Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1524393
MD5:	6e7b2f176845b35ec3eaa5ea9e302a36
SHA1:	ade7b4177211189302165de166b7bf949acb9073
SHA256:	c242d6a3ae3ae6dde989a2792fbccf96b6a66ad25a62a14bf1099fb6a3e916be
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of debugger detection

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 1764 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 6E7B2F176845B35EC3EAA5EA9E302A36)

taskkill.exe (PID: 6316 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chrome.exe (PID: 2220 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 2248 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=1964,i,7453171693126174931,3170692810608871030,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 7892 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5376 --field-trial-handle=1964,i,7453171693126174931,3170692810608871030,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 7900 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 --field-trial-handle=1964,i,7453171693126174931,3170692810608871030,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 1764	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

String found in binary or memory: _.fq(p)+"/familylink/privacy/notice/embedded?langCountry="+_.fq(p);break;case "PuZJUb":a+="https://www.youtube.com/t/terms?chromeless=1&hl="+_.fq(m);break;case "fxTQxb":a+="https://youtube.com/t/terms?gl="+_.fq(_.oq(c))+"&hl="+_.fq(d)+"&override_hl=1"+(f?"&linkless=1":"");break;case "prAmvd":a+="https://www.google.com/intl/"+_.fq(m)+"/chromebook/termsofservice.html?languageCode="+_.fq(d)+"&regionCode="+_.fq(c);break;case "NfnTze":a+="https://policies.google.com/privacy/google-partners"+(f?"/embedded": equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: accounts.youtube.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com

Source: unknown

HTTP traffic detected: POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveContent-Length: 519sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"Content-Type: application/x-www-form-urlencoded;charset=UTF-8sec-ch-ua-full-version: "117.0.5938.134"sec-ch-ua-platform-version: "10.0.0"X-Goog-AuthUser: 0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*Origin: https://accounts.google.comX-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: chromecache_89.6.dr	String found in binary or memory: https://accounts.google.com
Source: chromecache_89.6.dr	String found in binary or memory: https://accounts.google.com/TOS?loc=
Source: file.exe, 00000000.00000003.2173307942.0000000001033000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2173845229.0000000001035000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2173204404.0000000001033000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd
Source: chromecache_91.6.dr	String found in binary or memory: https://apis.google.com/js/api.js
Source: chromecache_89.6.dr	String found in binary or memory: https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage
Source: chromecache_89.6.dr	String found in binary or memory: https://families.google.com/intl/
Source: chromecache_91.6.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/drive_2020q4/v10/192px.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/gmail_2020q4/v10/web-48dp/logo_gmail_2020q4_color_2x_web_
Source: chromecache_91.6.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/maps/v7/192px.svg
Source: chromecache_89.6.dr	String found in binary or memory: https://g.co/recover
Source: chromecache_89.6.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_89.6.dr	String found in binary or memory: https://play.google.com/work/enroll?identifier=
Source: chromecache_89.6.dr	String found in binary or memory: https://play.google/intl/
Source: chromecache_89.6.dr	String found in binary or memory: https://policies.google.com/privacy
Source: chromecache_89.6.dr	String found in binary or memory: https://policies.google.com/privacy/additional
Source: chromecache_89.6.dr	String found in binary or memory: https://policies.google.com/privacy/google-partners
Source: chromecache_89.6.dr	String found in binary or memory: https://policies.google.com/technologies/cookies
Source: chromecache_89.6.dr	String found in binary or memory: https://policies.google.com/technologies/location-data
Source: chromecache_89.6.dr	String found in binary or memory: https://policies.google.com/terms
Source: chromecache_89.6.dr	String found in binary or memory: https://policies.google.com/terms/location
Source: chromecache_89.6.dr	String found in binary or memory: https://policies.google.com/terms/service-specific
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-email-pin.gif
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-password.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-or-voice-pin.gif
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-pin.gif
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-stop-go-landing-page_1x.png
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/animation/
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_device.png
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_pin.png
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync.png
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_1x.png
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_2x.png
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_darkmode_1x.png
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/continue_on_your_phone.png
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_phone_number_verification.png
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_silent_tap_yes_darkmode.gif
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes.gif
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes_darkmode.gif
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success_darkmode.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_dark_v2.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated_darkmode.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_v2.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_not_ready.png
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_1.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_dark_1.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_1.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_darkmode_1.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_1.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_darkmode_1.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_created.png
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device_darkmode.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_full_house.png
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_1.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_darkmode_1.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision_darkmode.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_1.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_darkmode_1.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_1.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_darkmode_1.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device_darkmode.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_stop.png
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/personalization_reminders.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/phone_number_sign_in_2x.png
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop_darkmode.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key.gif
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_ios_center.png
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_laptop.gif
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered.gif
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered_darkmode.gif
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_phone.gif
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_ios.gif
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_pulldown.gif
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_tapyes.gif
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/smart_lock_2x.png
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/usb_key.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/web_and_app_activity.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/who_will_be_using_this_device.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/you_tube_history.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available_dark.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/gmail_ios_authzen.gif
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/paaskey.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge_darkmode.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_darkmode.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device_darkmode.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_darkmode.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error_darkmode.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth_darkmode.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success_darkmode.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror_darkmode.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_dark.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_light.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/screenlock.png
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_ipad.gif
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone.gif
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_nfc.gif
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_usb.gif
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_phone.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_keys.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2_darkmode.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/loading_spinner_gm.gif
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/progress_spinner_color_20dp_4x.gif
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/accounts/ui/success-gm-default_2x.png
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/apps/signup/resources/custom-email-address.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/images/hpp/shield_security_checkup_green_2x_web_96dp.png
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_dark_1.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_v1.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_dark_v1.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_v1.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_dark_v1.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_v1.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked_dark.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp_dark.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents_dark.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset_dark.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices_darkmode.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid_dark.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail_dark.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps_darkmode.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_confirmation.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore_dark.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro_darkmode.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18_darkmode.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms_dark.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings_darkmode.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search_darkmode.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18_darkmode.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18_darkmode.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18_darkmode.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_darkmode.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad_dark.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_0.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_dark_0.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization_darkmode.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation_darkmode.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error_darkmode.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork_darkmode.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro_darkmode.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results_darkmode.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search_darkmode.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications_dark.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_2.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_dark_2.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_2.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_dark_2.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_2.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_dark_2.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_2.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_dark_2.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_2.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_dark_3.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_1.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_dark_1.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_1.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_dark_1.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_2.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_dark_2.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_1.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_dark_1.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_2.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_dark_2.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_dark_v2.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_v2.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set_dark.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent_dark.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction_dark.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error_dark.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work_dark.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps_dark.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls_dark.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent_dark.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen_dark.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice_darkmode.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation_dark.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation_dark.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email_dark.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set_darkmode.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set_dark.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_dark.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_v2.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2_dark.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2_dark.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink_dark.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling_dark.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_dark_v2.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_v2.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2_dark.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup_dark.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2_dark.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2_dark.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2_dark.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help_dark.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space.png
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space_dark.png
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol_dark.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation_dark.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits_dark.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2_dark.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess.svg
Source: chromecache_91.6.dr	String found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess_dark.svg
Source: chromecache_89.6.dr	String found in binary or memory: https://support.google.com/accounts?hl=
Source: chromecache_89.6.dr	String found in binary or memory: https://support.google.com/accounts?p=new-si-ui
Source: chromecache_89.6.dr	String found in binary or memory: https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072
Source: chromecache_91.6.dr	String found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
Source: chromecache_89.6.dr	String found in binary or memory: https://www.google.com
Source: chromecache_89.6.dr	String found in binary or memory: https://www.google.com/intl/
Source: chromecache_91.6.dr	String found in binary or memory: https://www.gstatic.com/accounts/speedbump/authzen_optin_illustration.gif
Source: chromecache_91.6.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/chrome_48dp.png
Source: chromecache_91.6.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/googleg_48dp.png
Source: chromecache_91.6.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/gsa_48dp.png
Source: chromecache_91.6.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/play_prism_48dp.png
Source: chromecache_91.6.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/2x/youtube_48dp.png
Source: chromecache_89.6.dr	String found in binary or memory: https://www.gstatic.com/images/branding/productlogos/googleg/v6/36px.svg
Source: chromecache_89.6.dr	String found in binary or memory: https://www.youtube.com/t/terms?chromeless=1&hl=
Source: file.exe, 00000000.00000003.2173307942.0000000001033000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2173845229.0000000001035000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2173204404.0000000001033000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accoun
Source: file.exe, 00000000.00000002.2173765530.0000000001008000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdCw
Source: chromecache_89.6.dr	String found in binary or memory: https://youtube.com/t/terms?gl=

Source: unknown	Network traffic detected: HTTP traffic on port 50575 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50636 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50613
Source: unknown	Network traffic detected: HTTP traffic on port 50581 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50575
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50574
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50610
Source: unknown	Network traffic detected: HTTP traffic on port 50613 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50626 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50622 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50623
Source: unknown	Network traffic detected: HTTP traffic on port 50635 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50610 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50622
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50625
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50624
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50627
Source: unknown	Network traffic detected: HTTP traffic on port 50574 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50626
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50629
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50582
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50581
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50586
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50621
Source: unknown	Network traffic detected: HTTP traffic on port 50631 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50600 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50629 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50625 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50604 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50621 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50609 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50633
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50636
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50635
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50638
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50637
Source: unknown	Network traffic detected: HTTP traffic on port 50638 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50630
Source: unknown	Network traffic detected: HTTP traffic on port 50630 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50631
Source: unknown	Network traffic detected: HTTP traffic on port 50586 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50582 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50624 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50600
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50602
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50637 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50604
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50606
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50562
Source: unknown	Network traffic detected: HTTP traffic on port 50633 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50623 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50562 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50609
Source: unknown	Network traffic detected: HTTP traffic on port 50627 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50602 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50606 -> 443

Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:50574 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:50582 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:50586 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:50602 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.6:50613 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:50622 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:50626 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.6:50627 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:50630 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:50635 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:50638 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0086EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0086EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0086ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0086ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0086EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0085AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0085AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00889576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00889576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.2113585817.00000000008B2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d5956902-7
Source: file.exe, 00000000.00000000.2113585817.00000000008B2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_85453b45-c
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_7a8ceed1-0
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_e4641522-e

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0085D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0085D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00851201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00851201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0085E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0085E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007FCAF0	0_2_007FCAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007F8060	0_2_007F8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00862046	0_2_00862046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00858298	0_2_00858298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0082E4FF	0_2_0082E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0082676B	0_2_0082676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00884873	0_2_00884873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0081CAA0	0_2_0081CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0080CC39	0_2_0080CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00826DD9	0_2_00826DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0080B119	0_2_0080B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007F91C0	0_2_007F91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00811394	0_2_00811394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0081781B	0_2_0081781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007F7920	0_2_007F7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0080997D	0_2_0080997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00817A4A	0_2_00817A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00817CA7	0_2_00817CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00829EEE	0_2_00829EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0087BE44	0_2_0087BE44

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00810A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0080F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 007F9CB3 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal76.troj.evad.winEXE@38/30@12/9

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008637B5 GetLastError,FormatMessageW,

0_2_008637B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008510BF AdjustTokenPrivileges,CloseHandle,		0_2_008510BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008516C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_008516C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008651CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_008651CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0087A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0087A67C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0086648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0086648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007F42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_007F42A2

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6336:120:WilError_03

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 15%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=1964,i,7453171693126174931,3170692810608871030,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5376 --field-trial-handle=1964,i,7453171693126174931,3170692810608871030,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 --field-trial-handle=1964,i,7453171693126174931,3170692810608871030,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=1964,i,7453171693126174931,3170692810608871030,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5376 --field-trial-handle=1964,i,7453171693126174931,3170692810608871030,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 --field-trial-handle=1964,i,7453171693126174931,3170692810608871030,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007F42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00810A76 push ecx; ret

0_2_00810A89

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0080F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0080F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00881C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00881C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96811

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.7 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0085DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0085DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0082C2A2 FindFirstFileExW,	0_2_0082C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008668EE FindFirstFileW,FindClose,	0_2_008668EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0086698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0086698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0085D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0085D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0085D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0085D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00869642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00869642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0086979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0086979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00869B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00869B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00865C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00865C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007F42DE

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\file.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_0-96586

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0086EAA2 BlockInput,

0_2_0086EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00822622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00822622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007F42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00814CE8 mov eax, dword ptr fs:[00000030h]

0_2_00814CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00850B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00850B62

Source: C:\Windows\SysWOW64\taskkill.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00822622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00822622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0081083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0081083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008109D5 SetUnhandledExceptionFilter,	0_2_008109D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00810C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00810C21

Source: C:\Users\user\Desktop\file.exe

0_2_00851201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00832BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00832BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0080F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_0080F98E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008722DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_008722DA

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00850B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00851663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00851663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00810698 cpuid

0_2_00810698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00868195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00868195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0084D27A GetUserNameW,

0_2_0084D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0082B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0082B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007F42DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 1764, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 1764, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00871204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00871204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00871806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00871806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Process Injection	2 Valid Accounts	LSA Secrets	22 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Virtualization/Sandbox Evasion	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	16%	ReversingLabs
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://play.google/intl/	0%	URL Reputation	safe
https://families.google.com/intl/	0%	URL Reputation	safe
https://policies.google.com/technologies/location-data	0%	URL Reputation	safe
https://apis.google.com/js/api.js	0%	URL Reputation	safe
https://policies.google.com/privacy/google-partners	0%	URL Reputation	safe
https://policies.google.com/terms/service-specific	0%	URL Reputation	safe
https://g.co/recover	0%	URL Reputation	safe
https://policies.google.com/privacy/additional	0%	URL Reputation	safe
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	0%	URL Reputation	safe
https://policies.google.com/technologies/cookies	0%	URL Reputation	safe
https://policies.google.com/terms	0%	URL Reputation	safe
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	0%	URL Reputation	safe
https://support.google.com/accounts?hl=	0%	URL Reputation	safe
https://policies.google.com/terms/location	0%	URL Reputation	safe
https://policies.google.com/privacy	0%	URL Reputation	safe
https://support.google.com/accounts?p=new-si-ui	0%	URL Reputation	safe
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
youtube-ui.l.google.com	142.250.185.142	true	false	unknown
www3.l.google.com	142.250.185.206	true	false	unknown
play.google.com	142.250.185.110	true	false	unknown
www.google.com	142.250.185.132	true	false	unknown
youtube.com	142.250.181.238	true	false	unknown
accounts.youtube.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Reputation
https://play.google.com/log?format=json&hasfast=true&authuser=0	false	unknown
https://www.google.com/favicon.ico	false	unknown
https://play.google.com/log?hasfast=true&authuser=0&format=json	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google/intl/	chromecache_89.6.dr	false	URL Reputation: safe	unknown
https://families.google.com/intl/	chromecache_89.6.dr	false	URL Reputation: safe	unknown
https://youtube.com/t/terms?gl=	chromecache_89.6.dr	false		unknown
https://policies.google.com/technologies/location-data	chromecache_89.6.dr	false	URL Reputation: safe	unknown
https://www.google.com/intl/	chromecache_89.6.dr	false		unknown
https://youtube.com/account?=https://accoun	file.exe, 00000000.00000003.2173307942.0000000001033000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2173845229.0000000001035000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2173204404.0000000001033000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://apis.google.com/js/api.js	chromecache_91.6.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/google-partners	chromecache_89.6.dr	false	URL Reputation: safe	unknown
https://play.google.com/work/enroll?identifier=	chromecache_89.6.dr	false		unknown
https://policies.google.com/terms/service-specific	chromecache_89.6.dr	false	URL Reputation: safe	unknown
https://g.co/recover	chromecache_89.6.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy/additional	chromecache_89.6.dr	false	URL Reputation: safe	unknown
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072	chromecache_89.6.dr	false	URL Reputation: safe	unknown
https://policies.google.com/technologies/cookies	chromecache_89.6.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms	chromecache_89.6.dr	false	URL Reputation: safe	unknown
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	chromecache_91.6.dr	false	URL Reputation: safe	unknown
https://www.google.com	chromecache_89.6.dr	false		unknown
https://play.google.com/log?format=json&hasfast=true	chromecache_89.6.dr	false		unknown
https://www.youtube.com/t/terms?chromeless=1&hl=	chromecache_89.6.dr	false		unknown
https://support.google.com/accounts?hl=	chromecache_89.6.dr	false	URL Reputation: safe	unknown
https://policies.google.com/terms/location	chromecache_89.6.dr	false	URL Reputation: safe	unknown
https://policies.google.com/privacy	chromecache_89.6.dr	false	URL Reputation: safe	unknown
https://support.google.com/accounts?p=new-si-ui	chromecache_89.6.dr	false	URL Reputation: safe	unknown
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage	chromecache_89.6.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.185.206	www3.l.google.com	United States	15169	GOOGLEUS	false
142.250.185.132	www.google.com	United States	15169	GOOGLEUS	false
142.250.185.110	play.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.185.142	youtube-ui.l.google.com	United States	15169	GOOGLEUS	false
216.58.212.174	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.6
192.168.2.13
192.168.2.23

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1524393
Start date and time:	2024-10-02 18:36:25 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal76.troj.evad.winEXE@38/30@12/9
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 45 Number of non-executed functions: 304
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.186.67, 172.217.16.142, 74.125.71.84, 34.104.35.123, 142.250.185.106, 216.58.206.42, 142.250.185.234, 142.250.184.202, 142.250.186.138, 142.250.186.170, 142.250.185.74, 142.250.184.234, 172.217.23.106, 172.217.18.106, 142.250.181.234, 216.58.206.74, 142.250.185.202, 142.250.185.170, 142.250.185.138, 216.58.212.138, 142.250.185.227, 142.250.186.35, 142.250.186.106, 216.58.212.170, 142.250.186.42, 172.217.16.138, 142.250.74.202, 172.217.18.10, 192.229.221.95, 93.184.221.240, 142.250.185.131, 64.233.167.84, 142.250.181.238
Excluded domains from analysis (whitelisted): clients1.google.com, client.wns.windows.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, slscr.update.microsoft.com, fonts.gstatic.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com, www.gstatic.com, optimizationguide-pa.googleapis.com
Not all processes where analyzed, report is missing behavior information
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	27987136e29b3032ad40982c8b7c2e168112c9601e08da806119dcba615524b5.html	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	https://tqaun.us12.list-manage.com/track/click?u=fb0a5f04fa3c936488ff652c3&id=d22699c399&e=ce0a629e2e	Get hash	malicious	HTMLPhisher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context

ASNs

⊘No context

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	27987136e29b3032ad40982c8b7c2e168112c9601e08da806119dcba615524b5.html	Get hash	malicious	Unknown	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	New_Statement-8723107.js	Get hash	malicious	Unknown	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
	New_Statement-8723107.js	Get hash	malicious	Unknown	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	184.28.90.27 20.114.59.183
3b5074b1b5d032e5620f69f9f700ff0e	PO-A1702108.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	40.113.110.67 40.113.103.199
	file.exe	Get hash	malicious	Credential Flusher	Browse	40.113.110.67 40.113.103.199
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	40.113.110.67 40.113.103.199
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	40.113.110.67 40.113.103.199
	file.exe	Get hash	malicious	Credential Flusher	Browse	40.113.110.67 40.113.103.199
	inquiry_qoutation_Europe_Hydraulic Partner, LLC_7638628279_uue.exe	Get hash	malicious	AgentTesla	Browse	40.113.110.67 40.113.103.199
	doc_20241002_383767466374663543.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	40.113.110.67 40.113.103.199
	All#att098764576.exe	Get hash	malicious	Snake Keylogger	Browse	40.113.110.67 40.113.103.199
	file.exe	Get hash	malicious	Credential Flusher	Browse	40.113.110.67 40.113.103.199
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	40.113.110.67 40.113.103.199

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (2907)
Category:	downloaded
Size (bytes):	22833
Entropy (8bit):	5.425034548615223
Encrypted:	false
SSDEEP:	384:7lFo6ZEdpgtmyiPixV9OX9gMBpHkHnfst9lZulagGcwYHiRFjJzN7:77o6ZviPixV8xpEHn89l4IgGcwYCRtb7
MD5:	749B18538FE32BFE0815D75F899F5B21
SHA1:	AF95A019211AF69F752A43CAA54A83C2AFD41D28
SHA-256:	116B2687C1D5E00DB56A79894AB0C12D4E2E000B9379B7E7AD751B84DF611F3F
SHA-512:	E4B6F4556AA0FD9979BB52681508F5E26FFB256473803F74F7F5C8D93FA3636D7D0A5835618FBC6123022805CE0D9616A7451A0F302C665E28A6090B5D588505
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBmmEQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGQQHgW7tBOmtnjDazpfe3i36ZJmg/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=RqjULd"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.uu.prototype.da=_.ca(40,function(){return _.rj(this,3)});_.$y=function(a,b){this.key=a;this.defaultValue=!1;this.flagName=b};_.$y.prototype.ctor=function(a){return typeof a==="boolean"?a:this.defaultValue};_.az=function(){this.ka=!0;var a=_.vj(_.dk(_.Be("TSDtV",window),_.zya),_.uu,1,_.qj())[0];if(a){var b={};for(var c=_.n(_.vj(a,_.Aya,2,_.qj())),d=c.next();!d.done;d=c.next()){d=d.value;var e=_.Jj(d,1).toString();switch(_.tj(d,_.vu)){case 3:b[e]=_.Hj(d,_.lj(d,_.vu,3));break;case 2:b[e]=_.Jj(d,_.lj(d,_.vu,2));break;case 4:b[e]=_.Kj(d,_.lj(d,_.vu,4));break;case 5:b[e]=_.Lj(d,_.lj(d,_.vu,5));break;case 6:b[e]=_.Pj(d,_.ff,6,_.vu);break;default:throw Error("jd`"+_.tj(d,_.vu));}}}else b={};this.ea=b;this.token=.a?a.da():null};_.az.prototype.aa=function(a){if(!this.ka\|\|a.key in this.ea)a=a.ctor(this.ea[a.key]);else if(_.Be("nQyAE",window)){var b=_.Cya(a.flagName);if(b===null)a=a.de

Chrome Cache Entry: 84

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	downloaded
Size (bytes):	5430
Entropy (8bit):	3.6534652184263736
Encrypted:	false
SSDEEP:	48:wIJct3xIAxG/7nvWDtZcdYLtX7B6QXL3aqG8Q:wIJct+A47v+rcqlBPG9B
MD5:	F3418A443E7D841097C714D69EC4BCB8
SHA1:	49263695F6B0CDD72F45CF1B775E660FDC36C606
SHA-256:	6DA5620880159634213E197FAFCA1DDE0272153BE3E4590818533FAB8D040770
SHA-512:	82D017C4B7EC8E0C46E8B75DA0CA6A52FD8BCE7FCF4E556CBDF16B49FC81BE9953FE7E25A05F63ECD41C7272E8BB0A9FD9AEDF0AC06CB6032330B096B3702563
Malicious:	false
Reputation:	high, very likely benign file
URL:	https://www.google.com/favicon.ico
Preview:	............ .h...&... .... .........(....... ..... ............................................0...................................................................................................................................v.].X.:.X.:.r.Y........................................q.X.S.4.S.4.S.4.S.4.S.4.S.4...X....................0........q.W.S.4.X.:.................J...A...g.........................K.H.V.8..........................F..B.....................,.......................................B..............................................B..B..B..B..B...u..........................................B..B..B..B..B...{.................5.......k...........................................................7R..8F.................................................2........Vb..5C..;I..................R^.....................0................Xc..5C..5C..5C..5C..5C..5C..lv..........................................]i..<J..:G..Zf....................................................

Chrome Cache Entry: 85

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (570)
Category:	downloaded
Size (bytes):	3467
Entropy (8bit):	5.514745431912774
Encrypted:	false
SSDEEP:	96:ozbld2fNUmeqJNizhNtt1W8t//loyIpXmdVE2w:onSKE8PWe/Cy4X3j
MD5:	8DEF399E8355ABC23E64505281005099
SHA1:	24FF74C3AEFD7696D84FF148465DF4B1B60B1696
SHA-256:	F128D7218E1286B05DF11310AD3C8F4CF781402698E45448850D2A3A22F5F185
SHA-512:	33721DD47658D8E12ADF6BD9E9316EB89F5B6297927F7FD60F954E04B829DCBF0E1AE6DDD9A3401F45E0011AE4B1397B960C218238A3D0F633A2173D8E604082
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBmmEQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,wg1P6b,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGQQHgW7tBOmtnjDazpfe3i36ZJmg/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=Wt6vjf,hhhU8,FCpbqb,WhJNk"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("Wt6vjf");.var cya=function(){var a=_.He();return _.Lj(a,1)},Yt=function(a){this.Da=_.t(a,0,Yt.messageId)};_.J(Yt,_.w);Yt.prototype.Ha=function(){return _.Dj(this,1)};Yt.prototype.Va=function(a){return _.Vj(this,1,a)};Yt.messageId="f.bo";var Zt=function(){_.hm.call(this)};_.J(Zt,_.hm);Zt.prototype.xd=function(){this.CT=!1;dya(this);_.hm.prototype.xd.call(this)};Zt.prototype.aa=function(){eya(this);if(this.wC)return fya(this),!1;if(!this.KV)return $t(this),!0;this.dispatchEvent("p");if(!this.zP)return $t(this),!0;this.wM?(this.dispatchEvent("r"),$t(this)):fya(this);return!1};.var gya=function(a){var b=new _.ap(a.W4);a.qQ!=null&&_.Jn(b,"authuser",a.qQ);return b},fya=function(a){a.wC=!0;var b=gya(a),c="rt=r&f_uid="+_.pk(a.zP);_.cn(b,(0,_.bg)(a.ea,a),"POST",c)};.Zt.prototype.ea=function(a){a=a.target;eya(this);if(_.fn(a)){this.cK=0;if(this.wM)this.wC=!1,this.dispatchEvent("r"

Chrome Cache Entry: 86

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (533)
Category:	downloaded
Size (bytes):	9211
Entropy (8bit):	5.404576987807738
Encrypted:	false
SSDEEP:	192:EEFZpeip4XzZlY0If0Ma23jcUcrhCx6VD1TYPi8:Es/p4zgjUhtD1TY68
MD5:	DDB7A6000CAE431588EBA40D851CFBC8
SHA1:	D2A2BDCB87EF6C883309AE38029F8CC20C0FE296
SHA-256:	0FA743E465C9D47E33DF7815C64881A36F971D1DD31AC48ABBBD407A5AE03204
SHA-512:	5519F2B7DC44BC846D5CE39F6B28233CE6BD218873386DC70291F7629FCFF2D5D5F87C5DEFC923198542C54A23DBF92F2095BE951906D552E0D29B48DF8DA535
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBmmEQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PrPYRd,Rkm0ef,SCuOPb,STuCOe,SpsfSb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,byfTOb,cYShmd,eVCnO,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,qPfo0c,qmdT9,rCcCxc,siKnQd,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGQQHgW7tBOmtnjDazpfe3i36ZJmg/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ltDFwf,SD8Jgb,rmumx,E87wgc,qPYxq,Tbb4sb,pxq3x,f8Gu1e,soHxf,YgOFye,yRXbo,bTi8wc,ywOR5c,PHUIyb"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.qNa=_.y("SD8Jgb",[]);._.GX=function(a,b){if(typeof b==="string")a.Lc(b);else if(b instanceof _.Fp&&b.ia&&b.ia===_.A)b=_.Ya(b.Lw()),a.empty().append(b);else if(b instanceof _.Ua)b=_.Ya(b),a.empty().append(b);else if(b instanceof Node)a.empty().append(b);else throw Error("Vf");};_.HX=function(a){var b=_.Io(a,"[jsslot]");if(b.size()>0)return b;b=new _.Go([_.Kk("span")]);_.Jo(b,"jsslot","");a.empty().append(b);return b};_.NLb=function(a){return a===null\|\|typeof a==="string"&&_.Hi(a)};._.k("SD8Jgb");._.MX=function(a){_.X.call(this,a.Fa);this.Ua=a.controller.Ua;this.od=a.controllers.od[0]\|\|null;this.header=a.controller.header;this.nav=a.controller.nav;var b;(b=this.oa().find("button:not([type])").el())==null\|\|b.setAttribute("type","button")};_.J(_.MX,_.X);_.MX.Ba=function(){return{controller:{Ua:{jsname:"n7vHCb",ctor:_.mv},header:{jsname:"tJHJj",ctor:_.mv},nav:{jsname:"DH6Rkf",ct

Chrome Cache Entry: 87

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 52280, version 1.0
Category:	downloaded
Size (bytes):	52280
Entropy (8bit):	7.995413196679271
Encrypted:	true
SSDEEP:	1536:1rvqtK8DZilXxwJ8mMwAZy7phqsFLdG3B4d:xytBZits8bw4wzbFxG3B4d
MD5:	F61F0D4D0F968D5BBA39A84C76277E1A
SHA1:	AA3693EA140ECA418B4B2A30F6A68F6F43B4BEB2
SHA-256:	57147F08949ABABE7DEEF611435AE418475A693E3823769A25C2A39B6EAD9CCC
SHA-512:	6C3BD90F709BCF9151C9ED9FFEA55C4F6883E7FDA2A4E26BF018C83FE1CFBE4F4AA0DB080D6D024070D53B2257472C399C8AC44EEFD38B9445640EFA85D5C487
Malicious:	false
URL:	https://fonts.gstatic.com/s/googlesans/v58/4UaRrENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iq2vgCI.woff2
Preview:	wOF2.......8.....................................^...$..4?HVAR..?MVAR9.`?STAT.',..J/.......`..(..Z.0..R.6.$.... .....K..[..q..c..T.....>.P.j.`.w..#...%......N.".....$..3.0.6......... .L.rX/r[j.y.\|(.4.%#.....2.v.m..-..%.....;-.Y.{..&..O=#l@...k..7g..ZI...#.Z./+T..r7...M..3).Z%.x....s..sL..[A!.51w'/.8V..2Z..%.X.h.o.).]..9..Q`.$.....7..kZ.~O........d..g.n.d.Rw+&....Cz..uy#..fz,(.J....v.%..`..9.....h...?O..:...c%.....6s....xl..#...5..._......1.>.)"U.4 W....?%......6//!$...!.n9C@n...........!""^.....W..Z<.7.x.."UT.T....E.."R>.R..t.....H d..e_.K../.+8.Q.P.ZQ....;...U....]......._.e......71.?.7.ORv.?...l...G\|.P...\|:...I.X..2.,.L........d.g.]}W#uW]QnuP-s.;.-Y.....].......C..j_.M0...y.......J..........NY..@A...,....-.F......'..w./j5g.vUS...U..0.&...y7.LP.....%.....Y......Y..D. e.A..G.?.$.......6...eaK.n5.m...N...,...+BCl..L> .E9~.b[.w.x....6<...}.e...%V....O.......*.?...a..#[eE.4..p..$...].....%......o._......N.._~..El....b..A.0.r8.....\|..D.d..

