525dd2ae9d9045db95fa8316416b9f5704
Instruction Fuzzy Hash: 0341617190861AFBDF169F69D848BEEB774FF06324F208216E425A72D4C7346950CF91

Function 00383874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 003838CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00383922
TranslateMessage.USER32(?), ref: 0038394B
DispatchMessageW.USER32(?), ref: 00383955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00383966

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: a3431724edc9250a4b3d779543ddc35396b92f4ce7194d4259d4f6de56d1aa81
Instruction ID: 073d22d4087f451eb6c282895ead08ecd71159f5a2d62d91124d52e634c8598a
Opcode Fuzzy Hash: a3431724edc9250a4b3d779543ddc35396b92f4ce7194d4259d4f6de56d1aa81
Instruction Fuzzy Hash: 6131E7719043859EEB37EB35D848BB637ACEB06700F0506EDE466872E0E7F49A85CB11

Function 0038CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0038C21E,00000000), ref: 0038CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0038CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0038C21E,00000000), ref: 0038CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0038C21E,00000000), ref: 0038CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0038C21E,00000000), ref: 0038CFF2

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 699e53442ce4ee88441d8416e595d7a557615faca675ec5683843ec1cd942c64
Instruction ID: d18602e79a351f7474f8919ec46c92e8d4c72590b256c5450c056efe4e426235
Opcode Fuzzy Hash: 699e53442ce4ee88441d8416e595d7a557615faca675ec5683843ec1cd942c64
Instruction Fuzzy Hash: 93318E71524305EFEB22EFA5D884AABBBFDEB04310F1054AEF606D6141DB30AE40DB60

Function 00371901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00371915
PostMessageW.USER32(00000001,00000201,00000001), ref: 003719C1
Sleep.KERNEL32(00000000,?,?,?), ref: 003719C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 003719DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 003719E2

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 569cee0300770646de4031bedbf009ee4ae2a9a0f5a340226b1be786f20e86f2
Instruction ID: c281247dba546e31943b562ba6e6f9b3397a0abfcda0cc01aa0e7af360eb8961
Opcode Fuzzy Hash: 569cee0300770646de4031bedbf009ee4ae2a9a0f5a340226b1be786f20e86f2
Instruction Fuzzy Hash: 8531F672A00219EFCB11CFACCD98ADE7BB5EB06314F008225FA25A72D0C3749D45CB90

Function 003A5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 003A5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 003A579D
_wcslen.LIBCMT ref: 003A57AF
_wcslen.LIBCMT ref: 003A57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 003A5816

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 6172f6e2bce5f13056dac6ce38c5bfc064ac5da1862c2edcf2fbe541ca6c7133
Instruction ID: ae2f5021788fecca69a59ee2f3bf0c1f8fa444c693f40725eb75586349f6c48d
Opcode Fuzzy Hash: 6172f6e2bce5f13056dac6ce38c5bfc064ac5da1862c2edcf2fbe541ca6c7133
Instruction Fuzzy Hash: B4218271904618DADB229FA1CC85AEEB7BCFF06724F108216F929EA1C0D7719985CF50

Function 00390930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00390951
GetForegroundWindow.USER32 ref: 00390968
GetDC.USER32(00000000), ref: 003909A4
GetPixel.GDI32(00000000,?,00000003), ref: 003909B0
ReleaseDC.USER32(00000000,00000003), ref: 003909E8

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 48308a26688dea3bd12a7052cdd0131db5f26a411b46a3cc7c00815a2e1f72f7
Instruction ID: 7215b9532e2f8e575736b5ec04b9a8940ab8182a9ca91739b6f77a3a6248354b
Opcode Fuzzy Hash: 48308a26688dea3bd12a7052cdd0131db5f26a411b46a3cc7c00815a2e1f72f7
Instruction Fuzzy Hash: B7219335600204AFDB05EF65C984AAEBBF9EF49700F048468F84AEB762DB30AC44CB50

Function 0034CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0034CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0034CDE9

Part of subcall function 00343820: RtlAllocateHeap.NTDLL(00000000,?,003E1444,?,0032FDF5,?,?,0031A976,00000010,003E1440,003113FC,?,003113C6,?,00311129), ref: 00343852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0034CE0F
_free.LIBCMT ref: 0034CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0034CE31

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: dcc0ad4b5f5509e8d4056caae4b8b242fa860d4b97c3cf2215aa4a571f8420f7
Instruction ID: fa92117d372f62cf7f67669c041b5e95ea4da123affbe14931c7b5000486b185
Opcode Fuzzy Hash: dcc0ad4b5f5509e8d4056caae4b8b242fa860d4b97c3cf2215aa4a571f8420f7
Instruction Fuzzy Hash: 1D01D8726132157F676316B66C48C7B69EDDEC7BA23151129F905CF100DF619D0191B0

Function 00329639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00329693
SelectObject.GDI32(?,00000000), ref: 003296A2
BeginPath.GDI32(?), ref: 003296B9
SelectObject.GDI32(?,00000000), ref: 003296E2

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 4ef680ab67512aa88c6eedc3505784bf002f65b1a751c65dc9649ca449931588
Instruction ID: c69c109554d5ca4bc8ed45e1f80686326318098b77fbebad973b2a4269b2ce4d
Opcode Fuzzy Hash: 4ef680ab67512aa88c6eedc3505784bf002f65b1a751c65dc9649ca449931588
Instruction Fuzzy Hash: C7217C31812359EFDB239F24EC98BA93BACBB01325F114316F410AA1E2D3749891CFD0

Function 00375711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00375726
_memcmp.LIBVCRUNTIME ref: 00375744
_memcmp.LIBVCRUNTIME ref: 00375757
_memcmp.LIBVCRUNTIME ref: 0037576F
_memcmp.LIBVCRUNTIME ref: 00375787

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: de4f8549b0532f513c03cf5dc2327a3022b217f1e60dd121543e050600bc9ef5
Instruction ID: d8b53cf822ea6bb3e2f054f2aec621bc952fbe455b9131284af82ca2d64a01d2
Opcode Fuzzy Hash: de4f8549b0532f513c03cf5dc2327a3022b217f1e60dd121543e050600bc9ef5
Instruction Fuzzy Hash: E30192A5641A49BEE22E55119DC2FFA635CDB363A4F008020FD089E641F7A5ED1082A0

Function 00342DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0033F2DE,00343863,003E1444,?,0032FDF5,?,?,0031A976,00000010,003E1440,003113FC,?,003113C6), ref: 00342DFD
_free.LIBCMT ref: 00342E32
_free.LIBCMT ref: 00342E59
SetLastError.KERNEL32(00000000,00311129), ref: 00342E66
SetLastError.KERNEL32(00000000,00311129), ref: 00342E6F

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 4e91447bb4bfa00285bcb77cfa53b0645d4984ea54cbe6a94d825264e6b45009
Instruction ID: 344926ae3d85f0245be9dfd4c1496c15a687798cce030645f7c70507c9398cd9
Opcode Fuzzy Hash: 4e91447bb4bfa00285bcb77cfa53b0645d4984ea54cbe6a94d825264e6b45009
Instruction Fuzzy Hash: 6401F436255A0177CA1367356C85D2B26EDABD23A1BE60429F421FE2E2EF74EC818120

Function 0037000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0036FF41,80070057,?,?,?,0037035E), ref: 0037002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0036FF41,80070057,?,?), ref: 00370046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0036FF41,80070057,?,?), ref: 00370054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0036FF41,80070057,?), ref: 00370064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0036FF41,80070057,?,?), ref: 00370070

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 3fe1afe8e63e8575f4654efb57d1859d5fea6de491d33eb87405614ec6bc9480
Instruction ID: cc52d9045a7d2f8db66d3e2f4b9a7b7c0bca12182f01e113af9afacc2e38855c
Opcode Fuzzy Hash: 3fe1afe8e63e8575f4654efb57d1859d5fea6de491d33eb87405614ec6bc9480
Instruction Fuzzy Hash: 7001AD76610204FFDB264F68DC04BAE7AEDEF447A2F149128F909D2210EB79DD409BA0

Function 003710F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00371114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00370B9B,?,?,?), ref: 00371120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00370B9B,?,?,?), ref: 0037112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00370B9B,?,?,?), ref: 00371136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0037114D

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: b8b61a2d00a3c2903edc0f61805dec3c6ba87b2358eddbe4d672442e745b0b7d
Instruction ID: 4fea2da1b2e5ee7805c032ae5af1b79bc1351d48f465fcbe1d0b2efabfa97050
Opcode Fuzzy Hash: b8b61a2d00a3c2903edc0f61805dec3c6ba87b2358eddbe4d672442e745b0b7d
Instruction Fuzzy Hash: A501197A210205BFDB124FA9DC49A6A3B6EEF8A3A0F614419FA45D7360DA35DD009A60

Function 00370FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00370FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00370FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00370FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00370FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00371002

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 55405dad586e4a55f89dd03163e5d55393e038cc29d35a88921e579c6f436479
Instruction ID: d6586cf50a1766d7735fcab3af0f6d943582baab38c13940e348c05f2f4028bc
Opcode Fuzzy Hash: 55405dad586e4a55f89dd03163e5d55393e038cc29d35a88921e579c6f436479
Instruction Fuzzy Hash: B7F06D3A210305FBDB224FA8DC4DF563BADEF8A762F114414FA49C7291DE74DC508A60

Function 00371014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0037102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00371036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00371045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0037104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00371062

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 420f5da810eec55532fa2c2c629a6bcbed3de27661534cf477c1bb69eaaf05b0
Instruction ID: ca4f4f468b7497f8547a809d15190714618daa2a9114aaded53ce12eb4f2d4d9
Opcode Fuzzy Hash: 420f5da810eec55532fa2c2c629a6bcbed3de27661534cf477c1bb69eaaf05b0
Instruction Fuzzy Hash: 80F06D3A220301FBDB235FA8EC49F563BADEF8A761F114414FA49C7290DE74D8508A60