Chrome Cache Entry: 88

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (1694)
Category:	downloaded
Size (bytes):	32500
Entropy (8bit):	5.378903546681047
Encrypted:	false
SSDEEP:	768:zYlbuROstb0e39nKGrkysU0smpu4OLOdzIf1p/5GeSsngurz6aKEEEGo/:zYl61Cysbu4OLOdzIfrIen72ZFo/
MD5:	BF4BF9728A7C302FBA5B14F3D0F1878B
SHA1:	2607CA7A93710D629400077FF3602CB207E6F53D
SHA-256:	8981E7B228DF7D6A8797C0CD1E9B0F1F88337D5F0E1C27A04E7A57D2C4309798
SHA-512:	AC9E170FC3AFDC0CF6BB8E926B93EF129A5FAD1BBA51B60BABCF3555E9B652E98F86A00FB099879DED35DD3FFE72ECFA597E20E6CA8CF402BEDEC40F78412EDA
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBmmEQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=_b,_tp/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGQQHgW7tBOmtnjDazpfe3i36ZJmg/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=byfTOb,lsjVmc,LEikZe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{.var Aua=function(a,b){this.da=a;this.ea=b;if(!c){var c=new _.ap("//www.google.com/images/cleardot.gif");_.op(c)}this.ka=c};_.h=Aua.prototype;_.h.Zc=null;_.h.lZ=1E4;_.h.bA=!1;_.h.nQ=0;_.h.zJ=null;_.h.bV=null;_.h.setTimeout=function(a){this.lZ=a};_.h.start=function(){if(this.bA)throw Error("dc");this.bA=!0;this.nQ=0;Bua(this)};_.h.stop=function(){Cua(this);this.bA=!1};.var Bua=function(a){a.nQ++;navigator!==null&&"onLine"in navigator&&!navigator.onLine?_.km((0,_.bg)(a.aH,a,!1),0):(a.aa=new Image,a.aa.onload=(0,_.bg)(a.Fja,a),a.aa.onerror=(0,_.bg)(a.Eja,a),a.aa.onabort=(0,_.bg)(a.Dja,a),a.zJ=_.km(a.Gja,a.lZ,a),a.aa.src=String(a.ka))};_.h=Aua.prototype;_.h.Fja=function(){this.aH(!0)};_.h.Eja=function(){this.aH(!1)};_.h.Dja=function(){this.aH(!1)};_.h.Gja=function(){this.aH(!1)};._.h.aH=function(a){Cua(this);a?(this.bA=!1,this.da.call(this.ea,!0)):this.nQ<=0?Bua(this):(this.bA=!1,

Chrome Cache Entry: 89

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (5693)
Category:	downloaded
Size (bytes):	698316
Entropy (8bit):	5.595128344807249
Encrypted:	false
SSDEEP:	6144:TJvaKtQfcxene0F2HhPM8RGYcBlKmd5r6XISxSlSlncOpYMSrBg5X3O4mAEFD7:TJyKtkIct842ISx3J09
MD5:	AEBB4A3D10CE5EAA58A229DDF0DCF48F
SHA1:	C46965F1090D5ACC3696878642A7360B57276640
SHA-256:	922BD9D4EE118B22E3BACE6267C12CD2D00C95E72390DA41A09CAF89BFBB0943
SHA-512:	F3D19E42085AA10E6A87B89EC8607C2126C2F283260986E929FC92B08B493DA50C723E4E5EB73610ABA515703252A50F52F45C5B32DF564ACCAE5434FCFE784F
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBmmEQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=LEikZe,_b,_tp,byfTOb,lsjVmc/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGQQHgW7tBOmtnjDazpfe3i36ZJmg/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=n73qwf,SCuOPb,IZT63,vfuNJf,UUJqVe,ws9Tlc,siKnQd,XVq9Qb,STuCOe,njlZCf,m9oV,vjKJJ,y5vRwf,iyZMqd,NTMZac,mzzZzc,rCcCxc,vvMGie,K1ZKnb,ziZ8Mc,b3kMqb,mvkUhe,CMcBD,Fndnac,t2srLd,EN3i8d,z0u0L,xiZRqc,NOeYWe,O6y8ed,L9OGUe,PrPYRd,MpJwZc,qPfo0c,cYShmd,hc6Ubd,Rkm0ef,KUM7Z,oLggrd,inNHtf,L1AAkb,WpP9Yc,lwddkf,gJzDyc,SpsfSb,aC1iue,tUnxGc,aW3pY,ZakeSe,EFQ78c,xQtZb,I6YDgd,zbML3c,zr1jrb,vHEMJe,YHI3We,YTxL4,bSspM,Uas9Hd,zy0vNb,K0PMbc,AvtSve,qmdT9,MY7mZe,xBaz7b,GwYlN,eVCnO,EIOG1e,LDQI"
Preview:	"use strict";_F_installCss(".r4WGQb{position:relative}.Dl08I>:first-child{margin-top:0}.Dl08I>:last-child{margin-bottom:0}.IzwVE{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-family:\"Google Sans\",roboto,\"Noto Sans Myanmar UI\",arial,sans-serif;font-size:1.25rem;font-weight:400;letter-spacing:0rem;line-height:1.2}.l5PPKe{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-size:1rem}.l5PPKe .dMNVAe{margin:0;padding:0}.l5PPKe>:first-child{margin-top:0;padding-top:0}.l5PPKe>:last-child{margin-bottom:0;padding-bottom:0}.Dl08I{margin:0;padding:0;position:relative}.Dl08I>.SmR8:only-child{padding-top:1px}.Dl08I>.SmR8:only-child::before{top:0}.Dl08I>.SmR8:not(first-child){padding-bottom:1px}.Dl08I>.SmR8::after{bottom:0}.Dl08I>.SmR8:only-child::before,.Dl08I>.SmR8::after{border-bottom:1px solid #c4c7c5;border-bottom:1px solid var(--gm3-sys-color-outline-variant,#c4c7c5);content:\"\";height:0;left:0;position:absolute;width:100%}.aZvCDf{margin-top:8px;margin-left

Chrome Cache Entry: 90

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (755)
Category:	downloaded
Size (bytes):	1460
Entropy (8bit):	5.291808298251231
Encrypted:	false
SSDEEP:	24:kMYD7DuZvuhqCsNRxoYTY9/qoVk7hz1l2p6vDMW94uEQOeGbCx4VGbgCSFBV87OU:o7DuZWhv6oy12kvwKEeGbC6GbHSh/Hrw
MD5:	4CA7ADFE744A690411EA4D3EA8DB9E4B
SHA1:	2CF1777A199E25378D330DA68BED1871B5C5BC32
SHA-256:	128129BA736B3094323499B0498A5B3A909C1529717461C34B70080A5B1603BD
SHA-512:	8BD3477AF41D1F0FE74AFFCB177BEC0F5F4FDCBBA6BD29D9C2567E6FFDEF5DEB7FF74BF348F33209C39D7BB4958E748DF6731D3DC8F6947352276BC92EAF9E79
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBmmEQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGQQHgW7tBOmtnjDazpfe3i36ZJmg/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=P6sQOc"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("lOO0Vd");._.VZa=new _.pf(_.Am);._.l();._.k("P6sQOc");.var $Za=!!(_.Kh[1]&16);var b_a=function(a,b,c,d,e){this.ea=a;this.wa=b;this.ka=c;this.Ca=d;this.Ga=e;this.aa=0;this.da=a_a(this)},c_a=function(a){var b={};_.La(a.yS(),function(e){b[e]=!0});var c=a.pS(),d=a.tS();return new b_a(a.qP(),c.aa()1E3,a.WR(),d.aa()1E3,b)},a_a=function(a){return Math.random()Math.min(a.waMath.pow(a.ka,a.aa),a.Ca)},OG=function(a,b){return a.aa>=a.ea?!1:b!=null?!!a.Ga[b]:!0};var PG=function(a){_.W.call(this,a.Fa);this.da=a.Ea.EV;this.ea=a.Ea.metadata;a=a.Ea.Xga;this.fetch=a.fetch.bind(a)};_.J(PG,_.W);PG.Ba=function(){return{Ea:{EV:_.YZa,metadata:_.VZa,Xga:_.OZa}}};PG.prototype.aa=function(a,b){if(this.ea.getType(a.Od())!==1)return _.Sm(a);var c=this.da.eV;return(c=c?c_a(c):null)&&OG(c)?_.wya(a,d_a(this,a,b,c)):_.Sm(a)};.var d_a=function(a,b,c,d){return c.then(function(e){return e},function(e)

Chrome Cache Entry: 91

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (553)
Category:	downloaded
Size (bytes):	743936
Entropy (8bit):	5.791088070903539
Encrypted:	false
SSDEEP:	6144:DVXWBQkPdzg5pTX1ROv/duPzd8C3s891/N:Efd8j91/N
MD5:	E9FDD4341AE5B5BEA1F4093630DE235A
SHA1:	74C0EEF5414EC7E734E65FB76033117FC89B9277
SHA-256:	96DEB453F23BB3A8F4C839D4A2C11528A30BBDF957B80CC3645B1145F01BEB98
SHA-512:	770D44B90B554D82698E33EA8FD9DA7A462CEBF3C4216E39EF43235FBC116F79B6A46E0E99DA1261CD4504B5AC500EAD26280B4C28A27C52C1BF854A360CAF1D
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/am=xIFgKBmmEQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/excm=_b,_tp,identifierview/ed=1/dg=0/wt=2/ujg=1/rs=AOaEmlFetHSHFBupOA4lWzkG836ewjY3VA/m=_b,_tp"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._._F_toggles_initialize=function(a){(typeof globalThis!=="undefined"?globalThis:typeof self!=="undefined"?self:this)._F_toggles=a\|\|[]};(0,_._F_toggles_initialize)([0x286081c4, 0x20469864, 0x39e13c40, 0x14501e80, 0xe420, 0x0, 0x1a000000, 0x1d000003, 0xc, ]);./.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0././.. Copyright Google LLC. SPDX-License-Identifier: Apache-2.0././.. Copyright 2024 Google, Inc. SPDX-License-Identifier: MIT././. SPDX-License-Identifier: Apache-2.0././. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0./.var baa,daa,Ma,Sa,gaa,iaa,jb,qaa,waa,Caa,Haa,Kaa,Jb,Laa,Ob,Qb,Rb,Maa,Naa,Sb,Oaa,Paa,Qaa,Yb,Vaa,Xaa,ec,fc,gc,bba,cba,gba,jba,lba,mba,qba,tba,nba,sba,rba,pba,oba,uba,yba,Cba,Dba,Aba,Hc,Ic,Gba,Iba,Mba,Nba,Oba,Pba,Lba,Qba,Sba,dd,Uba,Vba,Xba,Zba,Yba,aca,bca,cca,dca,fca,eca,hca,ica,jca,kca,nca,

Chrome Cache Entry: 92

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (681)
Category:	downloaded
Size (bytes):	4067
Entropy (8bit):	5.363457972758152
Encrypted:	false
SSDEEP:	96:G2CiFZX5BReR68ujioIRVrqtyzBeTV6SfyAKLif9cLw:bCMZXVeR6jiosVrqtyzBaImyAKw9z
MD5:	B027BF10F968F37628EB698B2CF46D8E
SHA1:	0C9801E4FF3BE18102E6E22246B4262FCC6CE011
SHA-256:	98608C8414932B6F029948A323B1236EFB96861306FD1EDEB6CE47E180392B47
SHA-512:	3B1E5A3B247273F025EACF389F98BC139F8453ECEC7A2EC762A4E3279F220B7BED2CB23CD5630E92ED03187C514956DF814E9450FFAA10BFE312633B445DBEF1
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBmmEQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGQQHgW7tBOmtnjDazpfe3i36ZJmg/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=sOXFj,q0xTif,ZZ4WUe"
Preview:	"use strict";_F_installCss(".N7rBcd{overflow-x:auto}sentinel{}");.this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.vg(_.aqa);._.k("sOXFj");.var tu=function(a){_.W.call(this,a.Fa)};_.J(tu,_.W);tu.Ba=_.W.Ba;tu.prototype.aa=function(a){return a()};_.nu(_.$pa,tu);._.l();._.k("oGtAuc");._.yya=new _.pf(_.aqa);._.l();._.k("q0xTif");.var sza=function(a){var b=function(d){_.Sn(d)&&(_.Sn(d).Jc=null,_.Du(d,null));d.XyHi9&&(d.XyHi9=null)};b(a);a=a.querySelectorAll("[c-wiz]");for(var c=0;c<a.length;c++)b(a[c])},Pu=function(a){_.kt.call(this,a.Fa);this.Qa=this.dom=null;if(this.kl()){var b=_.zm(this.Ug(),[_.Em,_.Dm]);b=_.ni([b[_.Em],b[_.Dm]]).then(function(c){this.Qa=c[0];this.dom=c[1]},null,this);_.hu(this,b)}this.Ra=a.lm.zea};_.J(Pu,_.kt);Pu.Ba=function(){return{lm:{zea:function(a){return _.Ue(a)}}}};Pu.prototype.zp=function(a){return this.Ra.zp(a)};.Pu.prototype.getData=function(a){return this.Ra.getData(a)};Pu.prototype.qo=function(){_.Kt(this.d

Chrome Cache Entry: 93

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (683)
Category:	downloaded
Size (bytes):	3131
Entropy (8bit):	5.355381206612617
Encrypted:	false
SSDEEP:	48:o7FEEM3MtH15jNQ8jsK3rnw0dkckTrKEp/OqLE9xz0W5Bzv3M6hIHYA+JITbwrF8:oq675jOArwoAmI/DLaxNPL5m+m6w
MD5:	E2A7251AD83A0D0634FEA2703D10ED07
SHA1:	90D72011F31FC40D3DA3748F2817F90A29EB5C01
SHA-256:	1079B49C4AAF5C10E4F2E6A086623F40D200A71FF2A1F64E88AA6C91E4BE7A6F
SHA-512:	CD6D75580EA8BD97CF7C7C0E0BD9D9A54FB6EA7DF1DDB5A95E94D38B260F9EE1425C640839ECD229B8D01E145CF2786CA374D31EC537EB8FE17FF415D5B985F5
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBmmEQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGQQHgW7tBOmtnjDazpfe3i36ZJmg/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ZwDk9d,RMhBfe"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("ZwDk9d");.var gA=function(a){_.W.call(this,a.Fa)};_.J(gA,_.W);gA.Ba=_.W.Ba;gA.prototype.eS=function(a){return _.Xe(this,{Xa:{gT:_.ll}}).then(function(b){var c=window._wjdd,d=window._wjdc;return!c&&d?new _.li(function(e){window._wjdc=function(f){d(f);e(ZJa(f,b,a))}}):ZJa(c,b,a)})};var ZJa=function(a,b,c){return(a=a&&a[c])?a:b.Xa.gT.eS(c)};.gA.prototype.aa=function(a,b){var c=_.Zra(b).Rj;if(c.startsWith("$")){var d=_.gm.get(a);_.uq[b]&&(d\|\|(d={},_.gm.set(a,d)),d[c]=_.uq[b],delete _.uq[b],_.vq--);if(d)if(a=d[c])b=_.af(a);else throw Error("Jb`"+b);else b=null}else b=null;return b};_.nu(_.Lfa,gA);._.l();._.k("SNUn3");._.YJa=new _.pf(_.wg);._.l();._.k("RMhBfe");.var $Ja=function(a){var b=_.tq(a);return b?new _.li(function(c,d){var e=function(){b=_.tq(a);var f=_.Sfa(a,b);f?c(f.getAttribute("jsdata")):window.document.readyState=="complete"?(f=["Unable to find deferred jsdata wit

Chrome Cache Entry: 94

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	84
Entropy (8bit):	4.875266466142591
Encrypted:	false
SSDEEP:	3:DZFJu0+WVTBCq2Bjdw2KsJJuYHSKnZ:lFJuuVTBudw29nu4SKZ
MD5:	87B6333E98B7620EA1FF98D1A837A39E
SHA1:	105DE6815B0885357DE1414BFC0D77FCC9E924EF
SHA-256:	DCD3C133C5C40BECD4100BBE6EDAE84C9735E778E4234A5E8395C56FF8A733BA
SHA-512:	867D7943D813685FAA76394E53199750C55817E836FD19C933F74D11E9657CE66719A6D6B2E39EE1DE62358BCE364E38A55F4E138DF92337DE6985DDCD5D0994
Malicious:	false
URL:	https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xMzQSHgmA6QC9dWevzxIFDRkBE_oSBQ3oIX6GEgUN05ioBw==?alt=proto
Preview:	Cj0KBw0ZARP6GgAKKQ3oIX6GGgQISxgCKhwIClIYCg5AIS4jJF8qLSY/Ky8lLBABGP////8PCgcN05ioBxoA

Chrome Cache Entry: 95

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (522)
Category:	downloaded
Size (bytes):	5050
Entropy (8bit):	5.289052544075544
Encrypted:	false
SSDEEP:	96:o4We0hP7OBFXYvB1sig3Fd8HkaXzLmUrv8Vh1WJlLQXT2v2gqw:655758Fd8HkaPZ0GmAD
MD5:	26E26FD11772DFF5C7004BEA334289CC
SHA1:	638DAAF541BDE31E95AEE4F8ADA677434D7051DB
SHA-256:	ADFE3E4960982F5EF4C043052A9990D8683C5FC2B590E817B6B1A5774DDE2CE3
SHA-512:	C31929EB6D1C60D6A84A2574FF60490394A6D6F9B354972F3328952F570D80B3F2AEC916B0E1B66DDB1AC056EB75BFAC477E7AF631D0AD1810EDBAF025465D66
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBmmEQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGQQHgW7tBOmtnjDazpfe3i36ZJmg/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=wg1P6b"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.jNa=_.y("wg1P6b",[_.TA,_.Cn,_.Kn]);._.k("wg1P6b");.var Z5a;Z5a=_.mh(["aria-"]);._.uJ=function(a){_.X.call(this,a.Fa);this.Ka=this.wa=this.aa=this.viewportElement=this.Na=null;this.Hc=a.Ea.ff;this.ab=a.Ea.focus;this.Fc=a.Ea.Fc;this.ea=this.Pi();a=-1*parseInt(_.Co(this.Pi().el(),"marginTop")\|\|"0",10);var b=parseInt(_.Co(this.Pi().el(),"marginBottom")\|\|"0",10);this.Ta={top:a,right:0,bottom:b,left:0};a=_.cf(this.getData("isMenuDynamic"),!1);b=_.cf(this.getData("isMenuHoisted"),!1);this.Ga=a?1:b?2:0;this.ka=!1;this.Ca=1;this.Ga!==1&&(this.aa=this.Sa("U0exHf").children().Wc(0),_.ku(this,.$5a(this,this.aa.el())));_.kF(this.oa())&&(a=this.oa().el(),b=this.we.bind(this),a.__soy_skip_handler=b)};_.J(_.uJ,_.X);_.uJ.Ba=function(){return{Ea:{ff:_.ZE,focus:_.KE,Fc:_.ru}}};_.uJ.prototype.xF=function(a){var b=a.source;this.Na=b;var c;((c=a.data)==null?0:c.fz)?(a=a.data.fz,this.Ca=a==="MOUS

Chrome Cache Entry: 96

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (468)
Category:	downloaded
Size (bytes):	1858
Entropy (8bit):	5.298162049824456
Encrypted:	false
SSDEEP:	48:o7vGoolL3ALFKphnpiu7xOKAcfO/3d/rYh4vZorw:o/QLUFUL4KA+2y0Mw
MD5:	CE055F881BDAB4EF6C1C8AA4B3890348
SHA1:	2671741A70E9F5B608F690AAEEA4972003747654
SHA-256:	9B91C23691D6032CDFE28863E369624B2EDB033E1487A1D1BB0977E3590E5462
SHA-512:	8A22250628985C2E570E6FBADFC0D5CB6753F0735130F9E74962A409476C2859C5C81F8A0F5C427A9F13ED399C8E251FA43FF67AD5F16860640D45E7A538E857
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBmmEQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGQQHgW7tBOmtnjDazpfe3i36ZJmg/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=iAskyc,ziXSP"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("iAskyc");._.QZ=function(a){_.W.call(this,a.Fa);this.window=a.Ea.window.get();this.Nc=a.Ea.Nc};_.J(_.QZ,_.W);_.QZ.Ba=function(){return{Ea:{window:_.qu,Nc:_.DE}}};_.QZ.prototype.Po=function(){};_.QZ.prototype.addEncryptionRecoveryMethod=function(){};_.RZ=function(a){return(a==null?void 0:a.Jo)\|\|function(){}};_.SZ=function(a){return(a==null?void 0:a.m3)\|\|function(){}};_.GPb=function(a){return(a==null?void 0:a.Op)\|\|function(){}};._.HPb=function(a){return new Map(Array.from(a,function(b){var c=_.n(b);b=c.next().value;c=c.next().value;return[b,c.map(function(d){return{epoch:d.epoch,key:new Uint8Array(d.key)}})]}))};_.IPb=function(a){setTimeout(function(){throw a;},0)};_.QZ.prototype.kO=function(){return!0};_.nu(_.An,_.QZ);._.l();._.k("ziXSP");.var j_=function(a){_.QZ.call(this,a.Fa)};_.J(j_,_.QZ);j_.Ba=_.QZ.Ba;j_.prototype.Po=function(a,b,c){var d;if((d=this.window.chrome)==nu

Chrome Cache Entry: 97

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (395)
Category:	downloaded
Size (bytes):	1608
Entropy (8bit):	5.257113147606035
Encrypted:	false
SSDEEP:	48:o72ZrNZ4yNAbU+15fMxIdf5WENoBCbw7DbG2bEJrw:oyNNAY+1i4HoBNG2Ilw
MD5:	F06E2DC5CC446B39F878B5F8E4D78418
SHA1:	9F1F34FDD8F8DAB942A9B95D9F720587B6F6AD48
SHA-256:	118E4D2FE7CEF205F9AFC87636554C6D8220882B158333EE3D1990282D158B8F
SHA-512:	893C4F883CD1C88C6AAF5A6E7F232D62823A53E1FFDE5C1C52BB066D75781DD041F4D281CDBF18070D921CE862652D8863E2B9D5E0190CFA4128890D62C44168
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBmmEQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlGQQHgW7tBOmtnjDazpfe3i36ZJmg/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=w9hDv,ZDZcre,A7fCU"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._.k("w9hDv");._.vg(_.Hla);_.eA=function(a){_.W.call(this,a.Fa);this.aa=a.Xa.cache};_.J(_.eA,_.W);_.eA.Ba=function(){return{Xa:{cache:_.dt}}};_.eA.prototype.execute=function(a){_.Bb(a,function(b){var c;_.$e(b)&&(c=b.eb.kc(b.kb));c&&this.aa.xG(c)},this);return{}};_.nu(_.Nla,_.eA);._.l();._.k("ZDZcre");.var fH=function(a){_.W.call(this,a.Fa);this.Wl=a.Ea.Wl;this.d4=a.Ea.metadata;this.aa=a.Ea.ot};_.J(fH,_.W);fH.Ba=function(){return{Ea:{Wl:_.KG,metadata:_.VZa,ot:_.HG}}};fH.prototype.execute=function(a){var b=this;a=this.aa.create(a);return _.Bb(a,function(c){var d=b.d4.getType(c.Od())===2?b.Wl.Rb(c):b.Wl.fetch(c);return _.yl(c,_.LG)?d.then(function(e){return _.Dd(e)}):d},this)};_.nu(_.Sla,fH);._.l();._.k("K5nYTd");._.UZa=new _.pf(_.Ola);._.l();._.k("sP4Vbe");.._.l();._.k("kMFpHd");.._.l();._.k("A7fCU");.var NG=function(a){_.W.call(this,a.Fa);this.aa=a.Ea.tQ};_.J(NG,_.W);NG.Ba=func

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.582296578298535
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	918'528 bytes
MD5:	6e7b2f176845b35ec3eaa5ea9e302a36
SHA1:	ade7b4177211189302165de166b7bf949acb9073
SHA256:	c242d6a3ae3ae6dde989a2792fbccf96b6a66ad25a62a14bf1099fb6a3e916be
SHA512:	9f94b91da3b1dd04845f53e1f8d615b7967b5ed9bccd69a31fcb236b2a8ccf34d3240b20a61552b7525f385ced63b4531ad93e6b8609e45603dbb1eb379d1784
SSDEEP:	12288:3qDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaxTe:3qDEvCTbMWu7rQYlBQcBiT6rprG8aFe
TLSH:	AE159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13A81D79BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FD6F2D [Wed Oct 2 16:05:01 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FDF40F08F43h
jmp 00007FDF40F0884Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FDF40F08A2Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FDF40F089FAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FDF40F0B5EDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FDF40F0B638h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FDF40F0B621h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x98e4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x98e4	0x9a00	d07c1399d6acdb2384d06718d00f7d3e	False	0.30111099837662336	data	5.277599412919383	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xbaa	data			1.0036838580040188
RT_GROUP_ICON	0xdd364	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd3dc	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd3f0	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd404	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd418	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd4f4	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 18:37:11.451750040 CEST	49674	443	192.168.2.6	173.222.162.64
Oct 2, 2024 18:37:11.576699018 CEST	49673	443	192.168.2.6	173.222.162.64
Oct 2, 2024 18:37:11.764202118 CEST	49672	443	192.168.2.6	173.222.162.64
Oct 2, 2024 18:37:20.138478041 CEST	50574	443	192.168.2.6	40.113.110.67
Oct 2, 2024 18:37:20.138510942 CEST	443	50574	40.113.110.67	192.168.2.6
Oct 2, 2024 18:37:20.138602018 CEST	50574	443	192.168.2.6	40.113.110.67
Oct 2, 2024 18:37:20.139106989 CEST	50574	443	192.168.2.6	40.113.110.67
Oct 2, 2024 18:37:20.139120102 CEST	443	50574	40.113.110.67	192.168.2.6
Oct 2, 2024 18:37:20.171838999 CEST	50575	443	192.168.2.6	142.250.185.142
Oct 2, 2024 18:37:20.171891928 CEST	443	50575	142.250.185.142	192.168.2.6
Oct 2, 2024 18:37:20.172003984 CEST	50575	443	192.168.2.6	142.250.185.142
Oct 2, 2024 18:37:20.172256947 CEST	50575	443	192.168.2.6	142.250.185.142
Oct 2, 2024 18:37:20.172277927 CEST	443	50575	142.250.185.142	192.168.2.6
Oct 2, 2024 18:37:20.804620028 CEST	443	50575	142.250.185.142	192.168.2.6
Oct 2, 2024 18:37:20.844981909 CEST	50575	443	192.168.2.6	142.250.185.142
Oct 2, 2024 18:37:20.845000029 CEST	443	50575	142.250.185.142	192.168.2.6
Oct 2, 2024 18:37:20.845664024 CEST	443	50575	142.250.185.142	192.168.2.6
Oct 2, 2024 18:37:20.845750093 CEST	50575	443	192.168.2.6	142.250.185.142
Oct 2, 2024 18:37:20.846375942 CEST	443	50575	142.250.185.142	192.168.2.6
Oct 2, 2024 18:37:20.846441031 CEST	50575	443	192.168.2.6	142.250.185.142
Oct 2, 2024 18:37:20.847552061 CEST	50575	443	192.168.2.6	142.250.185.142
Oct 2, 2024 18:37:20.847625971 CEST	443	50575	142.250.185.142	192.168.2.6
Oct 2, 2024 18:37:20.847731113 CEST	50575	443	192.168.2.6	142.250.185.142
Oct 2, 2024 18:37:20.895404100 CEST	443	50575	142.250.185.142	192.168.2.6
Oct 2, 2024 18:37:20.902944088 CEST	50575	443	192.168.2.6	142.250.185.142
Oct 2, 2024 18:37:20.902955055 CEST	443	50575	142.250.185.142	192.168.2.6
Oct 2, 2024 18:37:20.943824053 CEST	443	50574	40.113.110.67	192.168.2.6
Oct 2, 2024 18:37:20.943962097 CEST	50574	443	192.168.2.6	40.113.110.67
Oct 2, 2024 18:37:20.949784994 CEST	50575	443	192.168.2.6	142.250.185.142
Oct 2, 2024 18:37:20.999284029 CEST	50574	443	192.168.2.6	40.113.110.67
Oct 2, 2024 18:37:20.999308109 CEST	443	50574	40.113.110.67	192.168.2.6
Oct 2, 2024 18:37:20.999624968 CEST	443	50574	40.113.110.67	192.168.2.6
Oct 2, 2024 18:37:21.024115086 CEST	50574	443	192.168.2.6	40.113.110.67
Oct 2, 2024 18:37:21.024192095 CEST	50574	443	192.168.2.6	40.113.110.67
Oct 2, 2024 18:37:21.024204969 CEST	443	50574	40.113.110.67	192.168.2.6
Oct 2, 2024 18:37:21.025487900 CEST	50574	443	192.168.2.6	40.113.110.67
Oct 2, 2024 18:37:21.059192896 CEST	49674	443	192.168.2.6	173.222.162.64
Oct 2, 2024 18:37:21.071405888 CEST	443	50574	40.113.110.67	192.168.2.6
Oct 2, 2024 18:37:21.184130907 CEST	49673	443	192.168.2.6	173.222.162.64
Oct 2, 2024 18:37:21.336241961 CEST	443	50574	40.113.110.67	192.168.2.6
Oct 2, 2024 18:37:21.336328983 CEST	443	50574	40.113.110.67	192.168.2.6
Oct 2, 2024 18:37:21.336393118 CEST	50574	443	192.168.2.6	40.113.110.67
Oct 2, 2024 18:37:21.336580992 CEST	50574	443	192.168.2.6	40.113.110.67
Oct 2, 2024 18:37:21.336596966 CEST	443	50574	40.113.110.67	192.168.2.6
Oct 2, 2024 18:37:21.336626053 CEST	443	50575	142.250.185.142	192.168.2.6
Oct 2, 2024 18:37:21.336663008 CEST	443	50575	142.250.185.142	192.168.2.6
Oct 2, 2024 18:37:21.336729050 CEST	50575	443	192.168.2.6	142.250.185.142
Oct 2, 2024 18:37:21.336754084 CEST	443	50575	142.250.185.142	192.168.2.6
Oct 2, 2024 18:37:21.336872101 CEST	443	50575	142.250.185.142	192.168.2.6
Oct 2, 2024 18:37:21.337029934 CEST	50575	443	192.168.2.6	142.250.185.142
Oct 2, 2024 18:37:21.341084957 CEST	50575	443	192.168.2.6	142.250.185.142
Oct 2, 2024 18:37:21.341119051 CEST	443	50575	142.250.185.142	192.168.2.6
Oct 2, 2024 18:37:21.371845007 CEST	49672	443	192.168.2.6	173.222.162.64
Oct 2, 2024 18:37:23.035664082 CEST	443	50562	173.222.162.64	192.168.2.6
Oct 2, 2024 18:37:23.037682056 CEST	50562	443	192.168.2.6	173.222.162.64
Oct 2, 2024 18:37:23.661370993 CEST	50581	443	192.168.2.6	142.250.185.132
Oct 2, 2024 18:37:23.661407948 CEST	443	50581	142.250.185.132	192.168.2.6
Oct 2, 2024 18:37:23.661468983 CEST	50581	443	192.168.2.6	142.250.185.132
Oct 2, 2024 18:37:23.661786079 CEST	50581	443	192.168.2.6	142.250.185.132
Oct 2, 2024 18:37:23.661801100 CEST	443	50581	142.250.185.132	192.168.2.6
Oct 2, 2024 18:37:23.826596022 CEST	50582	443	192.168.2.6	184.28.90.27
Oct 2, 2024 18:37:23.826627016 CEST	443	50582	184.28.90.27	192.168.2.6
Oct 2, 2024 18:37:23.826715946 CEST	50582	443	192.168.2.6	184.28.90.27
Oct 2, 2024 18:37:23.828092098 CEST	50582	443	192.168.2.6	184.28.90.27
Oct 2, 2024 18:37:23.828104973 CEST	443	50582	184.28.90.27	192.168.2.6
Oct 2, 2024 18:37:24.317792892 CEST	443	50581	142.250.185.132	192.168.2.6
Oct 2, 2024 18:37:24.318144083 CEST	50581	443	192.168.2.6	142.250.185.132
Oct 2, 2024 18:37:24.318157911 CEST	443	50581	142.250.185.132	192.168.2.6
Oct 2, 2024 18:37:24.319072962 CEST	443	50581	142.250.185.132	192.168.2.6
Oct 2, 2024 18:37:24.319147110 CEST	50581	443	192.168.2.6	142.250.185.132
Oct 2, 2024 18:37:24.319988012 CEST	50581	443	192.168.2.6	142.250.185.132
Oct 2, 2024 18:37:24.320049047 CEST	443	50581	142.250.185.132	192.168.2.6
Oct 2, 2024 18:37:24.371818066 CEST	50581	443	192.168.2.6	142.250.185.132
Oct 2, 2024 18:37:24.371823072 CEST	443	50581	142.250.185.132	192.168.2.6
Oct 2, 2024 18:37:24.418697119 CEST	50581	443	192.168.2.6	142.250.185.132
Oct 2, 2024 18:37:24.514640093 CEST	443	50582	184.28.90.27	192.168.2.6
Oct 2, 2024 18:37:24.514722109 CEST	50582	443	192.168.2.6	184.28.90.27
Oct 2, 2024 18:37:24.523863077 CEST	50582	443	192.168.2.6	184.28.90.27
Oct 2, 2024 18:37:24.523881912 CEST	443	50582	184.28.90.27	192.168.2.6
Oct 2, 2024 18:37:24.524395943 CEST	443	50582	184.28.90.27	192.168.2.6
Oct 2, 2024 18:37:24.564198971 CEST	50582	443	192.168.2.6	184.28.90.27
Oct 2, 2024 18:37:24.642784119 CEST	50582	443	192.168.2.6	184.28.90.27
Oct 2, 2024 18:37:24.687424898 CEST	443	50582	184.28.90.27	192.168.2.6
Oct 2, 2024 18:37:24.838625908 CEST	443	50582	184.28.90.27	192.168.2.6
Oct 2, 2024 18:37:24.838692904 CEST	443	50582	184.28.90.27	192.168.2.6
Oct 2, 2024 18:37:24.838746071 CEST	50582	443	192.168.2.6	184.28.90.27
Oct 2, 2024 18:37:24.838825941 CEST	50582	443	192.168.2.6	184.28.90.27
Oct 2, 2024 18:37:24.838849068 CEST	443	50582	184.28.90.27	192.168.2.6
Oct 2, 2024 18:37:24.838861942 CEST	50582	443	192.168.2.6	184.28.90.27
Oct 2, 2024 18:37:24.838870049 CEST	443	50582	184.28.90.27	192.168.2.6
Oct 2, 2024 18:37:24.886317015 CEST	50586	443	192.168.2.6	184.28.90.27
Oct 2, 2024 18:37:24.886370897 CEST	443	50586	184.28.90.27	192.168.2.6
Oct 2, 2024 18:37:24.886440992 CEST	50586	443	192.168.2.6	184.28.90.27
Oct 2, 2024 18:37:24.886725903 CEST	50586	443	192.168.2.6	184.28.90.27
Oct 2, 2024 18:37:24.886739016 CEST	443	50586	184.28.90.27	192.168.2.6
Oct 2, 2024 18:37:25.541754961 CEST	443	50586	184.28.90.27	192.168.2.6
Oct 2, 2024 18:37:25.541831017 CEST	50586	443	192.168.2.6	184.28.90.27
Oct 2, 2024 18:37:25.544642925 CEST	50586	443	192.168.2.6	184.28.90.27
Oct 2, 2024 18:37:25.544653893 CEST	443	50586	184.28.90.27	192.168.2.6
Oct 2, 2024 18:37:25.544924021 CEST	443	50586	184.28.90.27	192.168.2.6
Oct 2, 2024 18:37:25.548712969 CEST	50586	443	192.168.2.6	184.28.90.27
Oct 2, 2024 18:37:25.591407061 CEST	443	50586	184.28.90.27	192.168.2.6
Oct 2, 2024 18:37:25.827128887 CEST	443	50586	184.28.90.27	192.168.2.6
Oct 2, 2024 18:37:25.827306986 CEST	443	50586	184.28.90.27	192.168.2.6
Oct 2, 2024 18:37:25.827368021 CEST	50586	443	192.168.2.6	184.28.90.27
Oct 2, 2024 18:37:25.849875927 CEST	50586	443	192.168.2.6	184.28.90.27
Oct 2, 2024 18:37:25.849909067 CEST	443	50586	184.28.90.27	192.168.2.6
Oct 2, 2024 18:37:25.849921942 CEST	50586	443	192.168.2.6	184.28.90.27
Oct 2, 2024 18:37:25.849929094 CEST	443	50586	184.28.90.27	192.168.2.6
Oct 2, 2024 18:37:28.727823973 CEST	50600	443	192.168.2.6	142.250.185.206
Oct 2, 2024 18:37:28.727864027 CEST	443	50600	142.250.185.206	192.168.2.6
Oct 2, 2024 18:37:28.727931976 CEST	50600	443	192.168.2.6	142.250.185.206
Oct 2, 2024 18:37:28.747035027 CEST	50600	443	192.168.2.6	142.250.185.206
Oct 2, 2024 18:37:28.747054100 CEST	443	50600	142.250.185.206	192.168.2.6
Oct 2, 2024 18:37:28.801453114 CEST	50602	443	192.168.2.6	40.113.110.67
Oct 2, 2024 18:37:28.801491022 CEST	443	50602	40.113.110.67	192.168.2.6
Oct 2, 2024 18:37:28.802175045 CEST	50602	443	192.168.2.6	40.113.110.67
Oct 2, 2024 18:37:28.802175045 CEST	50602	443	192.168.2.6	40.113.110.67
Oct 2, 2024 18:37:28.802213907 CEST	443	50602	40.113.110.67	192.168.2.6
Oct 2, 2024 18:37:29.427530050 CEST	443	50600	142.250.185.206	192.168.2.6
Oct 2, 2024 18:37:29.427998066 CEST	50600	443	192.168.2.6	142.250.185.206
Oct 2, 2024 18:37:29.428011894 CEST	443	50600	142.250.185.206	192.168.2.6
Oct 2, 2024 18:37:29.428436995 CEST	443	50600	142.250.185.206	192.168.2.6
Oct 2, 2024 18:37:29.428491116 CEST	50600	443	192.168.2.6	142.250.185.206
Oct 2, 2024 18:37:29.429194927 CEST	443	50600	142.250.185.206	192.168.2.6
Oct 2, 2024 18:37:29.429255962 CEST	50600	443	192.168.2.6	142.250.185.206
Oct 2, 2024 18:37:29.430464983 CEST	50600	443	192.168.2.6	142.250.185.206
Oct 2, 2024 18:37:29.430530071 CEST	443	50600	142.250.185.206	192.168.2.6
Oct 2, 2024 18:37:29.430793047 CEST	50600	443	192.168.2.6	142.250.185.206
Oct 2, 2024 18:37:29.430804968 CEST	443	50600	142.250.185.206	192.168.2.6
Oct 2, 2024 18:37:29.481105089 CEST	50600	443	192.168.2.6	142.250.185.206
Oct 2, 2024 18:37:29.732197046 CEST	443	50602	40.113.110.67	192.168.2.6
Oct 2, 2024 18:37:29.732305050 CEST	50602	443	192.168.2.6	40.113.110.67
Oct 2, 2024 18:37:29.735641956 CEST	50602	443	192.168.2.6	40.113.110.67
Oct 2, 2024 18:37:29.735654116 CEST	443	50602	40.113.110.67	192.168.2.6
Oct 2, 2024 18:37:29.736042023 CEST	443	50602	40.113.110.67	192.168.2.6
Oct 2, 2024 18:37:29.737989902 CEST	50602	443	192.168.2.6	40.113.110.67
Oct 2, 2024 18:37:29.738142014 CEST	50602	443	192.168.2.6	40.113.110.67
Oct 2, 2024 18:37:29.738148928 CEST	443	50602	40.113.110.67	192.168.2.6
Oct 2, 2024 18:37:29.738230944 CEST	50602	443	192.168.2.6	40.113.110.67
Oct 2, 2024 18:37:29.757884979 CEST	443	50600	142.250.185.206	192.168.2.6
Oct 2, 2024 18:37:29.757930040 CEST	443	50600	142.250.185.206	192.168.2.6
Oct 2, 2024 18:37:29.757981062 CEST	50600	443	192.168.2.6	142.250.185.206
Oct 2, 2024 18:37:29.757999897 CEST	443	50600	142.250.185.206	192.168.2.6
Oct 2, 2024 18:37:29.758045912 CEST	50600	443	192.168.2.6	142.250.185.206
Oct 2, 2024 18:37:29.758424997 CEST	443	50600	142.250.185.206	192.168.2.6
Oct 2, 2024 18:37:29.758475065 CEST	50600	443	192.168.2.6	142.250.185.206
Oct 2, 2024 18:37:29.763514042 CEST	443	50600	142.250.185.206	192.168.2.6
Oct 2, 2024 18:37:29.763583899 CEST	50600	443	192.168.2.6	142.250.185.206
Oct 2, 2024 18:37:29.771563053 CEST	443	50600	142.250.185.206	192.168.2.6
Oct 2, 2024 18:37:29.771610975 CEST	50600	443	192.168.2.6	142.250.185.206
Oct 2, 2024 18:37:29.771629095 CEST	443	50600	142.250.185.206	192.168.2.6
Oct 2, 2024 18:37:29.771689892 CEST	50600	443	192.168.2.6	142.250.185.206
Oct 2, 2024 18:37:29.776140928 CEST	443	50600	142.250.185.206	192.168.2.6
Oct 2, 2024 18:37:29.776242971 CEST	50600	443	192.168.2.6	142.250.185.206
Oct 2, 2024 18:37:29.782555103 CEST	443	50600	142.250.185.206	192.168.2.6
Oct 2, 2024 18:37:29.782613993 CEST	443	50600	142.250.185.206	192.168.2.6
Oct 2, 2024 18:37:29.782831907 CEST	50600	443	192.168.2.6	142.250.185.206
Oct 2, 2024 18:37:29.782844067 CEST	443	50600	142.250.185.206	192.168.2.6
Oct 2, 2024 18:37:29.783164978 CEST	50600	443	192.168.2.6	142.250.185.206
Oct 2, 2024 18:37:29.783394098 CEST	443	50602	40.113.110.67	192.168.2.6
Oct 2, 2024 18:37:29.850197077 CEST	443	50600	142.250.185.206	192.168.2.6
Oct 2, 2024 18:37:29.850270033 CEST	443	50600	142.250.185.206	192.168.2.6
Oct 2, 2024 18:37:29.850857019 CEST	50600	443	192.168.2.6	142.250.185.206
Oct 2, 2024 18:37:29.850862026 CEST	443	50600	142.250.185.206	192.168.2.6
Oct 2, 2024 18:37:29.850871086 CEST	443	50600	142.250.185.206	192.168.2.6
Oct 2, 2024 18:37:29.851286888 CEST	50600	443	192.168.2.6	142.250.185.206
Oct 2, 2024 18:37:29.854444027 CEST	443	50600	142.250.185.206	192.168.2.6
Oct 2, 2024 18:37:29.854502916 CEST	443	50600	142.250.185.206	192.168.2.6
Oct 2, 2024 18:37:29.855168104 CEST	50600	443	192.168.2.6	142.250.185.206
Oct 2, 2024 18:37:29.855180979 CEST	443	50600	142.250.185.206	192.168.2.6
Oct 2, 2024 18:37:29.855231047 CEST	50600	443	192.168.2.6	142.250.185.206
Oct 2, 2024 18:37:29.860810995 CEST	443	50600	142.250.185.206	192.168.2.6
Oct 2, 2024 18:37:29.860881090 CEST	50600	443	192.168.2.6	142.250.185.206
Oct 2, 2024 18:37:29.860893965 CEST	443	50600	142.250.185.206	192.168.2.6
Oct 2, 2024 18:37:29.865861893 CEST	443	50600	142.250.185.206	192.168.2.6
Oct 2, 2024 18:37:29.866218090 CEST	50600	443	192.168.2.6	142.250.185.206
Oct 2, 2024 18:37:29.866231918 CEST	443	50600	142.250.185.206	192.168.2.6
Oct 2, 2024 18:37:29.871988058 CEST	443	50600	142.250.185.206	192.168.2.6
Oct 2, 2024 18:37:29.872097015 CEST	50600	443	192.168.2.6	142.250.185.206
Oct 2, 2024 18:37:29.872109890 CEST	443	50600	142.250.185.206	192.168.2.6
Oct 2, 2024 18:37:29.878555059 CEST	443	50600	142.250.185.206	192.168.2.6
Oct 2, 2024 18:37:29.878611088 CEST	50600	443	192.168.2.6	142.250.185.206
Oct 2, 2024 18:37:29.878624916 CEST	443	50600	142.250.185.206	192.168.2.6
Oct 2, 2024 18:37:29.878680944 CEST	443	50600	142.250.185.206	192.168.2.6
Oct 2, 2024 18:37:29.878750086 CEST	50600	443	192.168.2.6	142.250.185.206
Oct 2, 2024 18:37:29.880975008 CEST	50600	443	192.168.2.6	142.250.185.206
Oct 2, 2024 18:37:29.880995035 CEST	443	50600	142.250.185.206	192.168.2.6
Oct 2, 2024 18:37:29.897938013 CEST	50604	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:29.897974968 CEST	443	50604	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:29.898056030 CEST	50604	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:29.898391962 CEST	50604	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:29.898406029 CEST	443	50604	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:29.918184996 CEST	443	50602	40.113.110.67	192.168.2.6
Oct 2, 2024 18:37:29.918606043 CEST	443	50602	40.113.110.67	192.168.2.6
Oct 2, 2024 18:37:29.918693066 CEST	50602	443	192.168.2.6	40.113.110.67
Oct 2, 2024 18:37:29.919409037 CEST	50602	443	192.168.2.6	40.113.110.67
Oct 2, 2024 18:37:29.919430971 CEST	443	50602	40.113.110.67	192.168.2.6
Oct 2, 2024 18:37:29.980236053 CEST	50606	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:29.980264902 CEST	443	50606	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:29.980348110 CEST	50606	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:29.981287003 CEST	50606	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:29.981297016 CEST	443	50606	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:30.604454994 CEST	443	50604	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:30.604779005 CEST	50604	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:30.604788065 CEST	443	50604	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:30.605149984 CEST	443	50604	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:30.605220079 CEST	50604	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:30.605840921 CEST	443	50604	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:30.605886936 CEST	50604	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:30.607585907 CEST	50604	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:30.607647896 CEST	443	50604	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:30.607875109 CEST	50604	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:30.607882023 CEST	443	50604	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:30.653958082 CEST	50604	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:30.785101891 CEST	443	50606	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:30.797154903 CEST	50606	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:30.797183037 CEST	443	50606	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:30.798372984 CEST	443	50606	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:30.798458099 CEST	50606	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:30.801012039 CEST	443	50606	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:30.801080942 CEST	50606	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:30.802634001 CEST	50606	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:30.802696943 CEST	443	50606	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:30.803236008 CEST	50606	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:30.803242922 CEST	443	50606	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:30.857573986 CEST	50606	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:30.906883955 CEST	443	50604	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:30.907139063 CEST	443	50604	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:30.907253027 CEST	50604	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:30.971549034 CEST	50604	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:30.971568108 CEST	443	50604	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:30.972865105 CEST	50609	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:30.972888947 CEST	443	50609	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:30.972954035 CEST	50609	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:30.973678112 CEST	50609	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:30.973687887 CEST	443	50609	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:31.088538885 CEST	443	50606	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:31.088979006 CEST	443	50606	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:31.090286970 CEST	50606	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:31.142704964 CEST	50606	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:31.142731905 CEST	443	50606	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:31.152132034 CEST	50610	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:31.152146101 CEST	443	50610	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:31.152210951 CEST	50610	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:31.193849087 CEST	50610	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:31.193872929 CEST	443	50610	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:31.621665001 CEST	443	50609	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:31.623320103 CEST	50609	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:31.623354912 CEST	443	50609	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:31.623750925 CEST	443	50609	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:31.623812914 CEST	50609	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:31.624464989 CEST	443	50609	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:31.624519110 CEST	50609	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:31.624661922 CEST	50609	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:31.624720097 CEST	443	50609	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:31.624825954 CEST	50609	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:31.624850035 CEST	50609	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:31.624857903 CEST	443	50609	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:31.659967899 CEST	50613	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:37:31.660002947 CEST	443	50613	20.114.59.183	192.168.2.6
Oct 2, 2024 18:37:31.660073042 CEST	50613	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:37:31.661101103 CEST	50613	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:37:31.661113977 CEST	443	50613	20.114.59.183	192.168.2.6
Oct 2, 2024 18:37:31.667872906 CEST	50609	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:31.853214979 CEST	443	50610	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:31.853522062 CEST	50610	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:31.853558064 CEST	443	50610	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:31.853945017 CEST	443	50610	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:31.854007006 CEST	50610	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:31.854655027 CEST	443	50610	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:31.854706049 CEST	50610	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:31.854897976 CEST	50610	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:31.854969025 CEST	443	50610	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:31.855088949 CEST	50610	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:31.855103016 CEST	443	50610	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:31.855123997 CEST	50610	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:31.858503103 CEST	443	50609	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:31.858653069 CEST	443	50609	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:31.858840942 CEST	50609	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:31.859841108 CEST	50609	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:31.859858036 CEST	443	50609	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:31.895407915 CEST	443	50610	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:31.903683901 CEST	50610	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:32.073055983 CEST	443	50610	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:32.074528933 CEST	443	50610	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:32.074584007 CEST	50610	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:32.075299025 CEST	50610	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:32.075316906 CEST	443	50610	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:32.355202913 CEST	50581	443	192.168.2.6	142.250.185.132
Oct 2, 2024 18:37:32.399403095 CEST	443	50581	142.250.185.132	192.168.2.6
Oct 2, 2024 18:37:32.441514015 CEST	443	50613	20.114.59.183	192.168.2.6
Oct 2, 2024 18:37:32.441612959 CEST	50613	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:37:32.443223000 CEST	50613	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:37:32.443233013 CEST	443	50613	20.114.59.183	192.168.2.6
Oct 2, 2024 18:37:32.443521976 CEST	443	50613	20.114.59.183	192.168.2.6
Oct 2, 2024 18:37:32.497454882 CEST	50613	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:37:32.503326893 CEST	50613	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:37:32.547405005 CEST	443	50613	20.114.59.183	192.168.2.6
Oct 2, 2024 18:37:32.637871981 CEST	443	50581	142.250.185.132	192.168.2.6
Oct 2, 2024 18:37:32.637911081 CEST	443	50581	142.250.185.132	192.168.2.6
Oct 2, 2024 18:37:32.637937069 CEST	443	50581	142.250.185.132	192.168.2.6
Oct 2, 2024 18:37:32.637955904 CEST	50581	443	192.168.2.6	142.250.185.132
Oct 2, 2024 18:37:32.637962103 CEST	443	50581	142.250.185.132	192.168.2.6
Oct 2, 2024 18:37:32.637972116 CEST	443	50581	142.250.185.132	192.168.2.6
Oct 2, 2024 18:37:32.638010025 CEST	50581	443	192.168.2.6	142.250.185.132
Oct 2, 2024 18:37:32.638017893 CEST	443	50581	142.250.185.132	192.168.2.6
Oct 2, 2024 18:37:32.638076067 CEST	50581	443	192.168.2.6	142.250.185.132
Oct 2, 2024 18:37:32.638082981 CEST	443	50581	142.250.185.132	192.168.2.6
Oct 2, 2024 18:37:32.638099909 CEST	443	50581	142.250.185.132	192.168.2.6
Oct 2, 2024 18:37:32.638179064 CEST	50581	443	192.168.2.6	142.250.185.132
Oct 2, 2024 18:37:32.640083075 CEST	50581	443	192.168.2.6	142.250.185.132
Oct 2, 2024 18:37:32.640100956 CEST	443	50581	142.250.185.132	192.168.2.6
Oct 2, 2024 18:37:32.768398046 CEST	443	50613	20.114.59.183	192.168.2.6
Oct 2, 2024 18:37:32.768464088 CEST	443	50613	20.114.59.183	192.168.2.6
Oct 2, 2024 18:37:32.768484116 CEST	443	50613	20.114.59.183	192.168.2.6
Oct 2, 2024 18:37:32.768505096 CEST	443	50613	20.114.59.183	192.168.2.6
Oct 2, 2024 18:37:32.768523932 CEST	50613	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:37:32.768549919 CEST	443	50613	20.114.59.183	192.168.2.6
Oct 2, 2024 18:37:32.768572092 CEST	443	50613	20.114.59.183	192.168.2.6
Oct 2, 2024 18:37:32.768587112 CEST	50613	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:37:32.768606901 CEST	443	50613	20.114.59.183	192.168.2.6
Oct 2, 2024 18:37:32.768651009 CEST	50613	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:37:32.768657923 CEST	443	50613	20.114.59.183	192.168.2.6
Oct 2, 2024 18:37:32.768668890 CEST	50613	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:37:32.768771887 CEST	443	50613	20.114.59.183	192.168.2.6
Oct 2, 2024 18:37:32.768829107 CEST	50613	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:37:32.768834114 CEST	443	50613	20.114.59.183	192.168.2.6
Oct 2, 2024 18:37:32.768955946 CEST	443	50613	20.114.59.183	192.168.2.6
Oct 2, 2024 18:37:32.769006014 CEST	50613	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:37:32.782331944 CEST	50613	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:37:32.782345057 CEST	443	50613	20.114.59.183	192.168.2.6
Oct 2, 2024 18:37:32.782356024 CEST	50613	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:37:32.782361031 CEST	443	50613	20.114.59.183	192.168.2.6
Oct 2, 2024 18:37:37.734138966 CEST	50621	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:37.734224081 CEST	443	50621	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:37.734409094 CEST	50621	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:37.734647989 CEST	50621	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:37.734672070 CEST	443	50621	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:38.435606956 CEST	443	50621	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:38.467364073 CEST	50621	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:38.467453003 CEST	443	50621	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:38.469124079 CEST	443	50621	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:38.469630003 CEST	50621	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:38.469840050 CEST	443	50621	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:38.469846010 CEST	50621	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:38.469871998 CEST	50621	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:38.469979048 CEST	443	50621	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:38.512139082 CEST	50621	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:38.766060114 CEST	443	50621	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:38.767314911 CEST	443	50621	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:38.767404079 CEST	50621	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:38.769355059 CEST	50621	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:37:38.769370079 CEST	443	50621	142.250.185.110	192.168.2.6
Oct 2, 2024 18:37:42.446450949 CEST	50622	443	192.168.2.6	40.113.110.67
Oct 2, 2024 18:37:42.446485043 CEST	443	50622	40.113.110.67	192.168.2.6
Oct 2, 2024 18:37:42.446613073 CEST	50622	443	192.168.2.6	40.113.110.67
Oct 2, 2024 18:37:42.447530985 CEST	50622	443	192.168.2.6	40.113.110.67
Oct 2, 2024 18:37:42.447547913 CEST	443	50622	40.113.110.67	192.168.2.6
Oct 2, 2024 18:37:43.261126041 CEST	443	50622	40.113.110.67	192.168.2.6
Oct 2, 2024 18:37:43.261250973 CEST	50622	443	192.168.2.6	40.113.110.67
Oct 2, 2024 18:37:43.269747972 CEST	50622	443	192.168.2.6	40.113.110.67
Oct 2, 2024 18:37:43.269757032 CEST	443	50622	40.113.110.67	192.168.2.6
Oct 2, 2024 18:37:43.270064116 CEST	443	50622	40.113.110.67	192.168.2.6
Oct 2, 2024 18:37:43.291487932 CEST	50622	443	192.168.2.6	40.113.110.67
Oct 2, 2024 18:37:43.291564941 CEST	50622	443	192.168.2.6	40.113.110.67
Oct 2, 2024 18:37:43.291574001 CEST	443	50622	40.113.110.67	192.168.2.6
Oct 2, 2024 18:37:43.291860104 CEST	50622	443	192.168.2.6	40.113.110.67
Oct 2, 2024 18:37:43.339402914 CEST	443	50622	40.113.110.67	192.168.2.6
Oct 2, 2024 18:37:43.470340967 CEST	443	50622	40.113.110.67	192.168.2.6
Oct 2, 2024 18:37:43.470566988 CEST	443	50622	40.113.110.67	192.168.2.6
Oct 2, 2024 18:37:43.470643044 CEST	50622	443	192.168.2.6	40.113.110.67
Oct 2, 2024 18:37:43.471232891 CEST	50622	443	192.168.2.6	40.113.110.67
Oct 2, 2024 18:37:43.471256971 CEST	443	50622	40.113.110.67	192.168.2.6
Oct 2, 2024 18:38:00.156390905 CEST	50623	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:38:00.156419992 CEST	443	50623	142.250.185.110	192.168.2.6
Oct 2, 2024 18:38:00.156519890 CEST	50623	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:38:00.156871080 CEST	50623	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:38:00.156884909 CEST	443	50623	142.250.185.110	192.168.2.6
Oct 2, 2024 18:38:00.532891989 CEST	50624	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:38:00.532933950 CEST	443	50624	142.250.185.110	192.168.2.6
Oct 2, 2024 18:38:00.533026934 CEST	50624	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:38:00.535348892 CEST	50624	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:38:00.535366058 CEST	443	50624	142.250.185.110	192.168.2.6
Oct 2, 2024 18:38:00.819713116 CEST	443	50623	142.250.185.110	192.168.2.6
Oct 2, 2024 18:38:00.820049047 CEST	50623	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:38:00.820082903 CEST	443	50623	142.250.185.110	192.168.2.6
Oct 2, 2024 18:38:00.820827007 CEST	443	50623	142.250.185.110	192.168.2.6
Oct 2, 2024 18:38:00.821203947 CEST	50623	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:38:00.821317911 CEST	443	50623	142.250.185.110	192.168.2.6
Oct 2, 2024 18:38:00.821433067 CEST	50623	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:38:00.821450949 CEST	50623	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:38:00.821470022 CEST	443	50623	142.250.185.110	192.168.2.6
Oct 2, 2024 18:38:01.128388882 CEST	443	50623	142.250.185.110	192.168.2.6
Oct 2, 2024 18:38:01.129240036 CEST	443	50623	142.250.185.110	192.168.2.6
Oct 2, 2024 18:38:01.129333973 CEST	50623	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:38:01.129595041 CEST	50623	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:38:01.129618883 CEST	443	50623	142.250.185.110	192.168.2.6
Oct 2, 2024 18:38:01.223006010 CEST	50625	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:38:01.223047972 CEST	443	50625	142.250.185.110	192.168.2.6
Oct 2, 2024 18:38:01.223241091 CEST	50625	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:38:01.223659992 CEST	50625	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:38:01.223674059 CEST	443	50625	142.250.185.110	192.168.2.6
Oct 2, 2024 18:38:01.252393961 CEST	443	50624	142.250.185.110	192.168.2.6
Oct 2, 2024 18:38:01.252774954 CEST	50624	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:38:01.252798080 CEST	443	50624	142.250.185.110	192.168.2.6
Oct 2, 2024 18:38:01.253163099 CEST	443	50624	142.250.185.110	192.168.2.6
Oct 2, 2024 18:38:01.253591061 CEST	50624	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:38:01.253647089 CEST	443	50624	142.250.185.110	192.168.2.6
Oct 2, 2024 18:38:01.253763914 CEST	50624	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:38:01.253793001 CEST	50624	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:38:01.253799915 CEST	443	50624	142.250.185.110	192.168.2.6
Oct 2, 2024 18:38:01.554647923 CEST	443	50624	142.250.185.110	192.168.2.6
Oct 2, 2024 18:38:01.554805994 CEST	443	50624	142.250.185.110	192.168.2.6
Oct 2, 2024 18:38:01.554912090 CEST	50624	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:38:01.555349112 CEST	50624	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:38:01.555377007 CEST	443	50624	142.250.185.110	192.168.2.6
Oct 2, 2024 18:38:01.872229099 CEST	443	50625	142.250.185.110	192.168.2.6
Oct 2, 2024 18:38:01.873630047 CEST	50625	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:38:01.873651028 CEST	443	50625	142.250.185.110	192.168.2.6
Oct 2, 2024 18:38:01.874540091 CEST	443	50625	142.250.185.110	192.168.2.6
Oct 2, 2024 18:38:01.874891043 CEST	50625	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:38:01.874960899 CEST	443	50625	142.250.185.110	192.168.2.6
Oct 2, 2024 18:38:01.875099897 CEST	50625	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:38:01.875117064 CEST	50625	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:38:01.875129938 CEST	443	50625	142.250.185.110	192.168.2.6
Oct 2, 2024 18:38:02.098834038 CEST	443	50625	142.250.185.110	192.168.2.6
Oct 2, 2024 18:38:02.099194050 CEST	443	50625	142.250.185.110	192.168.2.6
Oct 2, 2024 18:38:02.099250078 CEST	50625	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:38:02.099633932 CEST	50625	443	192.168.2.6	142.250.185.110
Oct 2, 2024 18:38:02.099648952 CEST	443	50625	142.250.185.110	192.168.2.6
Oct 2, 2024 18:38:04.572309971 CEST	50626	443	192.168.2.6	40.113.110.67
Oct 2, 2024 18:38:04.572360039 CEST	443	50626	40.113.110.67	192.168.2.6
Oct 2, 2024 18:38:04.572453022 CEST	50626	443	192.168.2.6	40.113.110.67
Oct 2, 2024 18:38:04.573003054 CEST	50626	443	192.168.2.6	40.113.110.67
Oct 2, 2024 18:38:04.573019028 CEST	443	50626	40.113.110.67	192.168.2.6
Oct 2, 2024 18:38:05.439421892 CEST	443	50626	40.113.110.67	192.168.2.6
Oct 2, 2024 18:38:05.439510107 CEST	50626	443	192.168.2.6	40.113.110.67
Oct 2, 2024 18:38:05.441392899 CEST	50626	443	192.168.2.6	40.113.110.67
Oct 2, 2024 18:38:05.441411018 CEST	443	50626	40.113.110.67	192.168.2.6
Oct 2, 2024 18:38:05.441648960 CEST	443	50626	40.113.110.67	192.168.2.6
Oct 2, 2024 18:38:05.443274975 CEST	50626	443	192.168.2.6	40.113.110.67
Oct 2, 2024 18:38:05.443274975 CEST	50626	443	192.168.2.6	40.113.110.67
Oct 2, 2024 18:38:05.443299055 CEST	443	50626	40.113.110.67	192.168.2.6
Oct 2, 2024 18:38:05.443409920 CEST	50626	443	192.168.2.6	40.113.110.67
Oct 2, 2024 18:38:05.487404108 CEST	443	50626	40.113.110.67	192.168.2.6
Oct 2, 2024 18:38:05.617132902 CEST	443	50626	40.113.110.67	192.168.2.6
Oct 2, 2024 18:38:05.617476940 CEST	443	50626	40.113.110.67	192.168.2.6
Oct 2, 2024 18:38:05.617562056 CEST	50626	443	192.168.2.6	40.113.110.67
Oct 2, 2024 18:38:05.617686033 CEST	50626	443	192.168.2.6	40.113.110.67
Oct 2, 2024 18:38:05.617712021 CEST	443	50626	40.113.110.67	192.168.2.6
Oct 2, 2024 18:38:09.261104107 CEST	50627	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:38:09.261126995 CEST	443	50627	20.114.59.183	192.168.2.6
Oct 2, 2024 18:38:09.261229038 CEST	50627	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:38:09.261625051 CEST	50627	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:38:09.261640072 CEST	443	50627	20.114.59.183	192.168.2.6
Oct 2, 2024 18:38:10.076863050 CEST	443	50627	20.114.59.183	192.168.2.6
Oct 2, 2024 18:38:10.076987982 CEST	50627	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:38:10.083636045 CEST	50627	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:38:10.083666086 CEST	443	50627	20.114.59.183	192.168.2.6
Oct 2, 2024 18:38:10.084460020 CEST	443	50627	20.114.59.183	192.168.2.6
Oct 2, 2024 18:38:10.103312016 CEST	50627	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:38:10.147399902 CEST	443	50627	20.114.59.183	192.168.2.6
Oct 2, 2024 18:38:10.423836946 CEST	443	50627	20.114.59.183	192.168.2.6
Oct 2, 2024 18:38:10.423901081 CEST	443	50627	20.114.59.183	192.168.2.6
Oct 2, 2024 18:38:10.423945904 CEST	443	50627	20.114.59.183	192.168.2.6
Oct 2, 2024 18:38:10.423983097 CEST	50627	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:38:10.424006939 CEST	443	50627	20.114.59.183	192.168.2.6
Oct 2, 2024 18:38:10.424030066 CEST	50627	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:38:10.424067020 CEST	50627	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:38:10.424809933 CEST	443	50627	20.114.59.183	192.168.2.6
Oct 2, 2024 18:38:10.424865961 CEST	443	50627	20.114.59.183	192.168.2.6
Oct 2, 2024 18:38:10.424885035 CEST	50627	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:38:10.424892902 CEST	443	50627	20.114.59.183	192.168.2.6
Oct 2, 2024 18:38:10.424925089 CEST	50627	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:38:10.425287962 CEST	443	50627	20.114.59.183	192.168.2.6
Oct 2, 2024 18:38:10.425343990 CEST	50627	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:38:10.428179026 CEST	50627	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:38:10.428190947 CEST	443	50627	20.114.59.183	192.168.2.6
Oct 2, 2024 18:38:10.428210974 CEST	50627	443	192.168.2.6	20.114.59.183
Oct 2, 2024 18:38:10.428217888 CEST	443	50627	20.114.59.183	192.168.2.6
Oct 2, 2024 18:38:23.716746092 CEST	50629	443	192.168.2.6	142.250.185.132
Oct 2, 2024 18:38:23.716800928 CEST	443	50629	142.250.185.132	192.168.2.6
Oct 2, 2024 18:38:23.716896057 CEST	50629	443	192.168.2.6	142.250.185.132
Oct 2, 2024 18:38:23.717122078 CEST	50629	443	192.168.2.6	142.250.185.132
Oct 2, 2024 18:38:23.717129946 CEST	443	50629	142.250.185.132	192.168.2.6
Oct 2, 2024 18:38:24.527518034 CEST	443	50629	142.250.185.132	192.168.2.6
Oct 2, 2024 18:38:24.527936935 CEST	50629	443	192.168.2.6	142.250.185.132
Oct 2, 2024 18:38:24.527954102 CEST	443	50629	142.250.185.132	192.168.2.6
Oct 2, 2024 18:38:24.529023886 CEST	443	50629	142.250.185.132	192.168.2.6
Oct 2, 2024 18:38:24.535826921 CEST	50629	443	192.168.2.6	142.250.185.132
Oct 2, 2024 18:38:24.535999060 CEST	443	50629	142.250.185.132	192.168.2.6
Oct 2, 2024 18:38:24.579622030 CEST	50629	443	192.168.2.6	142.250.185.132
Oct 2, 2024 18:38:27.658382893 CEST	50630	443	192.168.2.6	40.113.103.199
Oct 2, 2024 18:38:27.658442020 CEST	443	50630	40.113.103.199	192.168.2.6
Oct 2, 2024 18:38:27.658626080 CEST	50630	443	192.168.2.6	40.113.103.199
Oct 2, 2024 18:38:27.660235882 CEST	50630	443	192.168.2.6	40.113.103.199
Oct 2, 2024 18:38:27.660260916 CEST	443	50630	40.113.103.199	192.168.2.6
Oct 2, 2024 18:38:28.462692976 CEST	443	50630	40.113.103.199	192.168.2.6
Oct 2, 2024 18:38:28.463027000 CEST	50630	443	192.168.2.6	40.113.103.199
Oct 2, 2024 18:38:28.465681076 CEST	50630	443	192.168.2.6	40.113.103.199
Oct 2, 2024 18:38:28.465713024 CEST	443	50630	40.113.103.199	192.168.2.6
Oct 2, 2024 18:38:28.465936899 CEST	443	50630	40.113.103.199	192.168.2.6
Oct 2, 2024 18:38:28.468740940 CEST	50630	443	192.168.2.6	40.113.103.199
Oct 2, 2024 18:38:28.468930006 CEST	50630	443	192.168.2.6	40.113.103.199
Oct 2, 2024 18:38:28.468936920 CEST	443	50630	40.113.103.199	192.168.2.6
Oct 2, 2024 18:38:28.469122887 CEST	50630	443	192.168.2.6	40.113.103.199
Oct 2, 2024 18:38:28.515407085 CEST	443	50630	40.113.103.199	192.168.2.6
Oct 2, 2024 18:38:28.647852898 CEST	443	50630	40.113.103.199	192.168.2.6
Oct 2, 2024 18:38:28.647942066 CEST	443	50630	40.113.103.199	192.168.2.6
Oct 2, 2024 18:38:28.648427963 CEST	50630	443	192.168.2.6	40.113.103.199
Oct 2, 2024 18:38:28.648427963 CEST	50630	443	192.168.2.6	40.113.103.199
Oct 2, 2024 18:38:28.951987982 CEST	50630	443	192.168.2.6	40.113.103.199
Oct 2, 2024 18:38:28.952039003 CEST	443	50630	40.113.103.199	192.168.2.6
Oct 2, 2024 18:38:30.449453115 CEST	50631	443	192.168.2.6	216.58.212.174
Oct 2, 2024 18:38:30.449492931 CEST	443	50631	216.58.212.174	192.168.2.6
Oct 2, 2024 18:38:30.449593067 CEST	50631	443	192.168.2.6	216.58.212.174
Oct 2, 2024 18:38:30.449928999 CEST	50631	443	192.168.2.6	216.58.212.174
Oct 2, 2024 18:38:30.449942112 CEST	443	50631	216.58.212.174	192.168.2.6
Oct 2, 2024 18:38:30.816298008 CEST	50633	443	192.168.2.6	216.58.212.174
Oct 2, 2024 18:38:30.816360950 CEST	443	50633	216.58.212.174	192.168.2.6
Oct 2, 2024 18:38:30.816481113 CEST	50633	443	192.168.2.6	216.58.212.174
Oct 2, 2024 18:38:30.816804886 CEST	50633	443	192.168.2.6	216.58.212.174
Oct 2, 2024 18:38:30.816817999 CEST	443	50633	216.58.212.174	192.168.2.6
Oct 2, 2024 18:38:31.089761972 CEST	443	50631	216.58.212.174	192.168.2.6
Oct 2, 2024 18:38:31.090271950 CEST	50631	443	192.168.2.6	216.58.212.174
Oct 2, 2024 18:38:31.090287924 CEST	443	50631	216.58.212.174	192.168.2.6
Oct 2, 2024 18:38:31.090637922 CEST	443	50631	216.58.212.174	192.168.2.6
Oct 2, 2024 18:38:31.091113091 CEST	50631	443	192.168.2.6	216.58.212.174
Oct 2, 2024 18:38:31.091319084 CEST	50631	443	192.168.2.6	216.58.212.174
Oct 2, 2024 18:38:31.091317892 CEST	443	50631	216.58.212.174	192.168.2.6
Oct 2, 2024 18:38:31.091345072 CEST	50631	443	192.168.2.6	216.58.212.174
Oct 2, 2024 18:38:31.091378927 CEST	443	50631	216.58.212.174	192.168.2.6
Oct 2, 2024 18:38:31.137260914 CEST	50631	443	192.168.2.6	216.58.212.174
Oct 2, 2024 18:38:31.389507055 CEST	443	50631	216.58.212.174	192.168.2.6
Oct 2, 2024 18:38:31.390522957 CEST	443	50631	216.58.212.174	192.168.2.6
Oct 2, 2024 18:38:31.390620947 CEST	50631	443	192.168.2.6	216.58.212.174
Oct 2, 2024 18:38:31.390770912 CEST	50631	443	192.168.2.6	216.58.212.174
Oct 2, 2024 18:38:31.390784979 CEST	443	50631	216.58.212.174	192.168.2.6
Oct 2, 2024 18:38:31.460071087 CEST	443	50633	216.58.212.174	192.168.2.6
Oct 2, 2024 18:38:31.460608006 CEST	50633	443	192.168.2.6	216.58.212.174
Oct 2, 2024 18:38:31.460692883 CEST	443	50633	216.58.212.174	192.168.2.6
Oct 2, 2024 18:38:31.461078882 CEST	443	50633	216.58.212.174	192.168.2.6
Oct 2, 2024 18:38:31.461405993 CEST	50633	443	192.168.2.6	216.58.212.174
Oct 2, 2024 18:38:31.461484909 CEST	443	50633	216.58.212.174	192.168.2.6
Oct 2, 2024 18:38:31.461575031 CEST	50633	443	192.168.2.6	216.58.212.174
Oct 2, 2024 18:38:31.461621046 CEST	50633	443	192.168.2.6	216.58.212.174
Oct 2, 2024 18:38:31.461636066 CEST	443	50633	216.58.212.174	192.168.2.6
Oct 2, 2024 18:38:31.761966944 CEST	443	50633	216.58.212.174	192.168.2.6
Oct 2, 2024 18:38:31.762845993 CEST	443	50633	216.58.212.174	192.168.2.6
Oct 2, 2024 18:38:31.762901068 CEST	50633	443	192.168.2.6	216.58.212.174
Oct 2, 2024 18:38:31.762990952 CEST	50633	443	192.168.2.6	216.58.212.174
Oct 2, 2024 18:38:31.763011932 CEST	443	50633	216.58.212.174	192.168.2.6
Oct 2, 2024 18:38:34.429558039 CEST	443	50629	142.250.185.132	192.168.2.6
Oct 2, 2024 18:38:34.429737091 CEST	443	50629	142.250.185.132	192.168.2.6
Oct 2, 2024 18:38:34.429863930 CEST	50629	443	192.168.2.6	142.250.185.132
Oct 2, 2024 18:38:48.138921976 CEST	50629	443	192.168.2.6	142.250.185.132
Oct 2, 2024 18:38:48.138955116 CEST	443	50629	142.250.185.132	192.168.2.6
Oct 2, 2024 18:38:51.427602053 CEST	50563	80	192.168.2.6	199.232.210.172
Oct 2, 2024 18:38:51.433115959 CEST	80	50563	199.232.210.172	192.168.2.6
Oct 2, 2024 18:38:51.433182001 CEST	50563	80	192.168.2.6	199.232.210.172
Oct 2, 2024 18:38:54.528358936 CEST	50635	443	192.168.2.6	40.113.103.199
Oct 2, 2024 18:38:54.528405905 CEST	443	50635	40.113.103.199	192.168.2.6
Oct 2, 2024 18:38:54.528575897 CEST	50635	443	192.168.2.6	40.113.103.199
Oct 2, 2024 18:38:54.529274940 CEST	50635	443	192.168.2.6	40.113.103.199
Oct 2, 2024 18:38:54.529290915 CEST	443	50635	40.113.103.199	192.168.2.6
Oct 2, 2024 18:38:55.320609093 CEST	443	50635	40.113.103.199	192.168.2.6
Oct 2, 2024 18:38:55.320753098 CEST	50635	443	192.168.2.6	40.113.103.199
Oct 2, 2024 18:38:55.323275089 CEST	50635	443	192.168.2.6	40.113.103.199
Oct 2, 2024 18:38:55.323287010 CEST	443	50635	40.113.103.199	192.168.2.6
Oct 2, 2024 18:38:55.323502064 CEST	443	50635	40.113.103.199	192.168.2.6
Oct 2, 2024 18:38:55.325599909 CEST	50635	443	192.168.2.6	40.113.103.199
Oct 2, 2024 18:38:55.325810909 CEST	50635	443	192.168.2.6	40.113.103.199
Oct 2, 2024 18:38:55.325814962 CEST	443	50635	40.113.103.199	192.168.2.6
Oct 2, 2024 18:38:55.326155901 CEST	50635	443	192.168.2.6	40.113.103.199
Oct 2, 2024 18:38:55.367418051 CEST	443	50635	40.113.103.199	192.168.2.6
Oct 2, 2024 18:38:55.502365112 CEST	443	50635	40.113.103.199	192.168.2.6
Oct 2, 2024 18:38:55.502612114 CEST	443	50635	40.113.103.199	192.168.2.6
Oct 2, 2024 18:38:55.502677917 CEST	50635	443	192.168.2.6	40.113.103.199
Oct 2, 2024 18:38:55.502960920 CEST	50635	443	192.168.2.6	40.113.103.199
Oct 2, 2024 18:38:55.502983093 CEST	443	50635	40.113.103.199	192.168.2.6
Oct 2, 2024 18:39:00.595324039 CEST	50636	443	192.168.2.6	216.58.212.174
Oct 2, 2024 18:39:00.595395088 CEST	443	50636	216.58.212.174	192.168.2.6
Oct 2, 2024 18:39:00.595508099 CEST	50636	443	192.168.2.6	216.58.212.174
Oct 2, 2024 18:39:00.596007109 CEST	50636	443	192.168.2.6	216.58.212.174
Oct 2, 2024 18:39:00.596020937 CEST	443	50636	216.58.212.174	192.168.2.6
Oct 2, 2024 18:39:01.233134031 CEST	443	50636	216.58.212.174	192.168.2.6
Oct 2, 2024 18:39:01.233484030 CEST	50636	443	192.168.2.6	216.58.212.174
Oct 2, 2024 18:39:01.233513117 CEST	443	50636	216.58.212.174	192.168.2.6
Oct 2, 2024 18:39:01.234056950 CEST	443	50636	216.58.212.174	192.168.2.6
Oct 2, 2024 18:39:01.234457970 CEST	50636	443	192.168.2.6	216.58.212.174
Oct 2, 2024 18:39:01.234515905 CEST	50636	443	192.168.2.6	216.58.212.174
Oct 2, 2024 18:39:01.234524012 CEST	443	50636	216.58.212.174	192.168.2.6
Oct 2, 2024 18:39:01.234534979 CEST	443	50636	216.58.212.174	192.168.2.6
Oct 2, 2024 18:39:01.234541893 CEST	50636	443	192.168.2.6	216.58.212.174
Oct 2, 2024 18:39:01.275440931 CEST	443	50636	216.58.212.174	192.168.2.6
Oct 2, 2024 18:39:01.278924942 CEST	50636	443	192.168.2.6	216.58.212.174
Oct 2, 2024 18:39:01.688031912 CEST	443	50636	216.58.212.174	192.168.2.6
Oct 2, 2024 18:39:01.688210964 CEST	443	50636	216.58.212.174	192.168.2.6
Oct 2, 2024 18:39:01.688340902 CEST	50636	443	192.168.2.6	216.58.212.174
Oct 2, 2024 18:39:01.688872099 CEST	50636	443	192.168.2.6	216.58.212.174
Oct 2, 2024 18:39:01.688899040 CEST	443	50636	216.58.212.174	192.168.2.6
Oct 2, 2024 18:39:02.765175104 CEST	50637	443	192.168.2.6	216.58.212.174
Oct 2, 2024 18:39:02.765214920 CEST	443	50637	216.58.212.174	192.168.2.6
Oct 2, 2024 18:39:02.765300035 CEST	50637	443	192.168.2.6	216.58.212.174
Oct 2, 2024 18:39:02.765602112 CEST	50637	443	192.168.2.6	216.58.212.174
Oct 2, 2024 18:39:02.765613079 CEST	443	50637	216.58.212.174	192.168.2.6
Oct 2, 2024 18:39:03.425056934 CEST	443	50637	216.58.212.174	192.168.2.6
Oct 2, 2024 18:39:03.425436974 CEST	50637	443	192.168.2.6	216.58.212.174
Oct 2, 2024 18:39:03.425456047 CEST	443	50637	216.58.212.174	192.168.2.6
Oct 2, 2024 18:39:03.425823927 CEST	443	50637	216.58.212.174	192.168.2.6
Oct 2, 2024 18:39:03.426140070 CEST	50637	443	192.168.2.6	216.58.212.174
Oct 2, 2024 18:39:03.426206112 CEST	443	50637	216.58.212.174	192.168.2.6
Oct 2, 2024 18:39:03.426285982 CEST	50637	443	192.168.2.6	216.58.212.174
Oct 2, 2024 18:39:03.426309109 CEST	50637	443	192.168.2.6	216.58.212.174
Oct 2, 2024 18:39:03.426318884 CEST	443	50637	216.58.212.174	192.168.2.6
Oct 2, 2024 18:39:03.733593941 CEST	443	50637	216.58.212.174	192.168.2.6
Oct 2, 2024 18:39:03.733732939 CEST	443	50637	216.58.212.174	192.168.2.6
Oct 2, 2024 18:39:03.733776093 CEST	50637	443	192.168.2.6	216.58.212.174
Oct 2, 2024 18:39:03.734075069 CEST	50637	443	192.168.2.6	216.58.212.174
Oct 2, 2024 18:39:03.734091043 CEST	443	50637	216.58.212.174	192.168.2.6
Oct 2, 2024 18:39:22.117311954 CEST	50638	443	192.168.2.6	40.113.103.199
Oct 2, 2024 18:39:22.117415905 CEST	443	50638	40.113.103.199	192.168.2.6
Oct 2, 2024 18:39:22.117522001 CEST	50638	443	192.168.2.6	40.113.103.199
Oct 2, 2024 18:39:22.118132114 CEST	50638	443	192.168.2.6	40.113.103.199
Oct 2, 2024 18:39:22.118191004 CEST	443	50638	40.113.103.199	192.168.2.6
Oct 2, 2024 18:39:22.902957916 CEST	443	50638	40.113.103.199	192.168.2.6
Oct 2, 2024 18:39:22.903090954 CEST	50638	443	192.168.2.6	40.113.103.199
Oct 2, 2024 18:39:22.905498981 CEST	50638	443	192.168.2.6	40.113.103.199
Oct 2, 2024 18:39:22.905517101 CEST	443	50638	40.113.103.199	192.168.2.6
Oct 2, 2024 18:39:22.905776978 CEST	443	50638	40.113.103.199	192.168.2.6
Oct 2, 2024 18:39:22.907682896 CEST	50638	443	192.168.2.6	40.113.103.199
Oct 2, 2024 18:39:22.907777071 CEST	50638	443	192.168.2.6	40.113.103.199
Oct 2, 2024 18:39:22.907783985 CEST	443	50638	40.113.103.199	192.168.2.6
Oct 2, 2024 18:39:22.907886982 CEST	50638	443	192.168.2.6	40.113.103.199
Oct 2, 2024 18:39:22.955404997 CEST	443	50638	40.113.103.199	192.168.2.6
Oct 2, 2024 18:39:23.077898979 CEST	443	50638	40.113.103.199	192.168.2.6
Oct 2, 2024 18:39:23.078160048 CEST	443	50638	40.113.103.199	192.168.2.6
Oct 2, 2024 18:39:23.078639030 CEST	50638	443	192.168.2.6	40.113.103.199
Oct 2, 2024 18:39:23.079118013 CEST	50638	443	192.168.2.6	40.113.103.199
Oct 2, 2024 18:39:23.079142094 CEST	443	50638	40.113.103.199	192.168.2.6
Oct 2, 2024 18:39:23.079159021 CEST	50638	443	192.168.2.6	40.113.103.199