Function 0038030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0038017D,?,003832FC,?,00000001,00352592,?), ref: 00380324
CloseHandle.KERNEL32(?,?,?,?,0038017D,?,003832FC,?,00000001,00352592,?), ref: 00380331
CloseHandle.KERNEL32(?,?,?,?,0038017D,?,003832FC,?,00000001,00352592,?), ref: 0038033E
CloseHandle.KERNEL32(?,?,?,?,0038017D,?,003832FC,?,00000001,00352592,?), ref: 0038034B
CloseHandle.KERNEL32(?,?,?,?,0038017D,?,003832FC,?,00000001,00352592,?), ref: 00380358
CloseHandle.KERNEL32(?,?,?,?,0038017D,?,003832FC,?,00000001,00352592,?), ref: 00380365

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 20d0dbd0e27555fd8a657ba5cadb9c038a4bf94147720e9951afe829a2210ff5
Instruction ID: d3ebd845975b41114ae673e7f97886529fe311448051857b6def2cc6b7babb9c
Opcode Fuzzy Hash: 20d0dbd0e27555fd8a657ba5cadb9c038a4bf94147720e9951afe829a2210ff5
Instruction Fuzzy Hash: 2401EE7A800B01DFCB32AF66D880802FBF9BF603053068A3FD19252930C3B0A948CF80

Function 0034D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0034D752

Part of subcall function 003429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0034D7D1,00000000,00000000,00000000,00000000,?,0034D7F8,00000000,00000007,00000000,?,0034DBF5,00000000), ref: 003429DE
Part of subcall function 003429C8: GetLastError.KERNEL32(00000000,?,0034D7D1,00000000,00000000,00000000,00000000,?,0034D7F8,00000000,00000007,00000000,?,0034DBF5,00000000,00000000), ref: 003429F0

_free.LIBCMT ref: 0034D764
_free.LIBCMT ref: 0034D776
_free.LIBCMT ref: 0034D788
_free.LIBCMT ref: 0034D79A

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6e84ca78e4f4150f1309d7e760b1f7aec0d368b1fe58ba5d90679a27d8bd316f
Instruction ID: bfc399fa151fc00e77d954de4c8ca2113cc107b2283395900fadc8dc12f74d00
Opcode Fuzzy Hash: 6e84ca78e4f4150f1309d7e760b1f7aec0d368b1fe58ba5d90679a27d8bd316f
Instruction Fuzzy Hash: 5EF0F932565205AB9663EF69F9C6C1B7BDDBB45710BE61806F048EF512CB30FC908A64

Function 00375C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00375C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00375C6F
MessageBeep.USER32(00000000), ref: 00375C87
KillTimer.USER32(?,0000040A), ref: 00375CA3
EndDialog.USER32(?,00000001), ref: 00375CBD

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: a83f8a9f0f0e71fae5bd20c73249c5046730a83f660a2cae2be909e40d7a3054
Instruction ID: c9ebd927354fb8538181687e1eca54f3fcab966aa0d0bac5a6dd4450a95fafb6
Opcode Fuzzy Hash: a83f8a9f0f0e71fae5bd20c73249c5046730a83f660a2cae2be909e40d7a3054
Instruction Fuzzy Hash: 5901D130500B04ABEB3B9B10DD4EFA677FCBB01B01F085159A187A14F0DBF8A9848A90

Function 003422A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 003422BE

Part of subcall function 003429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0034D7D1,00000000,00000000,00000000,00000000,?,0034D7F8,00000000,00000007,00000000,?,0034DBF5,00000000), ref: 003429DE
Part of subcall function 003429C8: GetLastError.KERNEL32(00000000,?,0034D7D1,00000000,00000000,00000000,00000000,?,0034D7F8,00000000,00000007,00000000,?,0034DBF5,00000000,00000000), ref: 003429F0

_free.LIBCMT ref: 003422D0
_free.LIBCMT ref: 003422E3
_free.LIBCMT ref: 003422F4
_free.LIBCMT ref: 00342305

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8fdbb322f06dfde38f21bb553127ccc978adf2d33b3e340159c52a5367d3525a
Instruction ID: 4b4e15e568040e832d305fc2c66ba0443fc7fe953fa817ce60b6971befc8522d
Opcode Fuzzy Hash: 8fdbb322f06dfde38f21bb553127ccc978adf2d33b3e340159c52a5367d3525a
Instruction Fuzzy Hash: 9FF030754211919B9A37AF55BC8180E3BACF719760F851B07F410FE2F1C7712862EBA5

Function 003295C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 003295D4
StrokeAndFillPath.GDI32(?,?,003671F7,00000000,?,?,?), ref: 003295F0
SelectObject.GDI32(?,00000000), ref: 00329603
DeleteObject.GDI32 ref: 00329616
StrokePath.GDI32(?), ref: 00329631

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 7255c6bc76c077b3bd5a91fe74633b36ce586e76979517fb08138347769dd7e8
Instruction ID: 7074139d1cbdf71fa6de2ccd4f5978a2817c40ea32c41f2b77e8a9fe8a87516b
Opcode Fuzzy Hash: 7255c6bc76c077b3bd5a91fe74633b36ce586e76979517fb08138347769dd7e8
Instruction Fuzzy Hash: B0F03C31025248EBDB279F65ED5C7643BA9AB02332F148315F425590F2CB348991DFA0

Function 00340F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 003410F9
__freea.LIBCMT ref: 00341117

Part of subcall function 00341537: _free.LIBCMT ref: 0034154F

Strings

a/p, xrefs: 003411DE
am/pm, xrefs: 0034117A

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 6ba5ae864a4279f82cc43aea1137d5d40fd17f66f03f84df2afaa9da4818b051
Instruction ID: bf7c583f7b891471ac42ef4eee9a754e3054924169e711d811009e0b3c6bea4d
Opcode Fuzzy Hash: 6ba5ae864a4279f82cc43aea1137d5d40fd17f66f03f84df2afaa9da4818b051
Instruction Fuzzy Hash: F2D1F239A10A06CACB2B9F68C895BFAB7F4EF05700F294159E9119FA50D375BDC0CB91

Function 003961D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00330242: EnterCriticalSection.KERNEL32(003E070C,003E1884,?,?,0032198B,003E2518,?,?,?,003112F9,00000000), ref: 0033024D
Part of subcall function 00330242: LeaveCriticalSection.KERNEL32(003E070C,?,0032198B,003E2518,?,?,?,003112F9,00000000), ref: 0033028A

Part of subcall function 003300A3: __onexit.LIBCMT ref: 003300A9

__Init_thread_footer.LIBCMT ref: 00396238

Part of subcall function 003301F8: EnterCriticalSection.KERNEL32(003E070C,?,?,00328747,003E2514), ref: 00330202
Part of subcall function 003301F8: LeaveCriticalSection.KERNEL32(003E070C,?,00328747,003E2514), ref: 00330235

Part of subcall function 0038359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 003835E4
Part of subcall function 0038359C: LoadStringW.USER32(003E2390,?,00000FFF,?), ref: 0038360A

Strings

x#>, xrefs: 00396353
x#>, xrefs: 0039636F
x#>, xrefs: 0039633A

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#>$x#>$x#>
API String ID: 1072379062-1511475485
Opcode ID: e47fec2297713c6d0d5311955a54fde8a2eae4749ae3fbe2d48dfd7897533036
Instruction ID: ba98356126d880781d6ff5495e550f8a767f885ff49e5ab1c3c8c32d6ee15d8c
Opcode Fuzzy Hash: e47fec2297713c6d0d5311955a54fde8a2eae4749ae3fbe2d48dfd7897533036
Instruction Fuzzy Hash: A3C18C71A00209AFCF16DF98C892EBEB7B9EF49300F158469F9459B291DB70ED45CB90

Function 00345AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JO1, xrefs: 00345BA8, 00345C6C

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID:
String ID: JO1
API String ID: 0-2759033588
Opcode ID: 2146230a9eaf7b62b23404a319ccf445576f14dbd0b860c3a8a5c2183cebd64b
Instruction ID: dcf9730d97d1e190e43b0b6ae0685283ebce23e197b33ecde0f3f75ed0b17d1c
Opcode Fuzzy Hash: 2146230a9eaf7b62b23404a319ccf445576f14dbd0b860c3a8a5c2183cebd64b
Instruction Fuzzy Hash: 7D519C75E00609AFCB239FA5C885BAEBBF8EF05310F15015AF405AF292D671AE018B61

Function 00348A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00348B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00348B7A
__dosmaperr.LIBCMT ref: 00348B81

Strings

.3, xrefs: 00348A63

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .3
API String ID: 2434981716-376848344
Opcode ID: e760fc993f21a21839842dd6d2438574abd9d0c6c5e3b8a5c8416df39f49bccb
Instruction ID: 03e80d93b460e6c9e8a2610f61f7c9f0780bd356df70e00c6cd0b117ee06c02c
Opcode Fuzzy Hash: e760fc993f21a21839842dd6d2438574abd9d0c6c5e3b8a5c8416df39f49bccb
Instruction Fuzzy Hash: F9416E70604045AFDB279F28C880A7D7FE9DF46304F2945A9F8858F642DE71AC539790

Function 00372716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0037B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003721D0,?,?,00000034,00000800,?,00000034), ref: 0037B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00372760

Part of subcall function 0037B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003721FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0037B3F8

Part of subcall function 0037B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0037B355
Part of subcall function 0037B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00372194,00000034,?,?,00001004,00000000,00000000), ref: 0037B365
Part of subcall function 0037B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00372194,00000034,?,?,00001004,00000000,00000000), ref: 0037B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003727CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0037281A