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 18:37:19.133893013 CEST	53	61082	1.1.1.1	192.168.2.6
Oct 2, 2024 18:37:19.161139965 CEST	65294	53	192.168.2.6	1.1.1.1
Oct 2, 2024 18:37:19.161176920 CEST	50242	53	192.168.2.6	1.1.1.1
Oct 2, 2024 18:37:19.168051004 CEST	53	65294	1.1.1.1	192.168.2.6
Oct 2, 2024 18:37:19.169001102 CEST	53	50242	1.1.1.1	192.168.2.6
Oct 2, 2024 18:37:19.169632912 CEST	53	64033	1.1.1.1	192.168.2.6
Oct 2, 2024 18:37:20.164197922 CEST	56610	53	192.168.2.6	1.1.1.1
Oct 2, 2024 18:37:20.164406061 CEST	58006	53	192.168.2.6	1.1.1.1
Oct 2, 2024 18:37:20.170949936 CEST	53	56610	1.1.1.1	192.168.2.6
Oct 2, 2024 18:37:20.171236992 CEST	53	58006	1.1.1.1	192.168.2.6
Oct 2, 2024 18:37:20.224211931 CEST	53	51474	1.1.1.1	192.168.2.6
Oct 2, 2024 18:37:23.622227907 CEST	53	58359	1.1.1.1	192.168.2.6
Oct 2, 2024 18:37:23.650152922 CEST	55329	53	192.168.2.6	1.1.1.1
Oct 2, 2024 18:37:23.650240898 CEST	61787	53	192.168.2.6	1.1.1.1
Oct 2, 2024 18:37:23.656883955 CEST	53	55329	1.1.1.1	192.168.2.6
Oct 2, 2024 18:37:23.658199072 CEST	53	61787	1.1.1.1	192.168.2.6
Oct 2, 2024 18:37:25.686343908 CEST	53	51741	1.1.1.1	192.168.2.6
Oct 2, 2024 18:37:28.707025051 CEST	63605	53	192.168.2.6	1.1.1.1
Oct 2, 2024 18:37:28.707241058 CEST	65523	53	192.168.2.6	1.1.1.1
Oct 2, 2024 18:37:28.714624882 CEST	53	63605	1.1.1.1	192.168.2.6
Oct 2, 2024 18:37:28.714790106 CEST	53	65523	1.1.1.1	192.168.2.6
Oct 2, 2024 18:37:29.889672041 CEST	64326	53	192.168.2.6	1.1.1.1
Oct 2, 2024 18:37:29.890357018 CEST	53483	53	192.168.2.6	1.1.1.1
Oct 2, 2024 18:37:29.896840096 CEST	53	64326	1.1.1.1	192.168.2.6
Oct 2, 2024 18:37:29.897556067 CEST	53	53483	1.1.1.1	192.168.2.6
Oct 2, 2024 18:37:37.131669044 CEST	53	55597	1.1.1.1	192.168.2.6
Oct 2, 2024 18:37:56.273816109 CEST	53	63178	1.1.1.1	192.168.2.6
Oct 2, 2024 18:38:18.759346008 CEST	53	55449	1.1.1.1	192.168.2.6
Oct 2, 2024 18:38:19.000025034 CEST	53	52660	1.1.1.1	192.168.2.6
Oct 2, 2024 18:38:30.440926075 CEST	59856	53	192.168.2.6	1.1.1.1
Oct 2, 2024 18:38:30.441406012 CEST	56803	53	192.168.2.6	1.1.1.1
Oct 2, 2024 18:38:30.448534012 CEST	53	59856	1.1.1.1	192.168.2.6
Oct 2, 2024 18:38:30.448549032 CEST	53	56803	1.1.1.1	192.168.2.6
Oct 2, 2024 18:38:30.747015953 CEST	53	54270	1.1.1.1	192.168.2.6
Oct 2, 2024 18:38:48.233752012 CEST	53	65280	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 2, 2024 18:37:19.161139965 CEST	192.168.2.6	1.1.1.1	0x4c7e	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:37:19.161176920 CEST	192.168.2.6	1.1.1.1	0x7576	Standard query (0)	youtube.com	65	IN (0x0001)	false
Oct 2, 2024 18:37:20.164197922 CEST	192.168.2.6	1.1.1.1	0x6e61	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:37:20.164406061 CEST	192.168.2.6	1.1.1.1	0x2cfa	Standard query (0)	www.youtube.com	65	IN (0x0001)	false
Oct 2, 2024 18:37:23.650152922 CEST	192.168.2.6	1.1.1.1	0x68d1	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:37:23.650240898 CEST	192.168.2.6	1.1.1.1	0x408	Standard query (0)	www.google.com	65	IN (0x0001)	false
Oct 2, 2024 18:37:28.707025051 CEST	192.168.2.6	1.1.1.1	0x54f	Standard query (0)	accounts.youtube.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:37:28.707241058 CEST	192.168.2.6	1.1.1.1	0xa18c	Standard query (0)	accounts.youtube.com	65	IN (0x0001)	false
Oct 2, 2024 18:37:29.889672041 CEST	192.168.2.6	1.1.1.1	0x55b3	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:37:29.890357018 CEST	192.168.2.6	1.1.1.1	0xa172	Standard query (0)	play.google.com	65	IN (0x0001)	false
Oct 2, 2024 18:38:30.440926075 CEST	192.168.2.6	1.1.1.1	0xd981	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:38:30.441406012 CEST	192.168.2.6	1.1.1.1	0x9f48	Standard query (0)	play.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 2, 2024 18:37:19.168051004 CEST	1.1.1.1	192.168.2.6	0x4c7e	No error (0)	youtube.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:37:19.169001102 CEST	1.1.1.1	192.168.2.6	0x7576	No error (0)	youtube.com			65	IN (0x0001)	false
Oct 2, 2024 18:37:20.170949936 CEST	1.1.1.1	192.168.2.6	0x6e61	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 18:37:20.170949936 CEST	1.1.1.1	192.168.2.6	0x6e61	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:37:20.170949936 CEST	1.1.1.1	192.168.2.6	0x6e61	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:37:20.170949936 CEST	1.1.1.1	192.168.2.6	0x6e61	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:37:20.170949936 CEST	1.1.1.1	192.168.2.6	0x6e61	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:37:20.170949936 CEST	1.1.1.1	192.168.2.6	0x6e61	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:37:20.170949936 CEST	1.1.1.1	192.168.2.6	0x6e61	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:37:20.170949936 CEST	1.1.1.1	192.168.2.6	0x6e61	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:37:20.170949936 CEST	1.1.1.1	192.168.2.6	0x6e61	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:37:20.170949936 CEST	1.1.1.1	192.168.2.6	0x6e61	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:37:20.170949936 CEST	1.1.1.1	192.168.2.6	0x6e61	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:37:20.170949936 CEST	1.1.1.1	192.168.2.6	0x6e61	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:37:20.170949936 CEST	1.1.1.1	192.168.2.6	0x6e61	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:37:20.170949936 CEST	1.1.1.1	192.168.2.6	0x6e61	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:37:20.170949936 CEST	1.1.1.1	192.168.2.6	0x6e61	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:37:20.170949936 CEST	1.1.1.1	192.168.2.6	0x6e61	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:37:20.170949936 CEST	1.1.1.1	192.168.2.6	0x6e61	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:37:20.171236992 CEST	1.1.1.1	192.168.2.6	0x2cfa	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 18:37:20.171236992 CEST	1.1.1.1	192.168.2.6	0x2cfa	No error (0)	youtube-ui.l.google.com			65	IN (0x0001)	false
Oct 2, 2024 18:37:23.656883955 CEST	1.1.1.1	192.168.2.6	0x68d1	No error (0)	www.google.com		142.250.185.132	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:37:23.658199072 CEST	1.1.1.1	192.168.2.6	0x408	No error (0)	www.google.com			65	IN (0x0001)	false
Oct 2, 2024 18:37:28.714624882 CEST	1.1.1.1	192.168.2.6	0x54f	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 18:37:28.714624882 CEST	1.1.1.1	192.168.2.6	0x54f	No error (0)	www3.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:37:28.714790106 CEST	1.1.1.1	192.168.2.6	0xa18c	No error (0)	accounts.youtube.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 18:37:29.896840096 CEST	1.1.1.1	192.168.2.6	0x55b3	No error (0)	play.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 18:38:30.448534012 CEST	1.1.1.1	192.168.2.6	0xd981	No error (0)	play.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.youtube.com

fs.microsoft.com

https:

accounts.youtube.com

play.google.com

www.google.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	50575	142.250.185.142	443	2248	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:37:20 UTC	857	OUT	GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1 Host: www.youtube.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc= Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 16:37:21 UTC	2634	IN	HTTP/1.1 303 See Other Content-Type: application/binary X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 02 Oct 2024 16:37:21 GMT Location: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Content-Security-Policy: require-trusted-types-for 'script' Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} P3P: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info." Server: ESF Content-Length: 0 X-XSS-Protection: 0 Set-Cookie: GPS=1; Domain=.youtube.com; Expires=Wed, 02-Oct-2024 17:07:21 GMT; Path=/; Secure; HttpOnly Set-Cookie: YSC=GxW5O3adpvw; Domain=.youtube.com; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_INFO1_LIVE=hOerVMecYng; Domain=.youtube.com; Expires=Mon, 31-Mar-2025 16:37:21 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_PRIVACY_METADATA=CgJVUxIEGgAgbA%3D%3D; Domain=.youtube.com; Expires=Mon, 31-Mar-2025 16:37:21 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.2.6	50574	40.113.110.67	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:37:21 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 71 48 69 46 4b 50 57 4c 71 30 75 65 68 34 50 5a 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 66 61 39 34 39 39 37 34 64 34 32 39 62 37 37 32 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: qHiFKPWLq0ueh4PZ.1Context: fa949974d429b772
2024-10-02 16:37:21 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-10-02 16:37:21 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 71 48 69 46 4b 50 57 4c 71 30 75 65 68 34 50 5a 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 66 61 39 34 39 39 37 34 64 34 32 39 62 37 37 32 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 64 2b 6e 2b 33 44 36 66 41 75 4a 4f 41 4d 68 50 71 2b 75 4c 31 2b 51 52 76 51 6f 63 36 6b 79 73 36 67 6e 4e 37 44 35 7a 6e 7a 59 6f 70 39 39 2b 58 45 61 76 79 38 54 77 64 73 61 63 6e 41 56 4b 74 71 41 6d 51 62 4f 46 53 4c 4b 50 4a 63 39 68 4d 65 43 72 46 55 5a 5a 55 36 64 68 33 6f 55 55 66 73 2f 76 36 33 47 38 6e 54 66 62 67 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: qHiFKPWLq0ueh4PZ.2Context: fa949974d429b772<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAd+n+3D6fAuJOAMhPq+uL1+QRvQoc6kys6gnN7D5znzYop99+XEavy8TwdsacnAVKtqAmQbOFSLKPJc9hMeCrFUZZU6dh3oUUfs/v63G8nTfbg
2024-10-02 16:37:21 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 71 48 69 46 4b 50 57 4c 71 30 75 65 68 34 50 5a 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 66 61 39 34 39 39 37 34 64 34 32 39 62 37 37 32 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: qHiFKPWLq0ueh4PZ.3Context: fa949974d429b772<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-10-02 16:37:21 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-10-02 16:37:21 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 73 2f 72 6d 47 39 56 37 38 45 57 67 36 76 47 79 2f 58 52 65 77 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: s/rmG9V78EWg6vGy/XRewA.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	50582	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:37:24 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-02 16:37:24 UTC	466	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-neu-z1 Cache-Control: public, max-age=86906 Date: Wed, 02 Oct 2024 16:37:24 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	50586	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:37:25 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-02 16:37:25 UTC	514	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=86849 Date: Wed, 02 Oct 2024 16:37:25 GMT Content-Length: 55 Connection: close X-CID: 2
2024-10-02 16:37:25 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	50600	142.250.185.206	443	2248	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:37:29 UTC	1225	OUT	GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=-1076236206&timestamp=1727887047473 HTTP/1.1 Host: accounts.youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-arch: "x86" sec-ch-ua-platform: "Windows" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-model: "" sec-ch-ua-bitness: "64" sec-ch-ua-wow64: ?0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc= Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: iframe Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 16:37:29 UTC	1969	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 X-Frame-Options: ALLOW-FROM https://accounts.google.com Content-Security-Policy: frame-ancestors https://accounts.google.com Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-k0aVZZeewlTzoi41-SkGVg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport/allowlist Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 02 Oct 2024 16:37:29 GMT Cross-Origin-Resource-Policy: cross-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version reporting-endpoints: default="/_/AccountsDomainCookiesCheckConnectionHttp/web-reports?context=eJzjstDikmLw1pBikPj6kkkNiJ3SZ7AGAHHSv_OsBUB8ufsS63UgVu25xGoMxEUSV1gbgFiIh-Pk26_b2QQ6fk7YyKSkl5RfGJ-ZkppXkllSmZKfm5iZl5yfn52ZWlycWlSWWhRvZGBkYmBpZKRnYBFfYAAA8IQtzg" Server: ESF X-XSS-Protection: 0 X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 16:37:29 UTC	1969	IN	Data Raw: 37 36 31 39 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 6b 30 61 56 5a 5a 65 65 77 6c 54 7a 6f 69 34 31 2d 53 6b 47 56 67 22 3e 22 75 73 65 20 73 74 72 69 63 74 22 3b 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 3d 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 7c 7c 7b 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 5f 29 7b 76 61 72 20 77 69 6e 64 6f 77 3d 74 68 69 73 3b 0a 74 72 79 7b 0a 5f 2e 5f 46 5f 74 6f 67 67 6c 65 73 5f 69 6e 69 74 69 61 6c 69 7a 65 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 28 74 79 70 65 6f Data Ascii: 7619<html><head><script nonce="k0aVZZeewlTzoi41-SkGVg">"use strict";this.default_AccountsDomaincookiesCheckconnectionJs=this.default_AccountsDomaincookiesCheckconnectionJs\|\|{};(function(_){var window=this;try{_._F_toggles_initialize=function(a){(typeo
2024-10-02 16:37:29 UTC	1969	IN	Data Raw: 54 72 69 64 65 6e 74 5c 2f 28 5c 64 2e 5c 64 29 2f 2e 65 78 65 63 28 62 29 2c 0a 63 5b 31 5d 3d 3d 22 37 2e 30 22 29 69 66 28 62 26 26 62 5b 31 5d 29 73 77 69 74 63 68 28 62 5b 31 5d 29 7b 63 61 73 65 20 22 34 2e 30 22 3a 61 3d 22 38 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 35 2e 30 22 3a 61 3d 22 39 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 36 2e 30 22 3a 61 3d 22 31 30 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 37 2e 30 22 3a 61 3d 22 31 31 2e 30 22 7d 65 6c 73 65 20 61 3d 22 37 2e 30 22 3b 65 6c 73 65 20 61 3d 63 5b 31 5d 3b 62 3d 61 7d 65 6c 73 65 20 62 3d 22 22 3b 72 65 74 75 72 6e 20 62 7d 76 61 72 20 64 3d 52 65 67 45 78 70 28 22 28 5b 41 2d 5a 5d 5b 5c 5c 77 20 5d 2b 29 2f 28 5b 5e 5c 5c 73 5d 2b 29 5c 5c 73 2a 28 3f 3a 5c 5c 28 Data Ascii: Trident\/(\d.\d)/.exec(b),c[1]=="7.0")if(b&&b[1])switch(b[1]){case "4.0":a="8.0";break;case "5.0":a="9.0";break;case "6.0":a="10.0";break;case "7.0":a="11.0"}else a="7.0";else a=c[1];b=a}else b="";return b}var d=RegExp("([A-Z][\\w ]+)/([^\\s]+)\\s*(?:\\(
2024-10-02 16:37:29 UTC	1969	IN	Data Raw: 74 63 68 28 74 79 70 65 6f 66 20 61 29 7b 63 61 73 65 20 22 6e 75 6d 62 65 72 22 3a 72 65 74 75 72 6e 20 69 73 46 69 6e 69 74 65 28 61 29 3f 61 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 69 67 69 6e 74 22 3a 72 65 74 75 72 6e 28 41 61 3f 0a 61 3e 3d 42 61 26 26 61 3c 3d 43 61 3a 61 5b 30 5d 3d 3d 3d 22 2d 22 3f 75 61 28 61 2c 44 61 29 3a 75 61 28 61 2c 45 61 29 29 3f 4e 75 6d 62 65 72 28 61 29 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 72 65 74 75 72 6e 20 61 3f 31 3a 30 3b 63 61 73 65 20 22 6f 62 6a 65 63 74 22 3a 69 66 28 61 29 69 66 28 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 61 29 29 7b 69 66 28 43 28 61 29 29 72 65 74 75 72 6e 7d 65 6c 73 65 20 69 66 28 46 61 26 26 61 21 3d 6e 75 6c 6c 26 26 61 20 69 6e Data Ascii: tch(typeof a){case "number":return isFinite(a)?a:String(a);case "bigint":return(Aa?a>=Ba&&a<=Ca:a[0]==="-"?ua(a,Da):ua(a,Ea))?Number(a):String(a);case "boolean":return a?1:0;case "object":if(a)if(Array.isArray(a)){if(C(a))return}else if(Fa&&a!=null&&a in
2024-10-02 16:37:29 UTC	1969	IN	Data Raw: 7b 76 61 72 20 62 3b 69 66 28 61 26 26 28 62 3d 51 61 29 21 3d 6e 75 6c 6c 26 26 62 2e 68 61 73 28 61 29 26 26 28 62 3d 61 2e 43 29 29 66 6f 72 28 76 61 72 20 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 62 5b 63 5d 3b 69 66 28 63 3d 3d 3d 62 2e 6c 65 6e 67 74 68 2d 31 26 26 41 28 64 29 29 66 6f 72 28 76 61 72 20 65 20 69 6e 20 64 29 7b 76 61 72 20 66 3d 64 5b 65 5d 3b 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 66 29 26 26 0a 52 61 28 66 2c 61 29 7d 65 6c 73 65 20 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 64 29 26 26 52 61 28 64 2c 61 29 7d 61 3d 45 3f 61 2e 43 3a 4d 61 28 61 2e 43 2c 50 61 2c 76 6f 69 64 20 30 2c 76 6f 69 64 20 30 2c 21 31 29 3b 65 3d 21 45 3b 69 66 28 62 3d 61 2e 6c 65 6e 67 74 68 29 7b 64 3d 61 5b 62 2d Data Ascii: {var b;if(a&&(b=Qa)!=null&&b.has(a)&&(b=a.C))for(var c=0;c<b.length;c++){var d=b[c];if(c===b.length-1&&A(d))for(var e in d){var f=d[e];Array.isArray(f)&&Ra(f,a)}else Array.isArray(d)&&Ra(d,a)}a=E?a.C:Ma(a.C,Pa,void 0,void 0,!1);e=!E;if(b=a.length){d=a[b-
2024-10-02 16:37:29 UTC	1969	IN	Data Raw: 6f 6c 2e 69 74 65 72 61 74 6f 72 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 61 29 72 65 74 75 72 6e 20 61 3b 61 3d 53 79 6d 62 6f 6c 28 22 63 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 22 41 72 72 61 79 20 49 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 43 6c 61 6d 70 65 64 41 72 72 61 79 20 49 6e 74 31 36 41 72 72 61 79 20 55 69 6e 74 31 36 41 72 72 61 79 20 49 6e 74 33 32 41 72 72 61 79 20 55 69 6e 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 36 34 41 72 72 61 79 22 2e 73 70 6c 69 74 28 22 20 22 29 2c 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 57 61 5b 62 5b 63 5d 5d 3b 74 79 70 65 6f 66 20 64 3d 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 26 26 74 79 70 65 Data Ascii: ol.iterator",function(a){if(a)return a;a=Symbol("c");for(var b="Array Int8Array Uint8Array Uint8ClampedArray Int16Array Uint16Array Int32Array Uint32Array Float32Array Float64Array".split(" "),c=0;c<b.length;c++){var d=Wa[b[c]];typeof d==="function"&&type
2024-10-02 16:37:29 UTC	1969	IN	Data Raw: 29 3b 65 28 22 66 72 65 65 7a 65 22 29 3b 65 28 22 70 72 65 76 65 6e 74 45 78 74 65 6e 73 69 6f 6e 73 22 29 3b 65 28 22 73 65 61 6c 22 29 3b 76 61 72 20 68 3d 30 2c 67 3d 66 75 6e 63 74 69 6f 6e 28 6b 29 7b 74 68 69 73 2e 67 3d 28 68 2b 3d 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2b 31 29 2e 74 6f 53 74 72 69 6e 67 28 29 3b 69 66 28 6b 29 7b 6b 3d 48 28 6b 29 3b 66 6f 72 28 76 61 72 20 6c 3b 21 28 6c 3d 6b 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6c 3d 6c 2e 76 61 6c 75 65 2c 74 68 69 73 2e 73 65 74 28 6c 5b 30 5d 2c 6c 5b 31 5d 29 7d 7d 3b 67 2e 70 72 6f 74 6f 74 79 70 65 2e 73 65 74 3d 66 75 6e 63 74 69 6f 6e 28 6b 2c 6c 29 7b 69 66 28 21 63 28 6b 29 29 74 68 72 6f 77 20 45 72 72 6f 72 28 22 69 22 29 3b 64 28 6b 29 3b 69 66 28 21 49 28 6b 2c 66 29 29 Data Ascii: );e("freeze");e("preventExtensions");e("seal");var h=0,g=function(k){this.g=(h+=Math.random()+1).toString();if(k){k=H(k);for(var l;!(l=k.next()).done;)l=l.value,this.set(l[0],l[1])}};g.prototype.set=function(k,l){if(!c(k))throw Error("i");d(k);if(!I(k,f))
2024-10-02 16:37:29 UTC	1969	IN	Data Raw: 75 72 6e 20 67 2e 76 61 6c 75 65 7d 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 2e 66 6f 72 45 61 63 68 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 66 6f 72 28 76 61 72 20 6c 3d 74 68 69 73 2e 65 6e 74 72 69 65 73 28 29 2c 6d 3b 21 28 6d 3d 6c 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6d 3d 0a 6d 2e 76 61 6c 75 65 2c 67 2e 63 61 6c 6c 28 6b 2c 6d 5b 31 5d 2c 6d 5b 30 5d 2c 74 68 69 73 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 5b 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 5d 3d 63 2e 70 72 6f 74 6f 74 79 70 65 2e 65 6e 74 72 69 65 73 3b 76 61 72 20 64 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 76 61 72 20 6c 3d 6b 26 26 74 79 70 65 6f 66 20 6b 3b 6c 3d 3d 22 6f 62 6a 65 63 74 22 7c 7c 6c 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 3f 62 2e 68 61 73 28 6b 29 Data Ascii: urn g.value})};c.prototype.forEach=function(g,k){for(var l=this.entries(),m;!(m=l.next()).done;)m=m.value,g.call(k,m[1],m[0],this)};c.prototype[Symbol.iterator]=c.prototype.entries;var d=function(g,k){var l=k&&typeof k;l=="object"\|\|l=="function"?b.has(k)
2024-10-02 16:37:29 UTC	1969	IN	Data Raw: 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 3f 61 3a 66 75 6e 63 74 69 6f 6e 28 62 29 7b 72 65 74 75 72 6e 20 74 79 70 65 6f 66 20 62 3d 3d 3d 22 6e 75 6d 62 65 72 22 26 26 69 73 4e 61 4e 28 62 29 7d 7d 29 3b 76 61 72 20 66 62 3d 66 62 7c 7c 7b 7d 2c 71 3d 74 68 69 73 7c 7c 73 65 6c 66 2c 67 62 3d 71 2e 5f 46 5f 74 6f 67 67 6c 65 73 7c 7c 5b 5d 2c 68 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 3d 61 2e 73 70 6c 69 74 28 22 2e 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 71 2c 63 3d 30 3b 63 3c 61 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 69 66 28 62 3d 62 5b 61 5b 63 5d 5d 2c 62 3d 3d 6e 75 6c 6c 29 72 65 74 75 72 6e 20 6e 75 6c 6c 3b 72 65 74 75 72 6e 20 62 7d 2c 69 62 3d 22 63 6c 6f 73 75 72 65 5f 75 69 64 5f 22 2b 28 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2a 31 45 Data Ascii: on(a){return a?a:function(b){return typeof b==="number"&&isNaN(b)}});var fb=fb\|\|{},q=this\|\|self,gb=q._F_toggles\|\|[],hb=function(a){a=a.split(".");for(var b=q,c=0;c<a.length;c++)if(b=b[a[c]],b==null)return null;return b},ib="closure_uid_"+(Math.random()*1E
2024-10-02 16:37:29 UTC	1969	IN	Data Raw: 74 65 78 74 5f 5f 39 38 34 33 38 32 3d 7b 7d 29 3b 61 2e 5f 5f 63 6c 6f 73 75 72 65 5f 5f 65 72 72 6f 72 5f 5f 63 6f 6e 74 65 78 74 5f 5f 39 38 34 33 38 32 2e 73 65 76 65 72 69 74 79 3d 62 7d 3b 76 61 72 20 71 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 63 3d 63 7c 7c 71 3b 76 61 72 20 64 3d 63 2e 6f 6e 65 72 72 6f 72 2c 65 3d 21 21 62 3b 63 2e 6f 6e 65 72 72 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 66 2c 68 2c 67 2c 6b 2c 6c 29 7b 64 26 26 64 28 66 2c 68 2c 67 2c 6b 2c 6c 29 3b 61 28 7b 6d 65 73 73 61 67 65 3a 66 2c 66 69 6c 65 4e 61 6d 65 3a 68 2c 6c 69 6e 65 3a 67 2c 6c 69 6e 65 4e 75 6d 62 65 72 3a 67 2c 63 61 3a 6b 2c 65 72 72 6f 72 3a 6c 7d 29 3b 72 65 74 75 72 6e 20 65 7d 7d 2c 74 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3d 68 Data Ascii: text__984382={});a.__closure__error__context__984382.severity=b};var qb=function(a,b,c){c=c\|\|q;var d=c.onerror,e=!!b;c.onerror=function(f,h,g,k,l){d&&d(f,h,g,k,l);a({message:f,fileName:h,line:g,lineNumber:g,ca:k,error:l});return e}},tb=function(a){var b=h
2024-10-02 16:37:29 UTC	1969	IN	Data Raw: 22 6e 75 6d 62 65 72 22 3a 66 3d 53 74 72 69 6e 67 28 66 29 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 66 3d 66 3f 22 74 72 75 65 22 3a 22 66 61 6c 73 65 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 66 75 6e 63 74 69 6f 6e 22 3a 66 3d 28 66 3d 73 62 28 66 29 29 3f 66 3a 22 5b 66 6e 5d 22 3b 62 72 65 61 6b 3b 64 65 66 61 75 6c 74 3a 66 3d 0a 74 79 70 65 6f 66 20 66 7d 66 2e 6c 65 6e 67 74 68 3e 34 30 26 26 28 66 3d 66 2e 73 6c 69 63 65 28 30 2c 34 30 29 2b 22 2e 2e 2e 22 29 3b 63 2e 70 75 73 68 28 66 29 7d 62 2e 70 75 73 68 28 61 29 3b 63 2e 70 75 73 68 28 22 29 5c 6e 22 29 3b 74 72 79 7b 63 2e 70 75 73 68 28 77 62 28 61 2e 63 61 6c 6c 65 72 2c 62 29 29 7d 63 61 74 63 68 28 68 29 7b 63 2e 70 75 73 68 28 22 5b 65 78 63 65 70 74 69 6f 6e Data Ascii: "number":f=String(f);break;case "boolean":f=f?"true":"false";break;case "function":f=(f=sb(f))?f:"[fn]";break;default:f=typeof f}f.length>40&&(f=f.slice(0,40)+"...");c.push(f)}b.push(a);c.push(")\n");try{c.push(wb(a.caller,b))}catch(h){c.push("[exception