Strings

@, xrefs: 00372832

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 2d71bc24485abf964125a76726fb67f5952b679a4713a94bcb7d604de0115ca4
Instruction ID: a64f52a97510e3f573bc7c1485fd7b6e687aa3c059043412830b9bd22b103a87
Opcode Fuzzy Hash: 2d71bc24485abf964125a76726fb67f5952b679a4713a94bcb7d604de0115ca4
Instruction Fuzzy Hash: 3B413D76900218BFDB21DBA4CD41BDEBBB8AF09300F008095FA59B7191DB756E85CBA1

Function 0034172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00341769
_free.LIBCMT ref: 00341834
_free.LIBCMT ref: 0034183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00341760, 00341767, 00341796, 003417CE

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-517116171
Opcode ID: 8c4ae567398cb6a8943b5807a9bfce856f65d26737637d15a9245b9e72f3abec
Instruction ID: b04559281cf0f45cd4b51aaa8e2b22da9bc6b18b74fdb5866a777d09c999abb4
Opcode Fuzzy Hash: 8c4ae567398cb6a8943b5807a9bfce856f65d26737637d15a9245b9e72f3abec
Instruction Fuzzy Hash: 88318D75A00658AFDB23DB99DC81D9EBBFCEB89310F554166F904EF211D670AA80CB90

Function 0037C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0037C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0037C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,003E1990,00CB5788), ref: 0037C395

Strings

0, xrefs: 0037C2DF

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 6cc4b52ba1aa5cdcba2c96663dcaf9095b3827bd5657cda36d12e75a3efb2138
Instruction ID: 3e8ec780f4cdd6687350e544ed9f89619d892cf9f6679909e82b2cc7abb61fc7
Opcode Fuzzy Hash: 6cc4b52ba1aa5cdcba2c96663dcaf9095b3827bd5657cda36d12e75a3efb2138
Instruction Fuzzy Hash: FE41B4352143019FE736DF25D884B5ABBE8AF85320F00DA1DF9699B2D1D738E904CB62

Function 003A4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,003ACC08,00000000,?,?,?,?), ref: 003A44AA
GetWindowLongW.USER32 ref: 003A44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 003A44D7

Strings

SysTreeView32, xrefs: 003A447C

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 428277a1e99b345b8bc5217ba3477dc07550766e22b51f138ff44a42034c7c53
Instruction ID: f6d90a1cfb0eef6989ecf1844b07781e9c39b43677ce0f81429c100d5bf4cfc2
Opcode Fuzzy Hash: 428277a1e99b345b8bc5217ba3477dc07550766e22b51f138ff44a42034c7c53
Instruction Fuzzy Hash: F031C031210605AFDF268F78DC45BEA77A9EB4A334F214725F975921E0D7B0EC509B50

Function 00376E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00376EED
VariantCopyInd.OLEAUT32(?,?), ref: 00376F08
VariantClear.OLEAUT32(?), ref: 00376F12

Strings

*j7, xrefs: 00376E8B, 00376E90, 00376EF8

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j7
API String ID: 2173805711-3979623430
Opcode ID: f6e505f950d568daf070ccb473d42ce404f5f82eb2152a053db23482021417fd
Instruction ID: cd8f08161c2c36bffa9b32ac795dbd33ee54bf2fb6b167e706113360007ce940
Opcode Fuzzy Hash: f6e505f950d568daf070ccb473d42ce404f5f82eb2152a053db23482021417fd
Instruction Fuzzy Hash: F231A471604646DFCB1BAF64E8629BD77BAFF49300B104498F9064F2A1C7389D62EBD4

Function 0039304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0039335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00393077,?,?), ref: 00393378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0039307A
_wcslen.LIBCMT ref: 0039309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00393106

Strings

255.255.255.255, xrefs: 00393095, 0039309A

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 04c3ac39012d3c61cb6b75d6e26ed9d18cf7fc2e7b5d60cd3d8ea8c2bb588b2a
Instruction ID: f2babebdc00ab41c8b0a806ab58d6c5d43579380beaff30e19a0f24254ec5885
Opcode Fuzzy Hash: 04c3ac39012d3c61cb6b75d6e26ed9d18cf7fc2e7b5d60cd3d8ea8c2bb588b2a
Instruction Fuzzy Hash: 3831E7B92042019FCF22DF68C485EAA77F4EF15318F258059E9168F7A2D731EE45C761

Function 003A3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 003A3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 003A3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 003A3F78

Strings

SysMonthCal32, xrefs: 003A3F0B

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: f568b29780dae4697b6ed932d5f2724b3994f15e47cd20b3e79638245343e589
Instruction ID: 2319ec4e3f9e325fb860b89e97ef4fd3acc9e3ee853aa8b3b0998163bbe87487
Opcode Fuzzy Hash: f568b29780dae4697b6ed932d5f2724b3994f15e47cd20b3e79638245343e589
Instruction Fuzzy Hash: 6921BC32610219BFDF268F90CC46FEA3B79EF49714F120214FA156B1D0D6B1AC908B90

Function 003A4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 003A4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 003A4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 003A471A

Strings

msctls_updown32, xrefs: 003A4684

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 8283ade1e650cd4fc3adab9e5f44c117d17c0fa0e8321e7cf645072fd202bdef
Instruction ID: 548332c49ae45795bf35e0d6d4a901eb6d011fe7c8fe49bc5f98dc2c00b07812
Opcode Fuzzy Hash: 8283ade1e650cd4fc3adab9e5f44c117d17c0fa0e8321e7cf645072fd202bdef
Instruction Fuzzy Hash: 152192B5600244AFDB12DF68DCC1DB777ADEB8B394B050059F9109B2A1DB71EC11CB60

Function 003795AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0037961D

Strings

#notrayicon, xrefs: 003795B7
#OnAutoItStartRegister, xrefs: 003795F3
#requireadmin, xrefs: 003795D9

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 46bbcdb65f93a23050a839a8e0948bb9b48339be9ce54bded7cf160c352d1d93
Instruction ID: 71d18f61b7634881238a080b778d96e9cb164399a20a4df211234948ff632cad
Opcode Fuzzy Hash: 46bbcdb65f93a23050a839a8e0948bb9b48339be9ce54bded7cf160c352d1d93
Instruction Fuzzy Hash: 3B215B7210462166C333BB259C42FF773ECDF56320F158227F94D9B181EB59AD85C295

Function 003A37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 003A3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 003A3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 003A3876

Strings

Listbox, xrefs: 003A380F

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 923fb22e0f835f909d3e18d473d962904d0bc195a4ff86aa8bbfddd86cc8473b
Instruction ID: 78d4a30380fd652ec567ff667498fee4f0513fb4a1837a3fd834134c9992ff82
Opcode Fuzzy Hash: 923fb22e0f835f909d3e18d473d962904d0bc195a4ff86aa8bbfddd86cc8473b
Instruction Fuzzy Hash: 6621A472610118BBEF238F54DC85FBB376EEF8A750F118125F9149B190CA76DC5187A0

Function 003849F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00384A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00384A5C
SetErrorMode.KERNEL32(00000000,?,?,003ACC08), ref: 00384AD0

Strings

%lu, xrefs: 00384A6F

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: f3f174c62b42f7b82669fb3ee441e652b4eaa51d87d403723bacb21128f1e161
Instruction ID: fe43045abb3fae3059ce2adc1bac32f37fd19db90d6506f62d3b68d9d9b21125
Opcode Fuzzy Hash: f3f174c62b42f7b82669fb3ee441e652b4eaa51d87d403723bacb21128f1e161
Instruction Fuzzy Hash: 71318071A00209AFDB15DF54C885EAA7BF8EF09304F1480A5E809DF252D775EE45CB61

Function 003A41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 003A424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 003A4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 003A4271

Strings

msctls_trackbar32, xrefs: 003A4226

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 778e1dbeb11241574365073e38e23ef0e6aba8615127cfa68435d1ffdfc949ef
Instruction ID: 58a3ab9ea475a9d5c680697f04a992bd02be4dad36ef21fabe251920a534f737
Opcode Fuzzy Hash: 778e1dbeb11241574365073e38e23ef0e6aba8615127cfa68435d1ffdfc949ef
Instruction Fuzzy Hash: DF110631240248BEEF225F68CC46FAB7BACEFD6B54F020524FA55E60A0D6B1DC519B50

Function 00372F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00316B57: _wcslen.LIBCMT ref: 00316B6A

Part of subcall function 00372DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00372DC5
Part of subcall function 00372DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00372DD6
Part of subcall function 00372DA7: GetCurrentThreadId.KERNEL32 ref: 00372DDD
Part of subcall function 00372DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00372DE4

GetFocus.USER32 ref: 00372F78

Part of subcall function 00372DEE: GetParent.USER32(00000000), ref: 00372DF9

GetClassNameW.USER32(?,?,00000100), ref: 00372FC3
EnumChildWindows.USER32(?,0037303B), ref: 00372FEB

Strings

%s%d, xrefs: 00372FFF

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: d66692c05c6df61d6068e8e55d69e3ac4f83dd7104b4dd31ab0ca162a5450aa8
Instruction ID: f8f9dc88392a190facf18a963f74a81af87076331ac9f8f738cf7f5099a24126
Opcode Fuzzy Hash: d66692c05c6df61d6068e8e55d69e3ac4f83dd7104b4dd31ab0ca162a5450aa8
Instruction Fuzzy Hash: CB11E4716002056BCF26BF748CD6EEE37AAAF89304F04C075F90D9F252DE349A459B60

Function 003A5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 003A58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 003A58EE
DrawMenuBar.USER32(?), ref: 003A58FD

Strings

0, xrefs: 003A588F

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: afbb1ffb144b2fa9edccf90e2d0b683aa30713b1ad3ab4b80058127fed2d528a
Instruction ID: eabcb326c4d9d8419776810f65c70210cf989749fba0efa57e0390b4edcbcafc
Opcode Fuzzy Hash: afbb1ffb144b2fa9edccf90e2d0b683aa30713b1ad3ab4b80058127fed2d528a
Instruction Fuzzy Hash: 15011E31510218EFDB129F11EC44BAFBBB8FF46761F1480A9F849DA151DB308A94DF21

Function 0037007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd6c83e98d22f137b362692ffd6e6c5f455d7d66162673dc6b52f08510d8caf9
Instruction ID: 9fc689b24bef7e1bbc482a9046526bdf1ee9774cbe3316239a25760b97025185
Opcode Fuzzy Hash: dd6c83e98d22f137b362692ffd6e6c5f455d7d66162673dc6b52f08510d8caf9
Instruction Fuzzy Hash: E3C15B75A0020AEFDB29CFA4C894EAEB7B5FF48704F218598E509EB251D735ED41CB90

Function 0039342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00393459
CoUninitialize.OLE32 ref: 00393463
VariantInit.OLEAUT32(?), ref: 0039346E
VariantClear.OLEAUT32(?), ref: 0039371B

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 8620eeb05331217a392f3c57fef2f7a4fe3f24c560e19478ac236244c6b55c8b
Instruction ID: 737bad0933f65d3d9abe8e70385458f029f14896ef73c2b83b4173f5cba9532a
Opcode Fuzzy Hash: 8620eeb05331217a392f3c57fef2f7a4fe3f24c560e19478ac236244c6b55c8b
Instruction Fuzzy Hash: BFA13A752042109FCB16DF28C485A6AB7E9FF8D714F058859F98A9F362DB30ED41CB91

Function 00370436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,003AFC08,?), ref: 003705F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,003AFC08,?), ref: 00370608
CLSIDFromProgID.OLE32(?,?,00000000,003ACC40,000000FF,?,00000000,00000800,00000000,?,003AFC08,?), ref: 0037062D
_memcmp.LIBVCRUNTIME ref: 0037064E

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 6b8bcc8a6e9cb15df66ea7b6c7a89ff489eb95082963533feb9af2034449f825
Instruction ID: a712cf8d34cef2dcfc3926570dff0b652435e7582552aac00d16c8d3133b920e
Opcode Fuzzy Hash: 6b8bcc8a6e9cb15df66ea7b6c7a89ff489eb95082963533feb9af2034449f825
Instruction Fuzzy Hash: 9B812971A00109EFCB15DF94C984EEEB7B9FF89315F208598E506AB250DB75AE06CF60

Function 00351391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 003514C0

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 7578f0748e40a0c4974b8586792f1f31be0cb375d3fce4b143e88ae8712efdc4
Instruction ID: cf4d556ba64e6a00883bb0f87dfdb753e8967cd37f8633ad58365c5513f53a06
Opcode Fuzzy Hash: 7578f0748e40a0c4974b8586792f1f31be0cb375d3fce4b143e88ae8712efdc4
Instruction Fuzzy Hash: 28411975A00100ABDB23ABBB9C85FAF3AF8EF42371F154625FC19DE2B2E67448455361

Function 003A6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 003A62E2
ScreenToClient.USER32(?,?), ref: 003A6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 003A6382

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 8a5cba754a401ef5f6879b1d125a5200ab83a1d2dca0884366265e62676bc252
Instruction ID: 8c5e88e6ba88cec7179d373c96bdd6b26d6a0c9774beb3fce4ea81739288abaa
Opcode Fuzzy Hash: 8a5cba754a401ef5f6879b1d125a5200ab83a1d2dca0884366265e62676bc252
Instruction Fuzzy Hash: C4514E74A00249EFCF22DF64D881AAE7BB5FF46360F158259F9159B2A1D730ED81CB90

Function 00391AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00391AFD
WSAGetLastError.WSOCK32 ref: 00391B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00391B8A
WSAGetLastError.WSOCK32 ref: 00391B94

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: a5a74af65ad8bca13743700060711bd483f8711ede269ae16c9c0c3a82006f8d
Instruction ID: 458c8f0edea159dc9144def4ef53030979663f76846a4c1e99428bb7b15993dd
Opcode Fuzzy Hash: a5a74af65ad8bca13743700060711bd483f8711ede269ae16c9c0c3a82006f8d
Instruction Fuzzy Hash: C341B3346402016FEB26AF24C886F6977E5AB48718F54C448F91A9F3D3D772ED82CB90

Function 0034B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83e3a87c936f182760bc588f734bf69048b2425a44122078807ed4c156c2751e
Instruction ID: 2e1035e2f702b756de35e39a51e04b4e8f1fc6cb4d0991bf15ca89a3eb397355
Opcode Fuzzy Hash: 83e3a87c936f182760bc588f734bf69048b2425a44122078807ed4c156c2751e
Instruction Fuzzy Hash: BC410475A00304AFD7269F39C842BAAFBE9EF88710F10452AF515DF692D371E9018B80

Function 003856D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00385783
GetLastError.KERNEL32(?,00000000), ref: 003857A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 003857CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 003857FA

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: e46f73324ccac5473e8ee3d1f2cb3f6a1cf08f9304fe01008be200d06d0a997a
Instruction ID: 09375fb1707581051b1659bbdbd855e7831467273d9c4742ad94e455d4fb5ecf
Opcode Fuzzy Hash: e46f73324ccac5473e8ee3d1f2cb3f6a1cf08f9304fe01008be200d06d0a997a
Instruction Fuzzy Hash: 1941EC35600610DFCB16EF15C545A5DBBF6AF49720B198488E84A5F362CB35FD41CB91

Function 0034D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00336D71,00000000,00000000,003382D9,?,003382D9,?,00000001,00336D71,?,00000001,003382D9,003382D9), ref: 0034D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0034D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0034D9AB
__freea.LIBCMT ref: 0034D9B4

Part of subcall function 00343820: RtlAllocateHeap.NTDLL(00000000,?,003E1444,?,0032FDF5,?,?,0031A976,00000010,003E1440,003113FC,?,003113C6,?,00311129), ref: 00343852

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: e76213e7689067ec976677bc894ac5573b684458c9de91877763bb86bda19f62
Instruction ID: fc47a13910a52e705bf1c9ce7e4f7de4b62bbe3018472a8aaaa8d7badccc18a0
Opcode Fuzzy Hash: e76213e7689067ec976677bc894ac5573b684458c9de91877763bb86bda19f62
Instruction Fuzzy Hash: BC31B072A1020AABDF269F64DC85EAF7BE9EB41710F064168FC04DB150EB35ED54CB90

Function 003A52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 003A5352
GetWindowLongW.USER32(?,000000F0), ref: 003A5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 003A5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003A53A8

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: c7fc9b7372b066ca1c5554c293d608dc35e4e465ec84b0eac939e0732b089c5b
Instruction ID: 571eaf11976dad5779a9007d438b9bce1febec672e90871f48cb7ad703204e43
Opcode Fuzzy Hash: c7fc9b7372b066ca1c5554c293d608dc35e4e465ec84b0eac939e0732b089c5b
Instruction Fuzzy Hash: 3931E238A55A08FFEF379E14CC45BE87769EB87390F594101FA11962E1C7B09980DB41

Function 0037AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 0037ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0037AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0037AC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 0037ACC6

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 96bed013c543187cab73e63957cba487d028471d6c16ab8bd72e2bf2ef42fa12
Instruction ID: 7c435725a2ff38fcf8d483d63fd67dececff49d21054310b0852a4a869480882
Opcode Fuzzy Hash: 96bed013c543187cab73e63957cba487d028471d6c16ab8bd72e2bf2ef42fa12
Instruction Fuzzy Hash: 64311870A04A1A7FEF37CB658805BFE7AA9ABC5310F04D31AE489D61D1C37C89818792

Function 003A7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 003A769A
GetWindowRect.USER32(?,?), ref: 003A7710
PtInRect.USER32(?,?,003A8B89), ref: 003A7720
MessageBeep.USER32(00000000), ref: 003A778C

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: fe172a4339a02630e843ee4b4e9909edb7b327d1f514e9dc95466599985265fd
Instruction ID: 5d35f91e245c635fd9e7b8833e32a70233421cb79f684b2b90ee5217e41b69ba
Opcode Fuzzy Hash: fe172a4339a02630e843ee4b4e9909edb7b327d1f514e9dc95466599985265fd
Instruction Fuzzy Hash: C2415934A09254DFCB13CF58CDD4EA9B7F9FB4A354F1A41A8E8149F2A1D732A941CB90

Function 003A16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 003A16EB

Part of subcall function 00373A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00373A57
Part of subcall function 00373A3D: GetCurrentThreadId.KERNEL32 ref: 00373A5E
Part of subcall function 00373A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003725B3), ref: 00373A65

GetCaretPos.USER32(?), ref: 003A16FF
ClientToScreen.USER32(00000000,?), ref: 003A174C
GetForegroundWindow.USER32 ref: 003A1752

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: a44db9df7dbc401a65e0b7fa7d20fee2ebc71533262df94fd75e4c54d4625055
Instruction ID: 5e49ade4ecda3d5ca3e860a9d34560ddb3ea1b8b8f0b6bc8e2b0c06c7082cb8c
Opcode Fuzzy Hash: a44db9df7dbc401a65e0b7fa7d20fee2ebc71533262df94fd75e4c54d4625055
Instruction Fuzzy Hash: B2313D75D00249AFCB05EFAAC8858EEBBFDEF49304B5490A9E415EB211D6319E45CBA0

Function 0037D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0037D501
Process32FirstW.KERNEL32(00000000,?), ref: 0037D50F
Process32NextW.KERNEL32(00000000,?), ref: 0037D52F
CloseHandle.KERNEL32(00000000), ref: 0037D5DC

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 86590029cc956823e1e54bd4a5a4802920f90db3a009779dfdf575479bc4f09b
Instruction ID: ac2ed0b9016b96df9e93bc0bc47bac93976dd121be15497e22bfa371f8eeb05a
Opcode Fuzzy Hash: 86590029cc956823e1e54bd4a5a4802920f90db3a009779dfdf575479bc4f09b
Instruction Fuzzy Hash: FA31D6711083009FD316EF54C891AAFBBF8EF9A354F10492DF585971A1EB719988CB92