Session ID	Source IP	Source Port	Destination IP	Destination Port
5	192.168.2.6	50602	40.113.110.67	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:37:29 UTC	70	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 34 0d 0a 4d 53 2d 43 56 3a 20 33 6c 4d 70 55 47 42 58 45 45 32 70 34 6b 79 42 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 65 37 64 30 31 62 64 66 65 34 33 35 65 61 32 0d 0a 0d 0a Data Ascii: CNT 1 CON 304MS-CV: 3lMpUGBXEE2p4kyB.1Context: e7d01bdfe435ea2
2024-10-02 16:37:29 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-10-02 16:37:29 UTC	1083	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 30 0d 0a 4d 53 2d 43 56 3a 20 33 6c 4d 70 55 47 42 58 45 45 32 70 34 6b 79 42 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 65 37 64 30 31 62 64 66 65 34 33 35 65 61 32 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 64 2b 6e 2b 33 44 36 66 41 75 4a 4f 41 4d 68 50 71 2b 75 4c 31 2b 51 52 76 51 6f 63 36 6b 79 73 36 67 6e 4e 37 44 35 7a 6e 7a 59 6f 70 39 39 2b 58 45 61 76 79 38 54 77 64 73 61 63 6e 41 56 4b 74 71 41 6d 51 62 4f 46 53 4c 4b 50 4a 63 39 68 4d 65 43 72 46 55 5a 5a 55 36 64 68 33 6f 55 55 66 73 2f 76 36 33 47 38 6e 54 66 62 67 49 Data Ascii: ATH 2 CON\DEVICE 1060MS-CV: 3lMpUGBXEE2p4kyB.2Context: e7d01bdfe435ea2<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAd+n+3D6fAuJOAMhPq+uL1+QRvQoc6kys6gnN7D5znzYop99+XEavy8TwdsacnAVKtqAmQbOFSLKPJc9hMeCrFUZZU6dh3oUUfs/v63G8nTfbgI
2024-10-02 16:37:29 UTC	217	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 36 0d 0a 4d 53 2d 43 56 3a 20 33 6c 4d 70 55 47 42 58 45 45 32 70 34 6b 79 42 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 65 37 64 30 31 62 64 66 65 34 33 35 65 61 32 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 196MS-CV: 3lMpUGBXEE2p4kyB.3Context: e7d01bdfe435ea2<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-10-02 16:37:29 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-10-02 16:37:29 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 67 70 71 66 56 34 6a 58 69 6b 4b 52 54 45 30 62 75 67 72 44 44 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: gpqfV4jXikKRTE0bugrDDg.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	50604	142.250.185.110	443	2248	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:37:30 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 16:37:30 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 16:37:30 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	50606	142.250.185.110	443	2248	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:37:30 UTC	549	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 16:37:31 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 16:37:30 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	50609	142.250.185.110	443	2248	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:37:31 UTC	1112	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 519 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 16:37:31 UTC	519	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 37 30 34 38 36 35 37 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727887048657",null,null,null
2024-10-02 16:37:31 UTC	932	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=fhxT9QZPC0b0r5cHrMWwY18Ar-1JY856f-h5wE4Lvle4iIirXcab2ODWdPkg2oBFJDY5BuE8YoMt7NCpVQ_kYWUNyLDIrYTEXTqrO51M4ECmkNbcNLuWvskoVh1LTu10gEZlhlNss8qLAW_Sj3aiZsg8EGub6Vlowskc54gHmusvUh6qaw; expires=Thu, 03-Apr-2025 16:37:31 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 16:37:31 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Wed, 02 Oct 2024 16:37:31 GMT Connection: close Transfer-Encoding: chunked
2024-10-02 16:37:31 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 16:37:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	50610	142.250.185.110	443	2248	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:37:31 UTC	1112	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 507 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 16:37:31 UTC	507	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 37 30 34 38 37 35 32 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727887048752",null,null,null
2024-10-02 16:37:32 UTC	933	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=dddHZ_8otViNTC9cwCdQoA03ag_r032DFATbGGnfxyA0n90en5a8yr3p2Z6ARL2A1nvrYS8Z2xMHo2j50qWfBOMYMnmbq8xXD-1Bln6F_56LTxPJOgjRXCi4k0zrCAta0kTTnGfaRd1HOW8CUx-xPB1g03yc6SIYr0L_6L5W2KfWFcxLE1o; expires=Thu, 03-Apr-2025 16:37:31 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 16:37:31 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Wed, 02 Oct 2024 16:37:31 GMT Connection: close Transfer-Encoding: chunked
2024-10-02 16:37:32 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 16:37:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	50581	142.250.185.132	443	2248	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:37:32 UTC	1202	OUT	GET /favicon.ico HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=dddHZ_8otViNTC9cwCdQoA03ag_r032DFATbGGnfxyA0n90en5a8yr3p2Z6ARL2A1nvrYS8Z2xMHo2j50qWfBOMYMnmbq8xXD-1Bln6F_56LTxPJOgjRXCi4k0zrCAta0kTTnGfaRd1HOW8CUx-xPB1g03yc6SIYr0L_6L5W2KfWFcxLE1o
2024-10-02 16:37:32 UTC	706	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable" Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]} Content-Length: 5430 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Wed, 02 Oct 2024 13:38:50 GMT Expires: Thu, 10 Oct 2024 13:38:50 GMT Cache-Control: public, max-age=691200 Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT Content-Type: image/x-icon Vary: Accept-Encoding Age: 10722 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-02 16:37:32 UTC	684	IN	Data Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 30 fd fd fd 96 fd fd fd d8 fd fd fd f9 fd fd fd f9 fd fd fd d7 fd fd fd 94 fe fe fe 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 95 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd c1 ff ff ff ff fa fd f9 ff b4 d9 a7 ff 76 ba 5d ff 58 ab 3a ff 58 aa 3a ff 72 b8 59 ff ac d5 9d ff f8 fb f6 ff ff Data Ascii: h& ( 0.v]X:X:rY
2024-10-02 16:37:32 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d8 fd fd fd 99 ff ff ff ff 92 cf fb ff 37 52 ec ff 38 46 ea ff d0 d4 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 96 fe fe fe 32 ff ff ff ff f9 f9 fe ff 56 62 ed ff 35 43 ea ff 3b 49 eb ff 95 9c f4 ff cf d2 fa ff d1 d4 fa ff 96 9d f4 ff 52 5e ed ff e1 e3 fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 30 00 00 00 00 fd fd fd 9d ff ff ff ff e8 ea fd ff 58 63 ee ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 6c 76 f0 ff ff ff ff ff ff ff ff ff fd fd fd 98 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd c3 ff ff ff ff f9 f9 fe ff a5 ac f6 ff 5d 69 ee ff 3c Data Ascii: 7R8F2Vb5C;IR^0Xc5C5C5C5C5C5Clv]i<
2024-10-02 16:37:32 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d0 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd fd fd 8b ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b1 d8 a3 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 60 a5 35 ff ca 8e 3e ff f9 c1 9f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 87 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 25 fd fd fd fb ff ff ff ff ff ff ff ff ff ff ff ff c2 e0 b7 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 6e b6 54 ff 9f ce 8d ff b7 da aa ff b8 db ab ff a5 d2 95 ff 7b bc 64 ff 54 a8 35 ff 53 a8 34 ff 77 a0 37 ff e3 89 41 ff f4 85 42 ff f4 85 42 Data Ascii: S4S4S4S4S4S4S4S4S4S4S4S4S4S4`5>%S4S4S4S4S4S4nT{dT5S4w7ABB
2024-10-02 16:37:32 UTC	1390	IN	Data Raw: 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff fb d5 bf ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd ea fd fd fd cb ff ff ff ff ff ff ff ff ff ff ff ff 46 cd fc ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 21 ae f9 ff fb fb ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd c8 fd fd fd 9c ff ff ff ff ff ff ff ff ff ff ff ff 86 df fd ff 05 bc fb ff 05 bc fb ff 15 93 f5 ff 34 49 eb ff b3 b8 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: BBBBBBBF!4I
2024-10-02 16:37:32 UTC	576	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d2 fe fe fe 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd 8d fd fd fd fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd fb fd fd fd 8b fe fe fe 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 27 fd fd fd 9f fd fd fd f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: $'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	50613	20.114.59.183	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:37:32 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=3UKllD2MVWroSBo&MD=GLuuM2Nd HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-02 16:37:32 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 8765336a-b613-44ca-968a-1afa5b7fb33a MS-RequestId: bab7da1a-dc8e-48ed-8a40-bcdf36391025 MS-CV: zpyhREsRKk+Gt169.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 02 Oct 2024 16:37:32 GMT Connection: close Content-Length: 24490
2024-10-02 16:37:32 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-10-02 16:37:32 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	50621	142.250.185.110	443	2248	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:37:38 UTC	1287	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1224 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=dddHZ_8otViNTC9cwCdQoA03ag_r032DFATbGGnfxyA0n90en5a8yr3p2Z6ARL2A1nvrYS8Z2xMHo2j50qWfBOMYMnmbq8xXD-1Bln6F_56LTxPJOgjRXCi4k0zrCAta0kTTnGfaRd1HOW8CUx-xPB1g03yc6SIYr0L_6L5W2KfWFcxLE1o
2024-10-02 16:37:38 UTC	1224	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 34 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 35 35 38 2c 5b 5b 22 31 37 32 37 38 38 37 30 34 36 30 30 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,null,null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[4,0,0,0,0]]],558,[["1727887046000",null,null,null,
2024-10-02 16:37:38 UTC	941	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=518=aiVS7g8wsEexKxNB4VpA3jOeWAIgJGiiiwqn3ko5NNHIQnZ91RkMgH7CDmejz8d6bX1-hyVzGrWME0KM1us8gLr92YXQbaKSchVPcHST-nzeKoVWa4-L9PRpO8xCbwNFsOiqcWjCnjaTH5BoY8_rqHXiL4Vjwsk_tyqIkH6Ih83ImGnTgLMdpAPfWj4; expires=Thu, 03-Apr-2025 16:37:38 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 16:37:38 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Wed, 02 Oct 2024 16:37:38 GMT Connection: close Transfer-Encoding: chunked
2024-10-02 16:37:38 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 16:37:38 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
13	192.168.2.6	50622	40.113.110.67	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:37:43 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 62 74 72 42 6f 43 77 39 36 55 65 6d 47 62 58 59 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 34 34 65 63 62 31 30 65 64 32 35 33 30 34 36 66 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: btrBoCw96UemGbXY.1Context: 44ecb10ed253046f
2024-10-02 16:37:43 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-10-02 16:37:43 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 62 74 72 42 6f 43 77 39 36 55 65 6d 47 62 58 59 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 34 34 65 63 62 31 30 65 64 32 35 33 30 34 36 66 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 64 2b 6e 2b 33 44 36 66 41 75 4a 4f 41 4d 68 50 71 2b 75 4c 31 2b 51 52 76 51 6f 63 36 6b 79 73 36 67 6e 4e 37 44 35 7a 6e 7a 59 6f 70 39 39 2b 58 45 61 76 79 38 54 77 64 73 61 63 6e 41 56 4b 74 71 41 6d 51 62 4f 46 53 4c 4b 50 4a 63 39 68 4d 65 43 72 46 55 5a 5a 55 36 64 68 33 6f 55 55 66 73 2f 76 36 33 47 38 6e 54 66 62 67 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: btrBoCw96UemGbXY.2Context: 44ecb10ed253046f<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAd+n+3D6fAuJOAMhPq+uL1+QRvQoc6kys6gnN7D5znzYop99+XEavy8TwdsacnAVKtqAmQbOFSLKPJc9hMeCrFUZZU6dh3oUUfs/v63G8nTfbg
2024-10-02 16:37:43 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 62 74 72 42 6f 43 77 39 36 55 65 6d 47 62 58 59 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 34 34 65 63 62 31 30 65 64 32 35 33 30 34 36 66 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: btrBoCw96UemGbXY.3Context: 44ecb10ed253046f<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-10-02 16:37:43 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-10-02 16:37:43 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 6e 44 7a 62 4b 66 75 55 30 30 65 44 51 71 46 75 6a 63 75 4a 70 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: nDzbKfuU00eDQqFujcuJpg.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	50623	142.250.185.110	443	2248	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:38:00 UTC	1318	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1359 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=aiVS7g8wsEexKxNB4VpA3jOeWAIgJGiiiwqn3ko5NNHIQnZ91RkMgH7CDmejz8d6bX1-hyVzGrWME0KM1us8gLr92YXQbaKSchVPcHST-nzeKoVWa4-L9PRpO8xCbwNFsOiqcWjCnjaTH5BoY8_rqHXiL4Vjwsk_tyqIkH6Ih83ImGnTgLMdpAPfWj4
2024-10-02 16:38:00 UTC	1359	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 37 30 37 38 39 32 38 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727887078928",null,null,null
2024-10-02 16:38:01 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 16:38:01 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 16:38:01 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 16:38:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	50624	142.250.185.110	443	2248	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:38:01 UTC	1318	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1320 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=aiVS7g8wsEexKxNB4VpA3jOeWAIgJGiiiwqn3ko5NNHIQnZ91RkMgH7CDmejz8d6bX1-hyVzGrWME0KM1us8gLr92YXQbaKSchVPcHST-nzeKoVWa4-L9PRpO8xCbwNFsOiqcWjCnjaTH5BoY8_rqHXiL4Vjwsk_tyqIkH6Ih83ImGnTgLMdpAPfWj4
2024-10-02 16:38:01 UTC	1320	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 37 30 37 39 33 30 34 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727887079304",null,null,null
2024-10-02 16:38:01 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 16:38:01 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 16:38:01 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 16:38:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.6	50625	142.250.185.110	443	2248	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:38:01 UTC	1277	OUT	POST /log?hasfast=true&authuser=0&format=json HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 864 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.134" Content-Type: text/plain;charset=UTF-8 sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=aiVS7g8wsEexKxNB4VpA3jOeWAIgJGiiiwqn3ko5NNHIQnZ91RkMgH7CDmejz8d6bX1-hyVzGrWME0KM1us8gLr92YXQbaKSchVPcHST-nzeKoVWa4-L9PRpO8xCbwNFsOiqcWjCnjaTH5BoY8_rqHXiL4Vjwsk_tyqIkH6Ih83ImGnTgLMdpAPfWj4
2024-10-02 16:38:01 UTC	864	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 62 6f 71 5f 69 64 65 6e 74 69 74 79 66 72 6f 6e 74 65 6e 64 61 75 74 68 75 69 73 65 72 76 65 72 5f 32 30 32 34 30 39 32 39 2e 30 37 5f 70 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 33 2c 30 2c 30 Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"boq_identityfrontendauthuiserver_20240929.07_p0",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[3,0,0
2024-10-02 16:38:02 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 16:38:01 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 16:38:02 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 16:38:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
17	192.168.2.6	50626	40.113.110.67	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:38:05 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 4b 4a 4f 72 58 69 2b 34 6b 45 61 4e 62 33 71 2f 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 38 37 64 66 63 39 63 63 34 32 62 63 61 34 36 31 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: KJOrXi+4kEaNb3q/.1Context: 87dfc9cc42bca461
2024-10-02 16:38:05 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-10-02 16:38:05 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 4b 4a 4f 72 58 69 2b 34 6b 45 61 4e 62 33 71 2f 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 38 37 64 66 63 39 63 63 34 32 62 63 61 34 36 31 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 64 2b 6e 2b 33 44 36 66 41 75 4a 4f 41 4d 68 50 71 2b 75 4c 31 2b 51 52 76 51 6f 63 36 6b 79 73 36 67 6e 4e 37 44 35 7a 6e 7a 59 6f 70 39 39 2b 58 45 61 76 79 38 54 77 64 73 61 63 6e 41 56 4b 74 71 41 6d 51 62 4f 46 53 4c 4b 50 4a 63 39 68 4d 65 43 72 46 55 5a 5a 55 36 64 68 33 6f 55 55 66 73 2f 76 36 33 47 38 6e 54 66 62 67 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: KJOrXi+4kEaNb3q/.2Context: 87dfc9cc42bca461<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAd+n+3D6fAuJOAMhPq+uL1+QRvQoc6kys6gnN7D5znzYop99+XEavy8TwdsacnAVKtqAmQbOFSLKPJc9hMeCrFUZZU6dh3oUUfs/v63G8nTfbg
2024-10-02 16:38:05 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 4b 4a 4f 72 58 69 2b 34 6b 45 61 4e 62 33 71 2f 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 38 37 64 66 63 39 63 63 34 32 62 63 61 34 36 31 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: KJOrXi+4kEaNb3q/.3Context: 87dfc9cc42bca461<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-10-02 16:38:05 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-10-02 16:38:05 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 6e 67 69 2b 6e 47 71 4f 6c 45 4b 4b 45 75 6b 46 53 70 54 4a 71 51 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: ngi+nGqOlEKKEukFSpTJqQ.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	50627	20.114.59.183	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:38:10 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=3UKllD2MVWroSBo&MD=GLuuM2Nd HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-02 16:38:10 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: f2140827-1ac5-4ae6-9c21-1b0e2dd975d6 MS-RequestId: 9ed666b5-08cb-4967-8081-1de886e95fc6 MS-CV: GarRBdhlF0ibyCVq.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 02 Oct 2024 16:38:09 GMT Connection: close Content-Length: 30005
2024-10-02 16:38:10 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-10-02 16:38:10 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Session ID	Source IP	Source Port	Destination IP	Destination Port
19	192.168.2.6	50630	40.113.103.199	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:38:28 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 52 73 32 5a 45 68 59 52 49 30 2b 45 78 31 79 34 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 38 34 31 63 63 36 34 39 64 37 36 63 37 65 65 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: Rs2ZEhYRI0+Ex1y4.1Context: 5841cc649d76c7ee
2024-10-02 16:38:28 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-10-02 16:38:28 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 52 73 32 5a 45 68 59 52 49 30 2b 45 78 31 79 34 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 38 34 31 63 63 36 34 39 64 37 36 63 37 65 65 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 64 2b 6e 2b 33 44 36 66 41 75 4a 4f 41 4d 68 50 71 2b 75 4c 31 2b 51 52 76 51 6f 63 36 6b 79 73 36 67 6e 4e 37 44 35 7a 6e 7a 59 6f 70 39 39 2b 58 45 61 76 79 38 54 77 64 73 61 63 6e 41 56 4b 74 71 41 6d 51 62 4f 46 53 4c 4b 50 4a 63 39 68 4d 65 43 72 46 55 5a 5a 55 36 64 68 33 6f 55 55 66 73 2f 76 36 33 47 38 6e 54 66 62 67 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: Rs2ZEhYRI0+Ex1y4.2Context: 5841cc649d76c7ee<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAd+n+3D6fAuJOAMhPq+uL1+QRvQoc6kys6gnN7D5znzYop99+XEavy8TwdsacnAVKtqAmQbOFSLKPJc9hMeCrFUZZU6dh3oUUfs/v63G8nTfbg
2024-10-02 16:38:28 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 52 73 32 5a 45 68 59 52 49 30 2b 45 78 31 79 34 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 38 34 31 63 63 36 34 39 64 37 36 63 37 65 65 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: Rs2ZEhYRI0+Ex1y4.3Context: 5841cc649d76c7ee<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-10-02 16:38:28 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-10-02 16:38:28 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 51 38 53 62 45 6a 68 4f 74 30 61 30 62 6e 76 52 44 61 4b 4d 65 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: Q8SbEjhOt0a0bnvRDaKMeg.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.6	50631	216.58.212.174	443	2248	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:38:31 UTC	1318	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1232 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=aiVS7g8wsEexKxNB4VpA3jOeWAIgJGiiiwqn3ko5NNHIQnZ91RkMgH7CDmejz8d6bX1-hyVzGrWME0KM1us8gLr92YXQbaKSchVPcHST-nzeKoVWa4-L9PRpO8xCbwNFsOiqcWjCnjaTH5BoY8_rqHXiL4Vjwsk_tyqIkH6Ih83ImGnTgLMdpAPfWj4
2024-10-02 16:38:31 UTC	1232	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 37 31 30 39 32 31 38 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727887109218",null,null,null
2024-10-02 16:38:31 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 16:38:31 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 16:38:31 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 16:38:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.6	50633	216.58.212.174	443	2248	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:38:31 UTC	1318	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1365 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=aiVS7g8wsEexKxNB4VpA3jOeWAIgJGiiiwqn3ko5NNHIQnZ91RkMgH7CDmejz8d6bX1-hyVzGrWME0KM1us8gLr92YXQbaKSchVPcHST-nzeKoVWa4-L9PRpO8xCbwNFsOiqcWjCnjaTH5BoY8_rqHXiL4Vjwsk_tyqIkH6Ih83ImGnTgLMdpAPfWj4
2024-10-02 16:38:31 UTC	1365	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 37 31 30 39 35 39 36 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727887109596",null,null,null
2024-10-02 16:38:31 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 16:38:31 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 16:38:31 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 16:38:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
22	192.168.2.6	50635	40.113.103.199	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:38:55 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 66 43 51 4d 77 6a 6c 4b 4b 6b 47 4c 45 45 4c 38 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 30 61 34 34 31 37 63 39 30 33 62 37 33 38 35 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: fCQMwjlKKkGLEEL8.1Context: 30a4417c903b7385
2024-10-02 16:38:55 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-10-02 16:38:55 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 66 43 51 4d 77 6a 6c 4b 4b 6b 47 4c 45 45 4c 38 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 30 61 34 34 31 37 63 39 30 33 62 37 33 38 35 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 64 2b 6e 2b 33 44 36 66 41 75 4a 4f 41 4d 68 50 71 2b 75 4c 31 2b 51 52 76 51 6f 63 36 6b 79 73 36 67 6e 4e 37 44 35 7a 6e 7a 59 6f 70 39 39 2b 58 45 61 76 79 38 54 77 64 73 61 63 6e 41 56 4b 74 71 41 6d 51 62 4f 46 53 4c 4b 50 4a 63 39 68 4d 65 43 72 46 55 5a 5a 55 36 64 68 33 6f 55 55 66 73 2f 76 36 33 47 38 6e 54 66 62 67 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: fCQMwjlKKkGLEEL8.2Context: 30a4417c903b7385<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAd+n+3D6fAuJOAMhPq+uL1+QRvQoc6kys6gnN7D5znzYop99+XEavy8TwdsacnAVKtqAmQbOFSLKPJc9hMeCrFUZZU6dh3oUUfs/v63G8nTfbg
2024-10-02 16:38:55 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 66 43 51 4d 77 6a 6c 4b 4b 6b 47 4c 45 45 4c 38 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 30 61 34 34 31 37 63 39 30 33 62 37 33 38 35 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: fCQMwjlKKkGLEEL8.3Context: 30a4417c903b7385<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-10-02 16:38:55 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-10-02 16:38:55 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 4c 45 41 4a 32 52 75 34 6e 45 71 50 6d 78 4d 38 77 74 69 43 75 51 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: LEAJ2Ru4nEqPmxM8wtiCuQ.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.6	50636	216.58.212.174	443	2248	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:39:01 UTC	1318	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1399 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=aiVS7g8wsEexKxNB4VpA3jOeWAIgJGiiiwqn3ko5NNHIQnZ91RkMgH7CDmejz8d6bX1-hyVzGrWME0KM1us8gLr92YXQbaKSchVPcHST-nzeKoVWa4-L9PRpO8xCbwNFsOiqcWjCnjaTH5BoY8_rqHXiL4Vjwsk_tyqIkH6Ih83ImGnTgLMdpAPfWj4
2024-10-02 16:39:01 UTC	1399	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 37 31 33 39 33 37 34 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727887139374",null,null,null
2024-10-02 16:39:01 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 16:39:01 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 16:39:01 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 16:39:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.6	50637	216.58.212.174	443	2248	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:39:03 UTC	1318	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 1226 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" Content-Type: application/x-www-form-urlencoded;charset=UTF-8 sec-ch-ua-full-version: "117.0.5938.134" sec-ch-ua-platform-version: "10.0.0" X-Goog-AuthUser: 0 sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: / Origin: https://accounts.google.com X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc= Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=aiVS7g8wsEexKxNB4VpA3jOeWAIgJGiiiwqn3ko5NNHIQnZ91RkMgH7CDmejz8d6bX1-hyVzGrWME0KM1us8gLr92YXQbaKSchVPcHST-nzeKoVWa4-L9PRpO8xCbwNFsOiqcWjCnjaTH5BoY8_rqHXiL4Vjwsk_tyqIkH6Ih83ImGnTgLMdpAPfWj4
2024-10-02 16:39:03 UTC	1226	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 37 31 34 31 35 34 35 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727887141545",null,null,null
2024-10-02 16:39:03 UTC	523	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Content-Type: text/plain; charset=UTF-8 Date: Wed, 02 Oct 2024 16:39:03 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-02 16:39:03 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-10-02 16:39:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
25	192.168.2.6	50638	40.113.103.199	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 16:39:22 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 33 43 7a 79 6d 67 58 46 62 45 53 69 56 31 65 61 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 65 63 37 36 33 62 35 32 31 63 33 63 64 33 66 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: 3CzymgXFbESiV1ea.1Context: 3ec763b521c3cd3f
2024-10-02 16:39:22 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-10-02 16:39:22 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 33 43 7a 79 6d 67 58 46 62 45 53 69 56 31 65 61 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 65 63 37 36 33 62 35 32 31 63 33 63 64 33 66 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 64 2b 6e 2b 33 44 36 66 41 75 4a 4f 41 4d 68 50 71 2b 75 4c 31 2b 51 52 76 51 6f 63 36 6b 79 73 36 67 6e 4e 37 44 35 7a 6e 7a 59 6f 70 39 39 2b 58 45 61 76 79 38 54 77 64 73 61 63 6e 41 56 4b 74 71 41 6d 51 62 4f 46 53 4c 4b 50 4a 63 39 68 4d 65 43 72 46 55 5a 5a 55 36 64 68 33 6f 55 55 66 73 2f 76 36 33 47 38 6e 54 66 62 67 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: 3CzymgXFbESiV1ea.2Context: 3ec763b521c3cd3f<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAd+n+3D6fAuJOAMhPq+uL1+QRvQoc6kys6gnN7D5znzYop99+XEavy8TwdsacnAVKtqAmQbOFSLKPJc9hMeCrFUZZU6dh3oUUfs/v63G8nTfbg
2024-10-02 16:39:22 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 33 43 7a 79 6d 67 58 46 62 45 53 69 56 31 65 61 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 65 63 37 36 33 62 35 32 31 63 33 63 64 33 66 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: 3CzymgXFbESiV1ea.3Context: 3ec763b521c3cd3f<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-10-02 16:39:23 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-10-02 16:39:23 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 55 33 41 56 77 66 65 77 45 45 75 4e 6d 56 43 42 31 36 47 6f 50 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: U3AVwfewEEuNmVCB16GoPg.0Payload parsing failed.

Target ID:	0
Start time:	12:37:14
Start date:	02/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x7f0000
File size:	918'528 bytes
MD5 hash:	6E7B2F176845B35EC3EAA5EA9E302A36
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:37:14
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x880000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:37:14
Start date:	02/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:37:16
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	12:37:17
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=1964,i,7453171693126174931,3170692810608871030,262144 /prefetch:8
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	12:37:28
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5376 --field-trial-handle=1964,i,7453171693126174931,3170692810608871030,262144 /prefetch:8
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	12:37:28
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 --field-trial-handle=1964,i,7453171693126174931,3170692810608871030,262144 /prefetch:8
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8%
Total number of Nodes:	1765
Total number of Limit Nodes:	57

Executed Functions

Function 0080F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130
keyboardthreadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0080F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0084F474
IsIconic.USER32(00000000), ref: 0084F47D
ShowWindow.USER32(00000000,00000009), ref: 0084F48A
SetForegroundWindow.USER32(00000000), ref: 0084F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0084F4AA
GetCurrentThreadId.KERNEL32 ref: 0084F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0084F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0084F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0084F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0084F4DE
SetForegroundWindow.USER32(00000000), ref: 0084F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0084F4F6
keybd_event.USER32(00000012,00000000), ref: 0084F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0084F50B
keybd_event.USER32(00000012,00000000), ref: 0084F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0084F519
keybd_event.USER32(00000012,00000000), ref: 0084F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0084F528
keybd_event.USER32(00000012,00000000), ref: 0084F52D
SetForegroundWindow.USER32(00000000), ref: 0084F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0084F557

Strings

Shell_TrayWnd, xrefs: 0084F46F

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: c8c6bba82d2cff48050b11d09e27b178cbbba14df23625ff165eea60afe75214
Instruction ID: 03908a943ed9bfee0c44a7d43d33dfed94cb39e6b35dbfdb3d2829d19dc09237
Opcode Fuzzy Hash: c8c6bba82d2cff48050b11d09e27b178cbbba14df23625ff165eea60afe75214
Instruction Fuzzy Hash: 12311E71A4021CBAEB216BB99C4AFBF7E6CFB44B50F110069FA05E61D1D6B15D00ABB0

Function 007F42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 007F430D

Part of subcall function 007F6B57: _wcslen.LIBCMT ref: 007F6B6A

GetCurrentProcess.KERNEL32(?,0088CB64,00000000,?,?), ref: 007F4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 007F4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 007F4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 007F4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 007F4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 007F447B
GetSystemInfo.KERNEL32(?,?,?), ref: 007F44A0

Strings

kernel32.dll, xrefs: 007F444F
|O, xrefs: 008336F8
GetNativeSystemInfo, xrefs: 007F4460

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 9acda2cf29a46a834c8434f82f4f8809a10400b45f82e4551a747745d6dcdad1
Instruction ID: 6e1d0167dfd72a9d429d843f5fd9daee738bf016c66778963f884d61feeb2a8c
Opcode Fuzzy Hash: 9acda2cf29a46a834c8434f82f4f8809a10400b45f82e4551a747745d6dcdad1
Instruction Fuzzy Hash: 94A1906191A2C4CFCF12D7B97CCD9A67EB4BB67308B1459A9D141A3B23D23C4908CB61

Function 007F42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,007F50AA,?,?,00000000,00000000), ref: 007F42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,007F50AA,?,?,00000000,00000000), ref: 007F42C9
LoadResource.KERNEL32(?,00000000,?,?,007F50AA,?,?,00000000,00000000,?,?,?,?,?,?,007F4F20), ref: 008335BE
SizeofResource.KERNEL32(?,00000000,?,?,007F50AA,?,?,00000000,00000000,?,?,?,?,?,?,007F4F20), ref: 008335D3
LockResource.KERNEL32(007F50AA,?,?,007F50AA,?,?,00000000,00000000,?,?,?,?,?,?,007F4F20,?), ref: 008335E6

Strings

SCRIPT, xrefs: 007F42BF

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: b6b58bb2d8c312af0329d44118884a22609a88ee4a4ebb21a87213f56b735a2c
Instruction ID: 6403a9fb77d0009817d1d05be7e5a6938c08a72b9e634a8383f08f1337902b27
Opcode Fuzzy Hash: b6b58bb2d8c312af0329d44118884a22609a88ee4a4ebb21a87213f56b735a2c
Instruction Fuzzy Hash: 80117971200705BFEB218BA9DC48F277BBAFBC5B51F208169B512D66A0DB71E8008B70

Function 00832BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 007F2B6B

Part of subcall function 007F3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,008C1418,?,007F2E7F,?,?,?,00000000), ref: 007F3A78

Part of subcall function 007F9CB3: _wcslen.LIBCMT ref: 007F9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,008B2224), ref: 00832C10
ShellExecuteW.SHELL32(00000000,?,?,008B2224), ref: 00832C17

Strings

runas, xrefs: 00832C0B

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 94d6d913f0970774b58d762fa1996a9edc5f86448be653030eb1d29520863eea
Instruction ID: de28ef242564d9c5fc6272fbe641f499f80d8fef5f894218af67873c341b536e
Opcode Fuzzy Hash: 94d6d913f0970774b58d762fa1996a9edc5f86448be653030eb1d29520863eea
Instruction Fuzzy Hash: BF11A131108209EACB15FF64D899ABDBBA5FF91350F44041DB796422A3DF39890A8752

Function 0085DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00835222), ref: 0085DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0085DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0085DBEE
FindClose.KERNEL32(00000000), ref: 0085DBFA

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: a19644be1e1ff6b97281f3540785ffb34d1e75f7fb7c8bc9d5732db77a34ec69
Instruction ID: d96a41829cb6bc01b92702f225ae6849d1b07a267e28fd394603835429b840e2
Opcode Fuzzy Hash: a19644be1e1ff6b97281f3540785ffb34d1e75f7fb7c8bc9d5732db77a34ec69
Instruction Fuzzy Hash: BAF03031814A149782306B7CAD4D8AE77ACFF41336B544706FC76C22E4EBB05D5986A5

Function 00814CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(008228E9,?,00814CBE,008228E9,008B88B8,0000000C,00814E15,008228E9,00000002,00000000,?,008228E9), ref: 00814D09
TerminateProcess.KERNEL32(00000000,?,00814CBE,008228E9,008B88B8,0000000C,00814E15,008228E9,00000002,00000000,?,008228E9), ref: 00814D10
ExitProcess.KERNEL32 ref: 00814D22

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 2cfb6385e8afc846466131f946ec3b290b6e125d91d634a944707aaeea6a8f7d
Instruction ID: fabbeb8717f4dcee93ac0b785d417d9d29fe0f83930dd205b00ca656e9419940
Opcode Fuzzy Hash: 2cfb6385e8afc846466131f946ec3b290b6e125d91d634a944707aaeea6a8f7d
Instruction Fuzzy Hash: 09E0B631000148ABCF11AF58ED09A983B6DFF41B81B104014FC09CA226CB35ED82DB90

Function 007FCAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00840C40

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 40c32ad1ec611d1be17667a0faabc101bd3b85d7c2a645be1047b493a7ab2b6d
Instruction ID: 2789e09d06efeac47e292ff4b3f2b2b06ab33a196afb1f6ccf54f3dbcf936fdb
Opcode Fuzzy Hash: 40c32ad1ec611d1be17667a0faabc101bd3b85d7c2a645be1047b493a7ab2b6d
Instruction Fuzzy Hash: CD32687090021CDBCF15DF94CA85AFEB7B5FF04304F248059EA06AB392D779AA45DB61

Function 0087AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0087B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0087B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0087B1D4
_wcslen.LIBCMT ref: 0087B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0087B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0087B236
_wcslen.LIBCMT ref: 0087B332

Part of subcall function 008605A7: GetStdHandle.KERNEL32(000000F6), ref: 008605C6

_wcslen.LIBCMT ref: 0087B34B
_wcslen.LIBCMT ref: 0087B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0087B3B6
GetLastError.KERNEL32(00000000), ref: 0087B407
CloseHandle.KERNEL32(?), ref: 0087B439
CloseHandle.KERNEL32(00000000), ref: 0087B44A
CloseHandle.KERNEL32(00000000), ref: 0087B45C
CloseHandle.KERNEL32(00000000), ref: 0087B46E
CloseHandle.KERNEL32(?), ref: 0087B4E3

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 1ef0a0703f5ab0fd91a6f6d03f45e0a02d781dfbbefa60f560d332d1a9fbc96e
Instruction ID: e8ae40dc32cc4be637aef4f30528d73fb8aa1242b3a1832ce730d5b5c59b9fdc
Opcode Fuzzy Hash: 1ef0a0703f5ab0fd91a6f6d03f45e0a02d781dfbbefa60f560d332d1a9fbc96e
Instruction Fuzzy Hash: 1AF18931508204DFC724EF28C895B6ABBE6FF85314F18855DF9998B2A6CB34EC44CB52

Function 007FD730 Relevance: 21.6, APIs: 14, Instructions: 631sleepsynchronizationtimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 007FD807
timeGetTime.WINMM ref: 007FDA07
Sleep.KERNELBASE(0000000A), ref: 007FDBB1
Sleep.KERNEL32(0000000A), ref: 00842B76
GetExitCodeProcess.KERNEL32(?,?), ref: 00842C11
WaitForSingleObject.KERNEL32(?,00000000), ref: 00842C29
CloseHandle.KERNEL32(?), ref: 00842C3D
Sleep.KERNEL32(?,CCCCCCCC,00000000), ref: 00842CA9

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Sleep$CloseCodeExitHandleInputObjectProcessSingleStateTimeWaittime
String ID:
API String ID: 388478766-0
Opcode ID: 4dbe54307528073372066701e35c52a179ad20a26e7f712c5213e1bdb8771513
Instruction ID: a6c798bba6e17df08d72ee7a13afebed081af5438276060e28ea9614e26f16be
Opcode Fuzzy Hash: 4dbe54307528073372066701e35c52a179ad20a26e7f712c5213e1bdb8771513
Instruction Fuzzy Hash: 5F42DD7060824ADFDB39DF28C888B7AB7A2FF46304F548519FA5587391D778AC44CB92

Function 007F2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 007F2D07
RegisterClassExW.USER32(00000030), ref: 007F2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007F2D42
InitCommonControlsEx.COMCTL32(?), ref: 007F2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007F2D6F
LoadIconW.USER32(000000A9), ref: 007F2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 007F2D94

Strings

AutoIt v3 GUI, xrefs: 007F2D23
+, xrefs: 007F2CF0
TaskbarCreated, xrefs: 007F2D37
0, xrefs: 007F2CE9

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 04640a94588beccf1f80ac401049e67e43e5e2cfc2ceb9f5cfcb166eb22cabec
Instruction ID: eb5743034202e74059348c424944df3af73a758d62da33153fa9d3bcb511decb
Opcode Fuzzy Hash: 04640a94588beccf1f80ac401049e67e43e5e2cfc2ceb9f5cfcb166eb22cabec
Instruction Fuzzy Hash: A421E3B1901218AFDF00EFA8EC89BDDBFB4FB09700F00811AF611A62A5D7B54544CFA1

Function 0083065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0083039A: CreateFileW.KERNELBASE(00000000,00000000,?,00830704,?,?,00000000,?,00830704,00000000,0000000C), ref: 008303B7

GetLastError.KERNEL32 ref: 0083076F
__dosmaperr.LIBCMT ref: 00830776
GetFileType.KERNELBASE(00000000), ref: 00830782
GetLastError.KERNEL32 ref: 0083078C
__dosmaperr.LIBCMT ref: 00830795
CloseHandle.KERNEL32(00000000), ref: 008307B5
CloseHandle.KERNEL32(?), ref: 008308FF
GetLastError.KERNEL32 ref: 00830931
__dosmaperr.LIBCMT ref: 00830938

Strings

H, xrefs: 008308BD

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 8cbe9bb6f1cbb6d05879b69a9209501b2b819dd466ffd302987dd8be3ad103e2
Instruction ID: e53c4444a945f3c50ef832a0ba4dfb10332630f82534deb20cb035b915018c8f
Opcode Fuzzy Hash: 8cbe9bb6f1cbb6d05879b69a9209501b2b819dd466ffd302987dd8be3ad103e2
Instruction Fuzzy Hash: 69A1D432A141188FDF19AF68D862BAE7BA0FB46324F14015DF815DB3D2DB319952CF92

Function 007F344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007F3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,008C1418,?,007F2E7F,?,?,?,00000000), ref: 007F3A78

Part of subcall function 007F3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 007F3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 007F356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0083318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 008331CE
RegCloseKey.ADVAPI32(?), ref: 00833210
_wcslen.LIBCMT ref: 00833277
_wcslen.LIBCMT ref: 00833286

Strings

Include, xrefs: 00833184, 008331C5
\Include\, xrefs: 007F3527
Software\AutoIt v3\AutoIt, xrefs: 007F3560
\, xrefs: 0083328C

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 8c47c92d6589bad8581198a328966eac9499a0b82e01332fddd8af4a816da702
Instruction ID: 1d6c6474e3bacc921b0437adf672f3d286ed19667617ce62f86551820cad9386
Opcode Fuzzy Hash: 8c47c92d6589bad8581198a328966eac9499a0b82e01332fddd8af4a816da702
Instruction Fuzzy Hash: 787136714043459EC314EF69EC859ABBBF8FF84740F40452EF645D62B1EB789A48CBA2

Function 007F2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 007F2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 007F2B9D
LoadIconW.USER32(00000063), ref: 007F2BB3
LoadIconW.USER32(000000A4), ref: 007F2BC5
LoadIconW.USER32(000000A2), ref: 007F2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 007F2BEF
RegisterClassExW.USER32(?), ref: 007F2C40

Part of subcall function 007F2CD4: GetSysColorBrush.USER32(0000000F), ref: 007F2D07
Part of subcall function 007F2CD4: RegisterClassExW.USER32(00000030), ref: 007F2D31
Part of subcall function 007F2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007F2D42
Part of subcall function 007F2CD4: InitCommonControlsEx.COMCTL32(?), ref: 007F2D5F
Part of subcall function 007F2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007F2D6F
Part of subcall function 007F2CD4: LoadIconW.USER32(000000A9), ref: 007F2D85
Part of subcall function 007F2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 007F2D94

Strings

AutoIt v3, xrefs: 007F2C2F
#, xrefs: 007F2C16
0, xrefs: 007F2C0F

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: f6edfc1d91c01d8d49fdcc496f8a9632729a5addd5215048d7b41e7ff012b59c
Instruction ID: 6138e4b5e3355443343ddc6d443785f4e1705c4021971909e7c33a3cd9a17b5a
Opcode Fuzzy Hash: f6edfc1d91c01d8d49fdcc496f8a9632729a5addd5215048d7b41e7ff012b59c
Instruction Fuzzy Hash: F9211A70E00358ABDF109FB9EC99EA97FB4FB49B54F00401AF600A67A1D7B94550CF90

Function 007F3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,007F316A,?,?), ref: 007F31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,007F316A,?,?), ref: 007F3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 007F3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,007F316A,?,?), ref: 007F3232
CreatePopupMenu.USER32 ref: 007F3246
PostQuitMessage.USER32(00000000), ref: 007F3267

Strings

TaskbarCreated, xrefs: 007F322D

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: f2479eee8767a6121ad21b04869de84d70edf2b6a15e7497ce31a50188f49408
Instruction ID: 62f3c3a7af7585839092f36862c976b3933225cbc707743b6232a6147bee3241
Opcode Fuzzy Hash: f2479eee8767a6121ad21b04869de84d70edf2b6a15e7497ce31a50188f49408
Instruction Fuzzy Hash: E741C33124060CEADF152B7C9D8EF793A69F746354F04012AFB16C63A2CB7DDA4497A2

Function 007F1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 007F1459
CoUninitialize.COMBASE ref: 007F14F8
UnregisterHotKey.USER32(?), ref: 007F16DD
DestroyWindow.USER32(?), ref: 008324B9
FreeLibrary.KERNEL32(?), ref: 0083251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0083254B

Strings

close all, xrefs: 007F1454

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 96691dd79c0c4460727cd5db00ae67e8b74b5c8705de080e8da7503171fd2b7c
Instruction ID: 8e9cf1d6b82a61a3e4e167fbcf9c1f4dce0f5eac0353d10d398d6007242cec30
Opcode Fuzzy Hash: 96691dd79c0c4460727cd5db00ae67e8b74b5c8705de080e8da7503171fd2b7c
Instruction Fuzzy Hash: 83D16A31701216CFCB29EF19C899A29F7A0FF45710F5441ADE64AAB352DB34AD12CF91

Function 007F2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 007F2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 007F2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,007F1CAD,?), ref: 007F2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,007F1CAD,?), ref: 007F2CCF

Strings

AutoIt v3, xrefs: 007F2C89, 007F2C8E, 007F2C8F
edit, xrefs: 007F2CAC

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: ee9b516b79a541b80abc447c42b7b96ae55a179cb42d776795333cd133f43fe8
Instruction ID: 50dca62593050c21813bffa3fdbe750f7173679974ff8d186c9efc1bbef6517a
Opcode Fuzzy Hash: ee9b516b79a541b80abc447c42b7b96ae55a179cb42d776795333cd133f43fe8
Instruction Fuzzy Hash: 49F0DA755402D07AEB311727AC8CE772EBDF7C7F54B01005AF900A2AA5C6791850DBB0

Function 0085E97B Relevance: 7.5, APIs: 5, Instructions: 47
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0085E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0085E9A5
Sleep.KERNEL32(00000000), ref: 0085E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0085E9B7
Sleep.KERNELBASE ref: 0085E9F3

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 6dd8f4947d6fca9b1425aa549ba5e8c34127324d77f8dc4765c693f8be6f1d28
Instruction ID: 846459742f2ca46909d5cd649162310677724ea927921f71877cabbf9267db12
Opcode Fuzzy Hash: 6dd8f4947d6fca9b1425aa549ba5e8c34127324d77f8dc4765c693f8be6f1d28
Instruction Fuzzy Hash: 61015735C0162EDBCF04ABE8DC99AEDBF78FB09302F000546E912F2244DB309658CBA1

Function 007F3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,007F3B0F,SwapMouseButtons,00000004,?), ref: 007F3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,007F3B0F,SwapMouseButtons,00000004,?), ref: 007F3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,007F3B0F,SwapMouseButtons,00000004,?), ref: 007F3B83

Strings

Control Panel\Mouse, xrefs: 007F3B3E

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: a8616595fff3936cafda3cdbd314205aafa85f23237997616f04fd0cf817f317
Instruction ID: bcbe44f747ff20e40ea6a570d36fab28ab2ba081c8484262a56d0d6b22993b9c
Opcode Fuzzy Hash: a8616595fff3936cafda3cdbd314205aafa85f23237997616f04fd0cf817f317
Instruction Fuzzy Hash: 15112AB5511208FFDB218FA9DC54ABEB7B8EF04784B10445AA905D7210E2359E409760

Function 007F3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 008333A2

Part of subcall function 007F6B57: _wcslen.LIBCMT ref: 007F6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 007F3A04

Strings

Line: , xrefs: 008333EB

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: b4803854c92178b7e5d67ea5053438df1840ae53682f74b679dc1c341c82d935
Instruction ID: 2ec95e827f3d243f762c6a76dd2d5dcdf1c72269de88168fd52c4e1166554318
Opcode Fuzzy Hash: b4803854c92178b7e5d67ea5053438df1840ae53682f74b679dc1c341c82d935
Instruction Fuzzy Hash: 5131C471408348AAC721EB20DC49FFBB7E8BF41714F10452AF69982392DB789A48C7D2

Function 0080FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00810668

Part of subcall function 008132A4: RaiseException.KERNEL32(?,?,?,0081068A,?,008C1444,?,?,?,?,?,?,0081068A,007F1129,008B8738,007F1129), ref: 00813304

__CxxThrowException@8.LIBVCRUNTIME ref: 00810685

Strings

Unknown exception, xrefs: 00810692

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 86cd6474d87d8f6d9420ef93b544851fc9278f112a91fa359c6558b2250387e0
Instruction ID: 2ef841633e6e478c0988d8361a009086234c83e0ba669e79ac9773c7ebd9b16c
Opcode Fuzzy Hash: 86cd6474d87d8f6d9420ef93b544851fc9278f112a91fa359c6558b2250387e0
Instruction Fuzzy Hash: 7CF0A43490030DA7CB10B6A8DC46CDD776DFE10354B608131BA24D59D2EFB1DAD5C982

Function 007F10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 007F1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 007F1BF4
Part of subcall function 007F1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 007F1BFC
Part of subcall function 007F1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 007F1C07
Part of subcall function 007F1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 007F1C12
Part of subcall function 007F1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 007F1C1A
Part of subcall function 007F1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 007F1C22

Part of subcall function 007F1B4A: RegisterWindowMessageW.USER32(00000004,?,007F12C4), ref: 007F1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 007F136A
OleInitialize.OLE32 ref: 007F1388
CloseHandle.KERNEL32(00000000,00000000), ref: 008324AB

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: af978699e4f637877fba25bf5ddfc4d206fe200b555bb21928fe04c65225c5f6
Instruction ID: bde74dde62e66524fa86e46d790fddb407b16554f1975b512c8f44a8ad360c7c
Opcode Fuzzy Hash: af978699e4f637877fba25bf5ddfc4d206fe200b555bb21928fe04c65225c5f6
Instruction Fuzzy Hash: 52719BB4915204CECB84EFB9ADCDE657AF1FB8A340754826ED60AC7363EB3484058F55

Function 0085C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 007F3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 007F3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0085C259
KillTimer.USER32(?,00000001,?,?), ref: 0085C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0085C270

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: b8ab05db69641a15bb6257e4dd6d40a08ebc9e693f13957be49c8edd31325d1f
Instruction ID: 10f099c8bcb87fa2a4ca2dd91133580721176f55e22dedb60687f282131fe975
Opcode Fuzzy Hash: b8ab05db69641a15bb6257e4dd6d40a08ebc9e693f13957be49c8edd31325d1f
Instruction Fuzzy Hash: 12318470904344AFEB229F648895BE6BBECFB06309F00049EDA9AD7242C7745A88CF51

Function 008286AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,008285CC,?,008B8CC8,0000000C), ref: 00828704
GetLastError.KERNEL32(?,008285CC,?,008B8CC8,0000000C), ref: 0082870E
__dosmaperr.LIBCMT ref: 00828739

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 792127edb1bce42db0aee994f5a0c1374e00244dd470643864225b02b5c869a3
Instruction ID: 7447546a615ef91ac1d6982936299eec840679cafbbc1a8ebe8ae333280417d2
Opcode Fuzzy Hash: 792127edb1bce42db0aee994f5a0c1374e00244dd470643864225b02b5c869a3
Instruction Fuzzy Hash: 7A012F326065309ADA24A238784DB7E6759FBA2775F35011DFC14CB2D3DEB08CC18251

Function 007FDB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 007FDB7B
DispatchMessageW.USER32(?), ref: 007FDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007FDB9F
Sleep.KERNELBASE(0000000A), ref: 007FDBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00841CC9

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: c0f744fefee8731bf76b46871a798f992d91f8a20ac3c8ac4d29e75970ebdb0f
Instruction ID: febf5aef3ef8c02184025d024b89ef006b2dbde4a6eb665b34211c47133fc2a6
Opcode Fuzzy Hash: c0f744fefee8731bf76b46871a798f992d91f8a20ac3c8ac4d29e75970ebdb0f
Instruction Fuzzy Hash: 35F05E306483489BEB30DBA88C89FAA73B9FB45350F104A28E61AC30D0DB3494888B25

Function 00801310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 008017F6

Strings

CALL, xrefs: 008017C6

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 1a69e5e0a4ac332428292f751c124ff772f4a56cf202be5c19a3c1225039ce80
Instruction ID: 09dcbea8708cea28c29af03f0c2d1494fbbc4e7329418584b2dfa743b4ad5ff1
Opcode Fuzzy Hash: 1a69e5e0a4ac332428292f751c124ff772f4a56cf202be5c19a3c1225039ce80
Instruction Fuzzy Hash: 3E229D706082459FCB54DF18C888A2ABBF1FF85324F14892DF596CB3A2D771E951CB92

Function 00881EDA Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 007F6B57: _wcslen.LIBCMT ref: 007F6B6A

GetWindowTextW.USER32(?,?,00007FFF), ref: 00882043

Part of subcall function 007F9CB3: _wcslen.LIBCMT ref: 007F9CBD

Strings

all, xrefs: 00881F09

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _wcslen$TextWindow
String ID: all
API String ID: 4161112387-991457757
Opcode ID: 4548b5b2bf0816277868482527c7482ad00f5cee3b69bb2effcb79b77775689c
Instruction ID: 391393aa354e253bdeeeda1c496e70913d3b4fa63a83ff4f5551cc5e5fa7b759
Opcode Fuzzy Hash: 4548b5b2bf0816277868482527c7482ad00f5cee3b69bb2effcb79b77775689c
Instruction Fuzzy Hash: 3651BF71204205AFC704EF28C889E6AB7E5FF88314F04891DFA599B392DB35ED45CB92

Function 007F2DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00832C8C

Part of subcall function 007F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007F3A97,?,?,007F2E7F,?,?,?,00000000), ref: 007F3AC2

Part of subcall function 007F2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007F2DC4

Strings

X, xrefs: 00832C5A

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: bc6f41539c357d08d13d291aabe164014c83586df9469cff5ba88084426009e1
Instruction ID: ed2720c9ece0b5d4b4657f8afacd0734037c3a925848977c1c56cc89da666d89
Opcode Fuzzy Hash: bc6f41539c357d08d13d291aabe164014c83586df9469cff5ba88084426009e1
Instruction Fuzzy Hash: B8218171A0029C9BCF01DF98C849BEE7BB8EF49704F108059E505E7345DBB85A898FA1

Function 007F3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 007F3908

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 70cb26895030711768fa42e33d477190de0ff94b4d1670cdf9fead53a5b79ef5
Instruction ID: 8c2f66331486f673debe8cf0e8fd96505181099be411365fb48a030487075c45
Opcode Fuzzy Hash: 70cb26895030711768fa42e33d477190de0ff94b4d1670cdf9fead53a5b79ef5
Instruction Fuzzy Hash: 37316D705043059FD720DF64D888BA7BBF8FB49748F00092EFA9987351E779AA44CB52

Function 0080F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0080F661

Part of subcall function 007FD730: GetInputState.USER32 ref: 007FD807

Sleep.KERNEL32(00000000), ref: 0084F2DE

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 9bf440975c8164480b8aae73e9f918871fed3123d0b85ee0d1a1d3bfdee91007
Instruction ID: f4ff4878392cdea3d6a04a2026d5cc990fc7a9c1f8782ffef350db127699b259
Opcode Fuzzy Hash: 9bf440975c8164480b8aae73e9f918871fed3123d0b85ee0d1a1d3bfdee91007
Instruction Fuzzy Hash: 93F08C31240209DFD350EF69D859B6AB7E9FF49760F004029E959C73A1DBB4A800CBA0

Function 007FB710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 007FBB4E

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 82a1b07442a7eaee357fba8f80295fda93c1445f484bb7167402143e044cb501
Instruction ID: 280bc3260bc888661eb23d8f694f67f2bde879715320d682b02e339caa4a0b0a
Opcode Fuzzy Hash: 82a1b07442a7eaee357fba8f80295fda93c1445f484bb7167402143e044cb501
Instruction Fuzzy Hash: 1C32AD75A0020DDFDB10CF68C894ABAB7B5FF44354F14805AEA15AB3A1D7B8ED41CB91

Function 008813B7 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000001,?), ref: 00881420

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: c1560fa59dfa6252fdaadaff4f74d697cc09bb5e7cb665163fd6d3b97515a467
Instruction ID: 691aa08874a7b0ee810e8f251859140597f7a3a731c4e0bdc6f67f333e262e69
Opcode Fuzzy Hash: c1560fa59dfa6252fdaadaff4f74d697cc09bb5e7cb665163fd6d3b97515a467
Instruction Fuzzy Hash: 4D318031604207AFDB14EF29C499B69F7A6FF45328F048168E8168B392DB35EC46CBD1

Function 007F4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 007F4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,007F4EDD,?,008C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007F4E9C
Part of subcall function 007F4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 007F4EAE
Part of subcall function 007F4E90: FreeLibrary.KERNEL32(00000000,?,?,007F4EDD,?,008C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007F4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,008C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007F4EFD

Part of subcall function 007F4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00833CDE,?,008C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007F4E62
Part of subcall function 007F4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 007F4E74
Part of subcall function 007F4E59: FreeLibrary.KERNEL32(00000000,?,?,00833CDE,?,008C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007F4E87

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 17ad50ce30d85fc6355d0b43f47d8dc359a5a6db42ba710fbd54fd8254272067
Instruction ID: f629b831cf13ad31b7614ba089e295b901b36c3d97b75a8efc7d8b356a6447f9
Opcode Fuzzy Hash: 17ad50ce30d85fc6355d0b43f47d8dc359a5a6db42ba710fbd54fd8254272067
Instruction Fuzzy Hash: 2611E332610209EBCB14BB64DC0AFBE77E5AF40710F10842DF646E62C1EF789A45A7A0

Function 00828402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00828440

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 22f5b11b69c2ef2719bf652cd85ab14f88f28a655444a0971a33d345e40d15e8
Instruction ID: ba02098c7385ca140eb1430253c7d523c5bb3062336529f62cf29a3d5aaad34d
Opcode Fuzzy Hash: 22f5b11b69c2ef2719bf652cd85ab14f88f28a655444a0971a33d345e40d15e8
Instruction Fuzzy Hash: 5811067590410AEFCF05DF58E94199A7BF9FF48314F14405AF808EB312DA31DA218BA5

Function 00825000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00824C7D: RtlAllocateHeap.NTDLL(00000008,007F1129,00000000,?,00822E29,00000001,00000364,?,?,?,0081F2DE,00823863,008C1444,?,0080FDF5,?), ref: 00824CBE

_free.LIBCMT ref: 0082506C

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 1f97c7b39fb581679d559c53cb2dafc865bb666c8b19f6f9493af462b979c03c
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: DB012672244B146BE321CF69AC81A5AFBECFB89370F65051DE584C32C0EA30A885C6B4

Function 008829BF Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?,?,?,008814B5,?), ref: 00882A01

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: b32eb7e95956db123b90f79aef8bb543d7a3dacebf2056e593f8f179d0a75ab8
Instruction ID: f6c10906700112d2aa86d37605d14463e27e8e302ec8b5056f079a0987081b75
Opcode Fuzzy Hash: b32eb7e95956db123b90f79aef8bb543d7a3dacebf2056e593f8f179d0a75ab8
Instruction Fuzzy Hash: 9501B136340A629FD328EA2CC454F223B92FF85318F298468C047CB251DB32FC42C7A0

Function 0081E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 1f5ba6f03b8dabbc4d317a22f264e0cbd184f63cb0637651bdd7d2de5b2be2ab
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: E6F0D132511A24AACA312E6DAC05BDA379CFF62334F500715FC26D22D2CB70A881C6A6

Function 00824C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,007F1129,00000000,?,00822E29,00000001,00000364,?,?,?,0081F2DE,00823863,008C1444,?,0080FDF5,?), ref: 00824CBE

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a9bb49166ed4a23e9780c2d62c12f7116888ae54ec76c0d4dc4ff509a4e1f0a9
Instruction ID: a6ef0fe8d4760cbebe4a3d758eed4a4d5a9e168933a92a5ee4d28b828b5148b4
Opcode Fuzzy Hash: a9bb49166ed4a23e9780c2d62c12f7116888ae54ec76c0d4dc4ff509a4e1f0a9
Instruction Fuzzy Hash: FEF0E931602234A7DB215F7EFC09F9A378CFF417B0B146121BC15E6285CAB1D88186F1

Function 00823820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,008C1444,?,0080FDF5,?,?,007FA976,00000010,008C1440,007F13FC,?,007F13C6,?,007F1129), ref: 00823852

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d14d65e5dba3abe7ce1b15b2bdd6d411952eb47c31ca71232c0295a3a1b40e51
Instruction ID: b65f7404668e28e078df1a8830f7cf44f7cdd6c39ddaeaddfb348da399785dc5
Opcode Fuzzy Hash: d14d65e5dba3abe7ce1b15b2bdd6d411952eb47c31ca71232c0295a3a1b40e51
Instruction Fuzzy Hash: F2E0E53210023457D621267ABC14BDA375DFF42BB0F160030BD15DA681CB69DE8182E1

Function 007F4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,008C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007F4F6D

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: b86b2b4f5ef02335a4b59b4bd0a9c9af918396dc41b5c44a66614d9ce73d107c
Instruction ID: 431307fa319e33964c24c654b0986aafd708ef6fa58371a869fa7b1e00b93fb7
Opcode Fuzzy Hash: b86b2b4f5ef02335a4b59b4bd0a9c9af918396dc41b5c44a66614d9ce73d107c
Instruction Fuzzy Hash: A5F03971505756CFDB349F64D494823BBE4FF14329328897EE2EE82621CB359888DF10

Function 00882A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00882A66

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 213b61f92e40c6efab453c1ffffe3a7851abbf3d495e435e29e6d71bef0811dc
Instruction ID: 4c398a1968c740a3750e10bc76dbaa7a951d8c37541ab78d0a6282176a6990f2
Opcode Fuzzy Hash: 213b61f92e40c6efab453c1ffffe3a7851abbf3d495e435e29e6d71bef0811dc
Instruction Fuzzy Hash: 0CE04F7635012AAAC718FA34DC809FA775CFF50399710453AAC26C2141EB30999987A0

Function 007F30F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 007F314E

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: d7bdd2a069ebfe5a7fef7f6a0654bb6583e578f48b14208a383151ae13d45e79
Instruction ID: 35dbab3c7c150d755b22f86d0e3ae5735514620dac0cdbc22724aab5c7cd7c3e
Opcode Fuzzy Hash: d7bdd2a069ebfe5a7fef7f6a0654bb6583e578f48b14208a383151ae13d45e79
Instruction Fuzzy Hash: 66F037709143589FEB529B24DC89BD5BBBCBB0170CF0000E5A64896397D7745798CF51

Function 007F2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007F2DC4

Part of subcall function 007F6B57: _wcslen.LIBCMT ref: 007F6B6A

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 00f72b4bc199878ecdd9f5b7e4759cb0cd902aaec5b2a9f7b1820277c0d7b206
Instruction ID: f6cf4fa0a481ba3e814c062ef016e21110fd5f9f41e528c176d82a11799ef21d
Opcode Fuzzy Hash: 00f72b4bc199878ecdd9f5b7e4759cb0cd902aaec5b2a9f7b1820277c0d7b206
Instruction Fuzzy Hash: BCE0CD726001245BCB10925C9C09FEA77DDEFC8790F040071FD09D724CDA74AD808691

Function 007F2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 007F3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 007F3908

Part of subcall function 007FD730: GetInputState.USER32 ref: 007FD807

SetCurrentDirectoryW.KERNEL32(?), ref: 007F2B6B

Part of subcall function 007F30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 007F314E

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 43c0e44c2420e594218451440f3b555788c1208f125c5d8cc984c5648922bf47
Instruction ID: 26b207e953431f9d54fe1eb384c75de9610b0da1e40d25aee5b435978f3bb37c
Opcode Fuzzy Hash: 43c0e44c2420e594218451440f3b555788c1208f125c5d8cc984c5648922bf47
Instruction Fuzzy Hash: 43E0863130424C86CA08BB75A89E97DA75AEBD2352F40153EF74287363DE3D894A4361

Function 0083039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00830704,?,?,00000000,?,00830704,00000000,0000000C), ref: 008303B7

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 59ee99d94f4f68d738ea8022da8f4ee2c43462b26afedbfce6609e0e97e24434
Instruction ID: 1c0e5716b407b8bb30ceb2f083c61ed22da02c689a4fa340e1652895c5f636c5
Opcode Fuzzy Hash: 59ee99d94f4f68d738ea8022da8f4ee2c43462b26afedbfce6609e0e97e24434
Instruction Fuzzy Hash: 70D06C3204010DBBDF028F84DD46EDA3BAAFB48714F014000BE1856021C732E821AB90

Function 007F1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 007F1CBC

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 7651f87d31b2cefdcd8d8db82d4bbe90d8f4032d35f840c1c30aae83b1e292fd
Instruction ID: 1541e781c9984c68a6dca7dd384d6b7482f6694353f5f5042645d513d36a93ab
Opcode Fuzzy Hash: 7651f87d31b2cefdcd8d8db82d4bbe90d8f4032d35f840c1c30aae83b1e292fd
Instruction Fuzzy Hash: 63C09236280304AFFA149B94BC8EF117774B788B04F048002F609A9AE3C3F22820EB60

Non-executed Functions

Function 00889576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00809BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00809BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0088961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0088965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0088969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008896C9
SendMessageW.USER32 ref: 008896F2
GetKeyState.USER32(00000011), ref: 0088978B
GetKeyState.USER32(00000009), ref: 00889798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 008897AE
GetKeyState.USER32(00000010), ref: 008897B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008897E9
SendMessageW.USER32 ref: 00889810
SendMessageW.USER32(?,00001030,?,00887E95), ref: 00889918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0088992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00889941
SetCapture.USER32(?), ref: 0088994A
ClientToScreen.USER32(?,?), ref: 008899AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 008899BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008899D6
ReleaseCapture.USER32 ref: 008899E1
GetCursorPos.USER32(?), ref: 00889A19
ScreenToClient.USER32(?,?), ref: 00889A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00889A80
SendMessageW.USER32 ref: 00889AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00889AEB
SendMessageW.USER32 ref: 00889B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00889B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00889B4A
GetCursorPos.USER32(?), ref: 00889B68
ScreenToClient.USER32(?,?), ref: 00889B75
GetParent.USER32(?), ref: 00889B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00889BFA
SendMessageW.USER32 ref: 00889C2B
ClientToScreen.USER32(?,?), ref: 00889C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00889CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00889CDE
SendMessageW.USER32 ref: 00889D01
ClientToScreen.USER32(?,?), ref: 00889D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00889D82

Part of subcall function 00809944: GetWindowLongW.USER32(?,000000EB), ref: 00809952

GetWindowLongW.USER32(?,000000F0), ref: 00889E05

Strings

@GUI_DRAGID, xrefs: 0088997D
F, xrefs: 00889D07

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 8213d21073070c427425462af7db6841e77f54aa149b9111cd4cd5f27bd23476
Instruction ID: 452b8bcfcf27f2270e3d772a8d75e67300a9fa699b9ef4e3c3b7952c91847be3
Opcode Fuzzy Hash: 8213d21073070c427425462af7db6841e77f54aa149b9111cd4cd5f27bd23476
Instruction Fuzzy Hash: CB427974204201AFDB25EF68CC88EBABBE5FF59314F18061DF699C72A1E731A854CB51

Function 00884873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 008848F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00884908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00884927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0088494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0088495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0088497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 008849AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 008849D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00884A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00884A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00884A7E
IsMenu.USER32(?), ref: 00884A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00884AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00884B20
GetWindowLongW.USER32(?,000000F0), ref: 00884B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00884BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00884C82
wsprintfW.USER32 ref: 00884CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00884CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00884CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00884D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00884D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00884D5A

Strings

%d/%02d/%02d, xrefs: 00884CA8

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: ff2e3e8bd65ade78186b657fa34266f0aadb39c91b68ff2cabb689d1fbccafe5
Instruction ID: 20fdcf87fa1ab7bb3e0173d165a6b6167d5c4dd330b3a59d1ecbc593db2ccc8c
Opcode Fuzzy Hash: ff2e3e8bd65ade78186b657fa34266f0aadb39c91b68ff2cabb689d1fbccafe5
Instruction Fuzzy Hash: 9312E07260025AABEB24AF28CC49FAE7BF8FF45714F105129F516EB2E1DB749940CB50

Function 00851201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 008516C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0085170D
Part of subcall function 008516C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0085173A
Part of subcall function 008516C3: GetLastError.KERNEL32 ref: 0085174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00851286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 008512A8
CloseHandle.KERNEL32(?), ref: 008512B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008512D1
GetProcessWindowStation.USER32 ref: 008512EA
SetProcessWindowStation.USER32(00000000), ref: 008512F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00851310

Part of subcall function 008510BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008511FC), ref: 008510D4
Part of subcall function 008510BF: CloseHandle.KERNEL32(?,?,008511FC), ref: 008510E9

Strings

winsta0, xrefs: 008512CC
, xrefs: 0085125A
default, xrefs: 0085130B

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 1da47a073dab4e969563c3d38c5bdad611b51ca3165dd5f97326bfb5145a6843
Instruction ID: 5b00675c4e0c84e43c4df60ba4ba7ed64ac35c1797abfcf2d60f969f96285579
Opcode Fuzzy Hash: 1da47a073dab4e969563c3d38c5bdad611b51ca3165dd5f97326bfb5145a6843
Instruction Fuzzy Hash: D3817971900209AFDF219FA8DC89FEE7BBAFF04705F145129F910E62A0D7749948CB25

Function 00850B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008510F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00851114
Part of subcall function 008510F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00850B9B,?,?,?), ref: 00851120
Part of subcall function 008510F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00850B9B,?,?,?), ref: 0085112F
Part of subcall function 008510F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00850B9B,?,?,?), ref: 00851136
Part of subcall function 008510F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0085114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00850BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00850C00
GetLengthSid.ADVAPI32(?), ref: 00850C17
GetAce.ADVAPI32(?,00000000,?), ref: 00850C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00850C6D
GetLengthSid.ADVAPI32(?), ref: 00850C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00850C8C
HeapAlloc.KERNEL32(00000000), ref: 00850C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00850CB4
CopySid.ADVAPI32(00000000), ref: 00850CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00850CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00850D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00850D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00850D45
HeapFree.KERNEL32(00000000), ref: 00850D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00850D55
HeapFree.KERNEL32(00000000), ref: 00850D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00850D65
HeapFree.KERNEL32(00000000), ref: 00850D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00850D78
HeapFree.KERNEL32(00000000), ref: 00850D7F

Part of subcall function 00851193: GetProcessHeap.KERNEL32(00000008,00850BB1,?,00000000,?,00850BB1,?), ref: 008511A1
Part of subcall function 00851193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00850BB1,?), ref: 008511A8
Part of subcall function 00851193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00850BB1,?), ref: 008511B7

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 12deda7d980606a289d38b4f98b189666f938e97bb1e237f6643cd7587b04c4f
Instruction ID: 181c0eaee1ce065072441d2c1b5b000674b0e35a9a12e97a6979f318c49a053a
Opcode Fuzzy Hash: 12deda7d980606a289d38b4f98b189666f938e97bb1e237f6643cd7587b04c4f
Instruction Fuzzy Hash: 0A71497690020AABEF109FA8DC88BEEBBB8FF05341F144615ED14E6195D775A909CF60

Function 0086EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0088CC08), ref: 0086EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0086EB37
GetClipboardData.USER32(0000000D), ref: 0086EB43
CloseClipboard.USER32 ref: 0086EB4F
GlobalLock.KERNEL32(00000000), ref: 0086EB87
CloseClipboard.USER32 ref: 0086EB91
GlobalUnlock.KERNEL32(00000000), ref: 0086EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0086EBC9
GetClipboardData.USER32(00000001), ref: 0086EBD1
GlobalLock.KERNEL32(00000000), ref: 0086EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0086EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0086EC38
GetClipboardData.USER32(0000000F), ref: 0086EC44
GlobalLock.KERNEL32(00000000), ref: 0086EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0086EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0086EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0086ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0086ECF3
CountClipboardFormats.USER32 ref: 0086ED14
CloseClipboard.USER32 ref: 0086ED59

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 54d6cd98dda49b292154baddf555ac359b2ff9172c0108c571fbf7dcb91b197b
Instruction ID: b6d470770b4dce4f4e69b74431d041813e4256e94c17f359ca77a5db841a10c2
Opcode Fuzzy Hash: 54d6cd98dda49b292154baddf555ac359b2ff9172c0108c571fbf7dcb91b197b
Instruction Fuzzy Hash: FE61BD38204205AFD300EF28D888F7AB7A4FF84754F15451DF556D72A6DB31E945CBA2

Function 0086698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 008669BE
FindClose.KERNEL32(00000000), ref: 00866A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00866A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00866A75

Part of subcall function 007F9CB3: _wcslen.LIBCMT ref: 007F9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00866AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00866ADF

Strings

%4d, xrefs: 00866BB1
%03d, xrefs: 00866DA2
%02d, xrefs: 00866C00, 00866C0A, 00866C5A, 00866CAA, 00866CFA, 00866D4A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00866B32
%4d%02d%02d%02d%02d%02d, xrefs: 00866B6A

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 9c220c5128943c4d6e1d9ff8bc5f1c10f1cd3cf9c42e65160959eda85f9c04eb
Instruction ID: 551dd84aef8e78e04dbfd2dfc10cc264c3609125d907578b5152065acb891de0
Opcode Fuzzy Hash: 9c220c5128943c4d6e1d9ff8bc5f1c10f1cd3cf9c42e65160959eda85f9c04eb
Instruction Fuzzy Hash: 87D15F72508344AEC314EBA4C995EBBB7ECFF88704F44491DF685D6291EB38DA04CB62

Function 00869642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00869663
GetFileAttributesW.KERNEL32(?), ref: 008696A1
SetFileAttributesW.KERNEL32(?,?), ref: 008696BB
FindNextFileW.KERNEL32(00000000,?), ref: 008696D3
FindClose.KERNEL32(00000000), ref: 008696DE
FindFirstFileW.KERNEL32(*.*,?), ref: 008696FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0086974A
SetCurrentDirectoryW.KERNEL32(008B6B7C), ref: 00869768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00869772
FindClose.KERNEL32(00000000), ref: 0086977F
FindClose.KERNEL32(00000000), ref: 0086978F

Strings

*.*, xrefs: 008696F5

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: d2151662db4c171d7e5bd7b2cb08a678617041f26a37a9189bb34ec002c49297
Instruction ID: 1ccfb0725b19f64627230e28482b463825a9d6a6f916d3993835ddda2bdebd87
Opcode Fuzzy Hash: d2151662db4c171d7e5bd7b2cb08a678617041f26a37a9189bb34ec002c49297
Instruction Fuzzy Hash: 8931A232541219AADF14AFB8EC49EEE77ACFF49320F114165F955E21D0EB34D9848B24

Function 0086979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 008697BE
FindNextFileW.KERNEL32(00000000,?), ref: 00869819
FindClose.KERNEL32(00000000), ref: 00869824
FindFirstFileW.KERNEL32(*.*,?), ref: 00869840
SetCurrentDirectoryW.KERNEL32(?), ref: 00869890
SetCurrentDirectoryW.KERNEL32(008B6B7C), ref: 008698AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 008698B8
FindClose.KERNEL32(00000000), ref: 008698C5
FindClose.KERNEL32(00000000), ref: 008698D5

Part of subcall function 0085DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0085DB00

Strings

*.*, xrefs: 0086983B

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 4480899fb7edccde309861d01c4fd782b7f18e10721364b49ca4f398cac89fd8
Instruction ID: d0d1aa36acdee736134822a8220b7c2c97cfa356f283f5f9ed9deefce26774de
Opcode Fuzzy Hash: 4480899fb7edccde309861d01c4fd782b7f18e10721364b49ca4f398cac89fd8
Instruction Fuzzy Hash: 8A31C332540219AADB10AFB8EC48ADE77ACFF4A320F114165E890E32D4EB35D985CB60

Function 0087BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0087C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0087B6AE,?,?), ref: 0087C9B5
Part of subcall function 0087C998: _wcslen.LIBCMT ref: 0087C9F1
Part of subcall function 0087C998: _wcslen.LIBCMT ref: 0087CA68
Part of subcall function 0087C998: _wcslen.LIBCMT ref: 0087CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0087BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0087BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0087BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0087C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0087C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0087C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0087C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0087C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0087C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0087C382
RegCloseKey.ADVAPI32(00000000), ref: 0087C38F

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 225c90f8bb20b4003ada2de84941717cec43bf31d8d7b70278726a80c43ed987
Instruction ID: 82b6359ec5943a8cc763cf8f7245e1a9ca083024ee959d353843fe0c564a69a2
Opcode Fuzzy Hash: 225c90f8bb20b4003ada2de84941717cec43bf31d8d7b70278726a80c43ed987
Instruction Fuzzy Hash: B9023A71604204AFC714DF28C895E2ABBE5FF89318F18C49DE84ADB2A6DB31ED45CB51

Function 00868195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00868257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00868267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00868273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00868310
SetCurrentDirectoryW.KERNEL32(?), ref: 00868324
SetCurrentDirectoryW.KERNEL32(?), ref: 00868356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0086838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00868395

Strings

*.*, xrefs: 0086839B

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 67b653cf1c5dec2acdfbf8b933f6d18c8442f3785486ad47a9d785a0afebd506
Instruction ID: 24e59f56ec000a704e23e9cd37b885a552d850b1e5f8794576be6c1a0517eb28
Opcode Fuzzy Hash: 67b653cf1c5dec2acdfbf8b933f6d18c8442f3785486ad47a9d785a0afebd506
Instruction Fuzzy Hash: 276146B2504309DFCB10EF64C8449AEB3E8FF89314F05891AEA99C7351EB35E945CB92

Function 0085D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 007F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007F3A97,?,?,007F2E7F,?,?,?,00000000), ref: 007F3AC2

Part of subcall function 0085E199: GetFileAttributesW.KERNEL32(?,0085CF95), ref: 0085E19A

FindFirstFileW.KERNEL32(?,?), ref: 0085D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0085D1DD
MoveFileW.KERNEL32(?,?), ref: 0085D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0085D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0085D237

Part of subcall function 0085D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0085D21C,?,?), ref: 0085D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0085D253
FindClose.KERNEL32(00000000), ref: 0085D264

Strings

\*.*, xrefs: 0085D0CD, 0085D0D6, 0085D0EB

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 9f05fba601fd3c683c81102937ad19274438422bec1c3873234666005d618cda
Instruction ID: f1a9139ab18968e9e6ed5ca0b2727ee5aa881cf50519a068748a65e7fbcbb45d
Opcode Fuzzy Hash: 9f05fba601fd3c683c81102937ad19274438422bec1c3873234666005d618cda
Instruction Fuzzy Hash: 9B61463180120DEACF15EBA4CA969FDB7B5FF15342F204165E906B7291EB34AF09CB61

Function 0086ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0086ED91
EmptyClipboard.USER32 ref: 0086ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0086EDAC
CloseClipboard.USER32 ref: 0086EEA3

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 52fe6af8966039459df7f5a61e2e46ec45