Function 003A8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00329BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00329BB2

GetCursorPos.USER32(?), ref: 003A9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00367711,?,?,?,?,?), ref: 003A9016
GetCursorPos.USER32(?), ref: 003A905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00367711,?,?,?), ref: 003A9094

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: d0abf77ac7f6b23dfa7f76c17bc7d4c8a458558fc89e710cbe20d3e06ca486d2
Instruction ID: faf8750341d4ff5e5ba409866c1c8bdb774c9b001e585fd364e97dc0bafb602d
Opcode Fuzzy Hash: d0abf77ac7f6b23dfa7f76c17bc7d4c8a458558fc89e710cbe20d3e06ca486d2
Instruction Fuzzy Hash: 39219F35600018EFCB27CF95D898FEA7BB9EB4B390F144196F9055B2A1C3319D90DB60

Function 0037D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,003ACB68), ref: 0037D2FB
GetLastError.KERNEL32 ref: 0037D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0037D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,003ACB68), ref: 0037D376

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 0c13fd2504a4985ca8002bf013de70c990ffd22869a705953d24995cc47f91d5
Instruction ID: 4f377cead2149f3216c0fea8dc23e5434af78b2410b75ca8538af53d6fcc6ed9
Opcode Fuzzy Hash: 0c13fd2504a4985ca8002bf013de70c990ffd22869a705953d24995cc47f91d5
Instruction Fuzzy Hash: 7521A3745042019FD726DF24C8819AA77F8EE5A324F108A1DF499C72A1DB35D945CB93

Function 00371571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00371014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0037102A
Part of subcall function 00371014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00371036
Part of subcall function 00371014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00371045
Part of subcall function 00371014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0037104C
Part of subcall function 00371014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00371062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 003715BE
_memcmp.LIBVCRUNTIME ref: 003715E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00371617
HeapFree.KERNEL32(00000000), ref: 0037161E

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: d92c8da88d70efb68545de0a987ca9dd51ef9f213d8adcc1ca55514c5f7a0a1c
Instruction ID: e6ba8b653749faede4e3f1dafce13cd3fdce2ef782110cff16d273bb79fd3de8
Opcode Fuzzy Hash: d92c8da88d70efb68545de0a987ca9dd51ef9f213d8adcc1ca55514c5f7a0a1c
Instruction Fuzzy Hash: B421A132E00108EFDF25DFA8C945BEEB7B8EF45354F198459E845AB241E734AA05DF50

Function 003A2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 003A280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 003A2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 003A2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 003A2840

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 3ac1785772aa5072e106e19443a8f6f0bc6ff6a5abe4675ebb9e8844b45bad75
Instruction ID: 4d956cd9d69d8271d7931cfc63e1e8b2f4a16c756483f747c10ace2ba85ab6f9
Opcode Fuzzy Hash: 3ac1785772aa5072e106e19443a8f6f0bc6ff6a5abe4675ebb9e8844b45bad75
Instruction Fuzzy Hash: 4A21C131604511AFD71A9B28C844FAB7B99EF47324F158258F4268B6E2CB75FD82CB90

Function 003778F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00378D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0037790A,?,000000FF,?,00378754,00000000,?,0000001C,?,?), ref: 00378D8C
Part of subcall function 00378D7D: lstrcpyW.KERNEL32(00000000,?,?,0037790A,?,000000FF,?,00378754,00000000,?,0000001C,?,?,00000000), ref: 00378DB2
Part of subcall function 00378D7D: lstrcmpiW.KERNEL32(00000000,?,0037790A,?,000000FF,?,00378754,00000000,?,0000001C,?,?), ref: 00378DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00378754,00000000,?,0000001C,?,?,00000000), ref: 00377923
lstrcpyW.KERNEL32(00000000,?,?,00378754,00000000,?,0000001C,?,?,00000000), ref: 00377949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00378754,00000000,?,0000001C,?,?,00000000), ref: 00377984

Strings

cdecl, xrefs: 0037797B

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 5c800ac30e0119304b30d891bb15912657c9b2c73b5c80ef3c904e6cdc7e9b6c
Instruction ID: 3b81e48d2649f6346a732aa3585c4399c33b3ebe4a6d5f43c356a0bf46e2b407
Opcode Fuzzy Hash: 5c800ac30e0119304b30d891bb15912657c9b2c73b5c80ef3c904e6cdc7e9b6c
Instruction Fuzzy Hash: EC11D63A201201AFCB275F34D845E7A77A9FF96350B51802AF94ACB2A4EB359811C791

Function 003A7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 003A7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 003A7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 003A7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0038B7AD,00000000), ref: 003A7D6B

Part of subcall function 00329BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00329BB2

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 4676931fab18f8598e3254d63c2b03ecc157acb2a595ff3a2bdd00746df5edf2
Instruction ID: da875cd4594ccb6f0ae7ee9ec18d194f09357cde2c7b01eb4bb796faeda423d1
Opcode Fuzzy Hash: 4676931fab18f8598e3254d63c2b03ecc157acb2a595ff3a2bdd00746df5edf2
Instruction Fuzzy Hash: 2B117231615665AFCB129F28DC84AAA3BA9EF47360F164724F835DB2F0D7309951CB90

Function 003A5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 003A56BB
_wcslen.LIBCMT ref: 003A56CD
_wcslen.LIBCMT ref: 003A56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 003A5816

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 0ecf3e7949ee6eead6f5f6641daaf1d92a3b49eac54e2ad110ed7b84324c9d93
Instruction ID: dbedf699028755c94d2e363153b9306536f132664ea103ffec1123b175b9afa4
Opcode Fuzzy Hash: 0ecf3e7949ee6eead6f5f6641daaf1d92a3b49eac54e2ad110ed7b84324c9d93
Instruction Fuzzy Hash: 8F11D37560461896DB22DF61CC85AEE77BCEF16760F10412AF915DA091EB70DA84CBA0

Function 00341D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d76eb0cf09d18b317f47bfdebaa2714b31542fc2f7733b8b1d1396f031d7a61
Instruction ID: 79a33515a39e1f39b392e9098c3e04736671a8085e20c2a5174503ca37b94ffd
Opcode Fuzzy Hash: 4d76eb0cf09d18b317f47bfdebaa2714b31542fc2f7733b8b1d1396f031d7a61
Instruction Fuzzy Hash: 300178F2A09A163EF6232AB86CC0F77669DDF423B8F351325B531A91D2DB60AC804160

Function 00371A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00371A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00371A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00371A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00371A8A

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 95e67817d1d967c756694164f7dff96358d0431106fcc99ee43ec58a62916ea5
Instruction ID: aeee874bf84c4c0f006da8aad975f4b6fdac0f43a1fa2f431b30976001b16866
Opcode Fuzzy Hash: 95e67817d1d967c756694164f7dff96358d0431106fcc99ee43ec58a62916ea5
Instruction Fuzzy Hash: 7E11393AD01219FFEB11DBA8CD85FADFB78EB08750F204091EA04B7290D671AE50DB94

Function 0037E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0037E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0037E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0037E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0037E24D

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: b166a336593d97a812356fd9cc3be7d69ea906aed29c6c8fd957340f14e0c935
Instruction ID: a082fde6388a170da44a61c0ccc0fdb4c91d1fad9cbdbe92408024ec4a0b2963
Opcode Fuzzy Hash: b166a336593d97a812356fd9cc3be7d69ea906aed29c6c8fd957340f14e0c935
Instruction Fuzzy Hash: 67110876A04258BBC723ABA8DC45A9F7FACAB45310F008755F828D73D1D678C90087A0

Function 0033D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0033CFF9,00000000,00000004,00000000), ref: 0033D218
GetLastError.KERNEL32 ref: 0033D224
__dosmaperr.LIBCMT ref: 0033D22B
ResumeThread.KERNEL32(00000000), ref: 0033D249

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 65e3e3e88a1425bfc975daf6ebc557255de2756f2768158b3f071255f432d4a8
Instruction ID: 1a9c7aa7562f99ddad2b6b2269ca83a4102345b294a7a7d49831154ac38812b0
Opcode Fuzzy Hash: 65e3e3e88a1425bfc975daf6ebc557255de2756f2768158b3f071255f432d4a8
Instruction Fuzzy Hash: 7701C036815208BBCB235BA5EC89AAB7A6DDF82731F110619F925DA1D0CF718941C7A0

Function 0031600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0031604C
GetStockObject.GDI32(00000011), ref: 00316060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0031606A

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: d1ce2566ff8a97a85f4ef75cf9a902f0adcf2d6f456c50e2aab575316f79e2d9
Instruction ID: 0fa7d1fd37074e72e53abf128a241adc4a9c478f5d78601db0d7e951ddb01c24
Opcode Fuzzy Hash: d1ce2566ff8a97a85f4ef75cf9a902f0adcf2d6f456c50e2aab575316f79e2d9
Instruction Fuzzy Hash: 1111AD72505508BFEF1B8FA48C45EEABBADEF0D3A4F050205FA0452120C7329CA0DBA0

Function 00333B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00333B56

Part of subcall function 00333AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00333AD2
Part of subcall function 00333AA3: ___AdjustPointer.LIBCMT ref: 00333AED

_UnwindNestedFrames.LIBCMT ref: 00333B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00333B7C
CallCatchBlock.LIBVCRUNTIME ref: 00333BA4

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: d0a0907cc02d0c4d25cec1de61a5fcd59a876b82f02520df630679ef24918a28
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 6F012932100148BBDF125F95CC82EEB7B69EF48754F058014FE48AA121C736E961DBA0

Function 00343073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,003113C6,00000000,00000000,?,0034301A,003113C6,00000000,00000000,00000000,?,0034328B,00000006,FlsSetValue), ref: 003430A5
GetLastError.KERNEL32(?,0034301A,003113C6,00000000,00000000,00000000,?,0034328B,00000006,FlsSetValue,003B2290,FlsSetValue,00000000,00000364,?,00342E46), ref: 003430B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0034301A,003113C6,00000000,00000000,00000000,?,0034328B,00000006,FlsSetValue,003B2290,FlsSetValue,00000000), ref: 003430BF

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 1449ca3f7aa9ffde94bb1bfecff8cc8c765ffb60d01b4f6b61247ac5e96ee055
Instruction ID: f1c68ec1c1c33af3825efebecc4a4e2938d21101462dde65e9962ed8f6d39937
Opcode Fuzzy Hash: 1449ca3f7aa9ffde94bb1bfecff8cc8c765ffb60d01b4f6b61247ac5e96ee055
Instruction Fuzzy Hash: 7001DB36712222ABCB334B799C45A677BDCAF46B61F210720F907EB180D721E901C6E0

Function 00377464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0037747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00377497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 003774AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 003774CA

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: dce08558de9cb37a1d6a380f460a7e1a3add72fc8cb015985d2a327c9259f862
Instruction ID: 34e12762bca4bee63b7012f6af252abbfb029cb089b13a73df19f52883d07d54
Opcode Fuzzy Hash: dce08558de9cb37a1d6a380f460a7e1a3add72fc8cb015985d2a327c9259f862
Instruction Fuzzy Hash: AD11ADB1219310ABE7328F26DC08FA27FFCEB04B00F10C569A61AD6591D7B4E904DB60

Function 0037B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0037ACD3,?,00008000), ref: 0037B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0037ACD3,?,00008000), ref: 0037B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0037ACD3,?,00008000), ref: 0037B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0037ACD3,?,00008000), ref: 0037B126

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: d08aa7c7b11a1d7e391600b00cd3658163e64db307090a4d803936910d1ae5de
Instruction ID: 776528eb002fb2f94b93697b95f30c379be7c2cf804c976fcb8fcbbedb9ccbb7
Opcode Fuzzy Hash: d08aa7c7b11a1d7e391600b00cd3658163e64db307090a4d803936910d1ae5de
Instruction Fuzzy Hash: 40117930E01528E7CF22AFA4E9697EEFB78FF0A311F018086D985B2181CB3456518B51

Function 003A7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 003A7E33
ScreenToClient.USER32(?,?), ref: 003A7E4B
ScreenToClient.USER32(?,?), ref: 003A7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 003A7E8A

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: ca4e5cd309224f178ca422da180f6668ad0e3658458e9bb3793e38deadbfcd02
Instruction ID: 0fc8a662cb99164a9d21ade66ffe6f6d37c7b3d22b7b0b7f4f332064ffc4bc4a
Opcode Fuzzy Hash: ca4e5cd309224f178ca422da180f6668ad0e3658458e9bb3793e38deadbfcd02
Instruction Fuzzy Hash: 911123B9D0024AAFDB41DF98C884AEEBBF9FF09310F509066E955E3210D735AA55CF90

Function 00372DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00372DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00372DD6
GetCurrentThreadId.KERNEL32 ref: 00372DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00372DE4

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 93b1a2323f0446390bb92b155b6496c5a0321cc3f055427606bef877b12955f8
Instruction ID: 5d546bb6ca63d150bff327d79181530a83cb19643ef6d6b260794ebc9869bb2c
Opcode Fuzzy Hash: 93b1a2323f0446390bb92b155b6496c5a0321cc3f055427606bef877b12955f8
Instruction Fuzzy Hash: 88E09271611224BBD7325B729C0DFEB3E6CFF43BA1F045015F109E10909AA8C840C6B0

Function 003A8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00329639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00329693
Part of subcall function 00329639: SelectObject.GDI32(?,00000000), ref: 003296A2
Part of subcall function 00329639: BeginPath.GDI32(?), ref: 003296B9
Part of subcall function 00329639: SelectObject.GDI32(?,00000000), ref: 003296E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 003A8887
LineTo.GDI32(?,?,?), ref: 003A8894
EndPath.GDI32(?), ref: 003A88A4
StrokePath.GDI32(?), ref: 003A88B2

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: e54a07d54fae746192562800350c1ea6eb03141f12a28f29b6a561ee6f243e65
Instruction ID: 8b468b4e503fddaa528f2e405dfc64a02d2c01ba0de205e027cc42fe00cb70fe
Opcode Fuzzy Hash: e54a07d54fae746192562800350c1ea6eb03141f12a28f29b6a561ee6f243e65
Instruction Fuzzy Hash: 4CF03A36055258BADB135F94AC0DFCE3A5DAF06310F448100FA11650E2CB795511CBE9

Function 003298B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 003298CC
SetTextColor.GDI32(?,?), ref: 003298D6
SetBkMode.GDI32(?,00000001), ref: 003298E9
GetStockObject.GDI32(00000005), ref: 003298F1

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: b7ea1d7e88f22e3abf69711a9dadec8723f2cb6057f8f0906eb86c9e5551a85b
Instruction ID: c87e50e18909352fe069ca6ac1f22121ccc0c377ef18c77d6e7c3fb7ad2d12b6
Opcode Fuzzy Hash: b7ea1d7e88f22e3abf69711a9dadec8723f2cb6057f8f0906eb86c9e5551a85b
Instruction Fuzzy Hash: DCE06D31254280AADB235B75BC0DBE83F64EB13336F04C21AF6FA980E1C77246819B10

Function 0037162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00371634
OpenThreadToken.ADVAPI32(00000000,?,?,?,003711D9), ref: 0037163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,003711D9), ref: 00371648
OpenProcessToken.ADVAPI32(00000000,?,?,?,003711D9), ref: 0037164F

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 817c30930a596e14e8f866162254906faff255a66f5b4b617f114c6ef4da3913
Instruction ID: 2d185b5c4ede50781c67162caca9d59b326cb67718d64cb4e6edbde63c6982ae
Opcode Fuzzy Hash: 817c30930a596e14e8f866162254906faff255a66f5b4b617f114c6ef4da3913
Instruction Fuzzy Hash: C0E08C36612211EBDB311FA4AE0DB873BBCBF46792F158808F649C9080EA3C8540CB60

Function 0036D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0036D858
GetDC.USER32(00000000), ref: 0036D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0036D882
ReleaseDC.USER32(?), ref: 0036D8A3

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 33276dd5b06eb3fbacc7d17c5d2c20090b6c6bb8debf7a4945e3d666258a0bfe
Instruction ID: eddb148787233ff3b94074f8e4db63c8b719e6b5c56fb667ed28b9c2c4440a03
Opcode Fuzzy Hash: 33276dd5b06eb3fbacc7d17c5d2c20090b6c6bb8debf7a4945e3d666258a0bfe
Instruction Fuzzy Hash: 66E09AB5910215DFCB43DFA0D90C66DBBB9FB09711F14A459E846E7360CB389941EF50

Function 0036D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0036D86C
GetDC.USER32(00000000), ref: 0036D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0036D882
ReleaseDC.USER32(?), ref: 0036D8A3

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 6bcdd6bcc80b053cafe395061668b8e23d8c8b98178767d43f297a9cdd788573
Instruction ID: 396c21bc46ccff5a9d7c7220ba4bec0c02116c8712ceb19eddd7ebbbee9bcc49
Opcode Fuzzy Hash: 6bcdd6bcc80b053cafe395061668b8e23d8c8b98178767d43f297a9cdd788573
Instruction Fuzzy Hash: A1E09A75810204DFCB52DFA0D80866DBBB9BB09711F14A449E946E7360CB389941DF50

Function 00384D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00317620: _wcslen.LIBCMT ref: 00317625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00384ED4

Strings

LPT, xrefs: 00384DFB
*, xrefs: 00384E10

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 3d2abe023baae79da7f938850f5153937d5df6cc8fc87b4514c3476d4c299131
Instruction ID: 844e644841dad6d7de41e2ef1e11a5f48a8127e78bc44b108e8e5e284529745a
Opcode Fuzzy Hash: 3d2abe023baae79da7f938850f5153937d5df6cc8fc87b4514c3476d4c299131
Instruction Fuzzy Hash: 53917F75A002059FCB16EF58C484EAABBF5AF48304F1980DDE50A9F762D735ED85CB90

Function 0033E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0033E30D

Strings

pow, xrefs: 0033E2E5, 0033E302

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: c6b887004516370f3d620c94057dc207a5b0550b80f509eb91916f7121ef0912
Instruction ID: 6ae97033c600879e40a22bb6c8c8f4c3b766efb732d69e56b0be5428e8fa1d37
Opcode Fuzzy Hash: c6b887004516370f3d620c94057dc207a5b0550b80f509eb91916f7121ef0912
Instruction Fuzzy Hash: C2516B61E1C20296CB177724CD813BA3BECEF40750F358F68E0D58A2E9EB359CD59A46

Function 00397771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0036569E,00000000,?,003ACC08,?,00000000,00000000), ref: 003978DD

Part of subcall function 00316B57: _wcslen.LIBCMT ref: 00316B6A

CharUpperBuffW.USER32(0036569E,00000000,?,003ACC08,00000000,?,00000000,00000000), ref: 0039783B

Strings

<s=, xrefs: 003977C8

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s=
API String ID: 3544283678-2387256258
Opcode ID: e8827c7bb920c313158360832ea4faa9073f24a6a9bdcb6dd9a0377ad6487921
Instruction ID: 7044d8c08197d39a83243bfcd913b8eb902497b12524501d958e916c6b1b993f
Opcode Fuzzy Hash: e8827c7bb920c313158360832ea4faa9073f24a6a9bdcb6dd9a0377ad6487921
Instruction Fuzzy Hash: CD613076924119AACF0BEBE4CC92DFDB378FF18700B544526F542AB191EF305A85DBA0

Function 0032E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0032E1B1

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 77ff8aa927f4041a6190fde7d46b4c0599a7ddeefa172f9dcaf295c360633459
Instruction ID: b3d70faf8e85305eda5fb048e2ddd8504c5efba8267a44e6a1c6acdf7eb32973
Opcode Fuzzy Hash: 77ff8aa927f4041a6190fde7d46b4c0599a7ddeefa172f9dcaf295c360633459
Instruction Fuzzy Hash: 84514139500316DFDB1BEF28D082AFA7BA8EF16310F248455E8929B2C4D7349D46CBA0

Function 0032F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0032F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0032F2BB

Strings

@, xrefs: 0032F2AF

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: a6bcc862bcb100fc9d4a8264d0e8311f06080f4612deba72a1e3444e33931e38
Instruction ID: 07f7a770b77fcdb16c53e67786acb2439ad3c9c58f12d5e483c3a6d244aead2b
Opcode Fuzzy Hash: a6bcc862bcb100fc9d4a8264d0e8311f06080f4612deba72a1e3444e33931e38
Instruction Fuzzy Hash: 5B5164714187449BD321AF10DC86BABBBF8FB89304F81884CF199860A5EB309569CB66

Function 00395745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 003957E0
_wcslen.LIBCMT ref: 003957EC

Strings

CALLARGARRAY, xrefs: 003957E6, 003957EB

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 6bdeeb70b6020d88e625a1f130b5b4bcadbd474fd2702195d2cc4bc09681d7e8
Instruction ID: 27337fd282d5f65fcc735b02bdb500b1ea5bb2dd96770ebf6d3a77f0520599c3
Opcode Fuzzy Hash: 6bdeeb70b6020d88e625a1f130b5b4bcadbd474fd2702195d2cc4bc09681d7e8
Instruction Fuzzy Hash: 1F41BE31A042199FCF16DFA9C8869FEBBF5FF59320F118069E505AB251E7309D81CB90

Function 0038D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0038D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0038D13A

Strings

|, xrefs: 0038D10B

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 26207da17f2e274c997069650287da0d0d932f52a974eac6388a69518d30d2a1
Instruction ID: c1d6c8a6864070db6266beeb77d334b46c8c666571d08303d0f7422b6ef18f9b
Opcode Fuzzy Hash: 26207da17f2e274c997069650287da0d0d932f52a974eac6388a69518d30d2a1
Instruction Fuzzy Hash: 71313071D00209ABCF16EFA4CD85EEE7FB9FF08310F000159F815AA166DB31AA56CB60

Function 003A356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 003A3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 003A365C

Strings

static, xrefs: 003A35BC

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 8b7753e363450f0cd0bb9106cc3922ced62720134e15f86556f1fc15848418e0
Instruction ID: e1d7c2e9c02fb9c17d72b52bad76688da8cba4cbdd7295274d6ed2b8cd238211
Opcode Fuzzy Hash: 8b7753e363450f0cd0bb9106cc3922ced62720134e15f86556f1fc15848418e0
Instruction Fuzzy Hash: 2731BE71510204AEDB16DF68DC80EFB73A9FF8A720F019619F8A597290DA35ED81C760

Function 003A4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 003A461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 003A4634

Strings

', xrefs: 003A458E

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 01a7433e7d03b52cd9f3f79e25233268c23578fb8e3052d094badb027c8fe98c
Instruction ID: 7f208503219c55e4dd94c54c49ababdeeb0d2b323be66e52f7295dcfcd708402
Opcode Fuzzy Hash: 01a7433e7d03b52cd9f3f79e25233268c23578fb8e3052d094badb027c8fe98c
Instruction Fuzzy Hash: E5311974E013099FDB15CF69C990BDABBB9FF8A300F154169E905AB391D7B0A941CF90

Function 003A31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 003A327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003A3287

Strings

Combobox, xrefs: 003A3249

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 77c41cbfe04eb230adca74c6940566de9da4f6b3ae63316d49106baaf13e7457
Instruction ID: 951e4670d100329e1725b65f74e4d6706065387923a613a561c987b07c306800
Opcode Fuzzy Hash: 77c41cbfe04eb230adca74c6940566de9da4f6b3ae63316d49106baaf13e7457
Instruction Fuzzy Hash: 3511B2713002087FEF269F94DC81FFB7B6EEB9A3A4F114525F9189B290D6319D5187A0

Function 003A3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0031600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0031604C
Part of subcall function 0031600E: GetStockObject.GDI32(00000011), ref: 00316060
Part of subcall function 0031600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0031606A

GetWindowRect.USER32(00000000,?), ref: 003A377A
GetSysColor.USER32(00000012), ref: 003A3794

Strings

static, xrefs: 003A3757

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 197e174f8e7e4ce33ff6e0b0bf291653af6bb57c6a777832024f8ce88b02878a
Instruction ID: 3429a2cad4768a2b6dd4a825d93fa9cd8d4b6d2f08259cbc188e021a8e24159a
Opcode Fuzzy Hash: 197e174f8e7e4ce33ff6e0b0bf291653af6bb57c6a777832024f8ce88b02878a
Instruction Fuzzy Hash: 9E113AB2610209AFDF02DFA8CC46EFA7BF8FB0A354F015514F955E2250E735E8519B60

Function 0038CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0038CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0038CDA6

Strings

<local>, xrefs: 0038CD66

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 4ab0d960563262158a80f6071461ad9098b23cc05f342850d1866abbfd848f8a
Instruction ID: 427667ba305089b4e49a94f891015f2113cf8b9bdab1d13457a9e895c07e0b09
Opcode Fuzzy Hash: 4ab0d960563262158a80f6071461ad9098b23cc05f342850d1866abbfd848f8a
Instruction Fuzzy Hash: 2B110271221731BED73A7B668C49EE7BEACEF127A4F00526AB10983080D7709849D7F0

Function 003A3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 003A34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 003A34BA

Strings

edit, xrefs: 003A348F

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: c27140360aa30d0143f8100bf910fd4d004fa3b6530a32d426c16d20cc890c01
Instruction ID: edafe226dec5e061c7d310947f4c8e11431fc2790d19875c37970e5ef6db662a
Opcode Fuzzy Hash: c27140360aa30d0143f8100bf910fd4d004fa3b6530a32d426c16d20cc890c01
Instruction Fuzzy Hash: 23116A71500208ABEB238E65DC84AFB3B6EEB1A374F514324F961971E0C775DC919B60

Function 00376C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00319CB3: _wcslen.LIBCMT ref: 00319CBD

CharUpperBuffW.USER32(?,?,?), ref: 00376CB6
_wcslen.LIBCMT ref: 00376CC2

Strings

STOP, xrefs: 00376CBC, 00376CC1

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 4ddade0cca7793d9ea5a4173e299d7a04e842c6c9a426a554a81519ab6b2f0ee
Instruction ID: 8b160b0f76e45f15da6b2c6460745d74b436e66a401d4ee2c4a44160924e27eb
Opcode Fuzzy Hash: 4ddade0cca7793d9ea5a4173e299d7a04e842c6c9a426a554a81519ab6b2f0ee
Instruction Fuzzy Hash: 86010432610D2B8ACB339FBDDCA29BF33A8EA65710B124535E85696194EB39D940C650

Function 00371CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00319CB3: _wcslen.LIBCMT ref: 00319CBD

Part of subcall function 00373CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00373CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00371D4C

Strings

ListBox, xrefs: 00371D16
ComboBox, xrefs: 00371CEB

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: a78fda800a6376a82015633a316497445240f4c2ffc1dad8b89d262e4edebd11
Instruction ID: 4234606ced299d4de7863691f70df2a4b822610225963a90a59204a3204872cf
Opcode Fuzzy Hash: a78fda800a6376a82015633a316497445240f4c2ffc1dad8b89d262e4edebd11
Instruction Fuzzy Hash: 7401DD726511146BCB2BFBA4CC51EFE7368EB46390B04451BF8665B3D1EA3459089A60

Function 00371BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00319CB3: _wcslen.LIBCMT ref: 00319CBD

Part of subcall function 00373CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00373CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00371C46

Strings

ListBox, xrefs: 00371C10
ComboBox, xrefs: 00371BE5

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: f8487a13fd3b63f4651d0cf3a29cb3f5ec77764bd493d63b7047320585a3e6ec
Instruction ID: fb476c8103eab73dbcc1cbda4aa25f8e9b6c58552037ad4e0a69a83121a3903b
Opcode Fuzzy Hash: f8487a13fd3b63f4651d0cf3a29cb3f5ec77764bd493d63b7047320585a3e6ec
Instruction Fuzzy Hash: 4A01AC7668110566CB1BE7D4C952AFF77AC9B15340F244016E94A6B2C1EA249F0896B1

Function 00371C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00319CB3: _wcslen.LIBCMT ref: 00319CBD

Part of subcall function 00373CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00373CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00371CC8

Strings

ListBox, xrefs: 00371C94
ComboBox, xrefs: 00371C69

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ee889c068454bc7dcfbe320c3ceaeee0770c2e3b8f99069605c7f4a28b06237c
Instruction ID: 1722808a0baa0952adb41e35e87482a299aa82ca3e11e0caecadebd26f3bfb7e
Opcode Fuzzy Hash: ee889c068454bc7dcfbe320c3ceaeee0770c2e3b8f99069605c7f4a28b06237c
Instruction Fuzzy Hash: 2501DB7268011567CB27EBD4CA52BFE73AC9B15340F144016B84677281EA249F08D6B1

Function 0032A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0032A529

Part of subcall function 00319CB3: _wcslen.LIBCMT ref: 00319CBD

Strings

3y6, xrefs: 0032A545, 0032A54D, 0032A552
,%>, xrefs: 0032A509

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%>$3y6
API String ID: 2551934079-3829082738
Opcode ID: 3739f9581d65ad6361b265ee83cc12061b4284390368f0d5ad460fd36fb28238
Instruction ID: 2ba7b675abb9cdc3a8e984e11dfe919c7d251e5d8bf159f3237013d1aecf293b
Opcode Fuzzy Hash: 3739f9581d65ad6361b265ee83cc12061b4284390368f0d5ad460fd36fb28238
Instruction Fuzzy Hash: 36012B32700A7087C51BF769E867BAFB368DB0B710F500555F9425F2C2DE509D418AD7

Function 00371D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00319CB3: _wcslen.LIBCMT ref: 00319CBD

Part of subcall function 00373CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00373CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00371DD3

Strings

ListBox, xrefs: 00371DA0
ComboBox, xrefs: 00371D75

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: cd1efb4c903273917b5c9f9e53b95d1978cafffe274493f6b1f767e857b9328c
Instruction ID: 24c92e0782feb16df3743458c2ab268ec9cc8ffee7f67bd62d2322165ccc50a7
Opcode Fuzzy Hash: cd1efb4c903273917b5c9f9e53b95d1978cafffe274493f6b1f767e857b9328c
Instruction Fuzzy Hash: 31F0CD72B5121566D72BF7A8CC92FFF777CAB06350F040917F866772C1DA645A0886A0

Function 003A8172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,003E3018,003E305C), ref: 003A81BF
CloseHandle.KERNEL32 ref: 003A81D1

Strings

\0>, xrefs: 003A818A

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0>
API String ID: 3712363035-2227185054
Opcode ID: e6c1b246d085cd1d23925d2bb624d14dd4b4d2f383425b455794cad5c7d29460
Instruction ID: 2965a95ed818c26f8ba9616ed938e7ac7113d91c972cbdb21ca6e1a7145b4ea5
Opcode Fuzzy Hash: e6c1b246d085cd1d23925d2bb624d14dd4b4d2f383425b455794cad5c7d29460
Instruction Fuzzy Hash: B0F082F5640350BEE732A761AC89FB73A9CDB05760F000560BB09DB1E2D6798E4083F8

Function 0039747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00397493
_wcslen.LIBCMT ref: 003974B9

Strings

3, 3, 16, 1, xrefs: 00397483

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: a5adc0f1ef93c08817e3edcc807b77aa19f13f3737761e207c577886bc9f7cce
Instruction ID: 9da83bd0f056979c3418e878b09677e3d5ee2a19ae3be2540093711835239315
Opcode Fuzzy Hash: a5adc0f1ef93c08817e3edcc807b77aa19f13f3737761e207c577886bc9f7cce
Instruction Fuzzy Hash: D2E02B06224220109733137BACC5BBF5789CFC9760B14182BF985C62A7EB949D9193A0

Function 00370B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00370B23

Strings

Error allocating memory., xrefs: 00370B1C
AutoIt, xrefs: 00370B17

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: f367c6234421c9fb7c6b7e192425e9eba33f6e659925314253e8f8747784cb1b
Instruction ID: b16d4f131ce59360347b83e655da9cc3e8bfc27fd6daf2888ad16602beea3469
Opcode Fuzzy Hash: f367c6234421c9fb7c6b7e192425e9eba33f6e659925314253e8f8747784cb1b
Instruction Fuzzy Hash: C8E048322543186AD21737947C43FC97A94CF06F61F10446BF758595C38FE2659046A9

Function 00330D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0032F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00330D71,?,?,?,0031100A), ref: 0032F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0031100A), ref: 00330D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0031100A), ref: 00330D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00330D7F

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: d4b767019a4e42309bc62c63a120b32c2ec1342a4978a7cdadb5db27b08fe7b8
Instruction ID: 6253dba442f01b44780c261a7375a589f6d4ddb0c3eff29f22b8fe2f0519022a
Opcode Fuzzy Hash: d4b767019a4e42309bc62c63a120b32c2ec1342a4978a7cdadb5db27b08fe7b8
Instruction Fuzzy Hash: 33E06D742003518FD7369FBCE5947867BE4AB05740F004A2DE482CA651DBB0E4848B91

Function 0032E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0032E3D5

Strings

8%>, xrefs: 0032E3CA
0%>, xrefs: 0032E3B5

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%>$8%>
API String ID: 1385522511-1355131203
Opcode ID: 29c2c72bddf6232b36f452e501d6f6abc273d356e7bc3ae61eb6f7fb8d11a490
Instruction ID: ecfcc0265fb13a1e7d7d8bd42b043ee5daa73f4e0057216649f98e046f181adf
Opcode Fuzzy Hash: 29c2c72bddf6232b36f452e501d6f6abc273d356e7bc3ae61eb6f7fb8d11a490
Instruction Fuzzy Hash: 67E08639414AB4CBC61BD718BAE6E8EB35DAB07321F5113A9E2128F1D5DBB038418655

Function 00383017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0038302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00383044

Strings

aut, xrefs: 00383038

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 0e1dab51d63925e6c53ee5b032d1ccb50fe973f72e1e4b20491ff91e9b4ba5c5
Instruction ID: d74eb22864600d219924ffbc1ec18155b3bcf02c1f9ddbcd09cb7356496c6b2f
Opcode Fuzzy Hash: 0e1dab51d63925e6c53ee5b032d1ccb50fe973f72e1e4b20491ff91e9b4ba5c5
Instruction Fuzzy Hash: 3CD05EB250032867DE20A7A4AD0EFCB3B6CDB05750F0006A2B6A6E2091DBB09984CAD0

Function 0036D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0036D220

Strings

%.3d, xrefs: 0036D22B
X64, xrefs: 0036D2A8

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: efdb73e6acc205b2d66665f26b00c653295bdf4ab694896b9c698268f12fb39a
Instruction ID: 95622d37c0538d05a35365c1cc101003bad9314ae444f29d57f3518035cbd93d
Opcode Fuzzy Hash: efdb73e6acc205b2d66665f26b00c653295bdf4ab694896b9c698268f12fb39a
Instruction Fuzzy Hash: EFD012B1D08118E9CB9296D0DC599B9B37CBB08301F50C862F80691444E724C5086761

Function 003A2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003A232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 003A233F

Part of subcall function 0037E97B: Sleep.KERNELBASE ref: 0037E9F3

Strings

Shell_TrayWnd, xrefs: 003A2325

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 03a787e2563892f3c1fcc57444e98f8ea05388d38daf4bfb97dabc3923b7477b
Instruction ID: 53b95ea4c7b3c3a481b4db9aea1863cf14f17c749c07b5261f6cab41464a2cab
Opcode Fuzzy Hash: 03a787e2563892f3c1fcc57444e98f8ea05388d38daf4bfb97dabc3923b7477b
Instruction Fuzzy Hash: D4D012377A4310B7E675B771EC0FFC6BA189B56B10F005916B759AA1E0C9F4A801CA54

Function 003A2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003A236C
PostMessageW.USER32(00000000), ref: 003A2373

Part of subcall function 0037E97B: Sleep.KERNELBASE ref: 0037E9F3

Strings

Shell_TrayWnd, xrefs: 003A2365

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: b471a5bc69f60ffee3df71523130e273d118c4caacf0a8a5316f4567bbf62a73
Instruction ID: bf6e5d7b9a2dd4ae0aa679c09bb9c0e6ce16832336e4547e1d3cd3881ed64526
Opcode Fuzzy Hash: b471a5bc69f60ffee3df71523130e273d118c4caacf0a8a5316f4567bbf62a73
Instruction Fuzzy Hash: 32D0C9327913107AE666A771AC0FFC6A6189B56B10F005916B755AA1E0C9A4A8018A58

Function 0034BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0034BE93
GetLastError.KERNEL32 ref: 0034BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0034BEFC

Memory Dump Source

Source File: 00000000.00000002.2107360855.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true

Associated: 00000000.00000002.2107337356.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107416474.00000000003D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107457743.00000000003DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107474048.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_310000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 6b681d714f90ae16d88f2310488edf98288e905e57b0c1ab1b9c8480db1fedf4
Instruction ID: 49efda458c4090d6d9aa8f1129e2c750a6f8380e76107b09e8ac80eae53fb7e9
Opcode Fuzzy Hash: 6b681d714f90ae16d88f2310488edf98288e905e57b0c1ab1b9c8480db1fedf4
Instruction Fuzzy Hash: 4A41B434604206AFCF238F65DC44AAAFBE9AF42310F154169F95D9F1A1DB30ED45DB60

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50

Source: global traffic	HTTP traffic detected: GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1Host: youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1Host: www.youtube.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=397232016&timestamp=1727886719816 HTTP/1.1Host: accounts.youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=518=TZk4XzcMrSgPZBmyku2qrETY-TNClrmKeW6HwmUFpBwq13m4Dn1uZsXV5AoQYg2ljyDcw9wh7oyEIJ71wxeag3sstc3SKVCg7aKLutfa5j-9mfY7kqi7DcOvmZPxVewNn9D-QOFScLWo1dYU1WylpCXAGFIvl3fdUqxfuu8ETHH1jsAojw
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=W6tKsDOdPEcbgx8&MD=ZTlbRr74 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=W6tKsDOdPEcbgx8&MD=ZTlbRr74 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files\5715a8b7-d253-44c6-84cc-93a173bad1dd (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

C:\Users\user\Downloads\7aeca451-4856-49d0-bb18-db1e3e273720.tmp

Chrome Cache Entry: 100

Chrome Cache Entry: 101

Chrome Cache Entry: 102

Chrome Cache Entry: 88

Chrome Cache Entry: 89

Chrome Cache Entry: 90

Chrome Cache Entry: 91

Chrome Cache Entry: 92

Chrome Cache Entry: 93

Windows Analysis Report
file.exe

Function 003142DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 003142A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00352BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 0039A67C Relevance: 6.2, APIs: 4, Instructions: 175
processCOMMON

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre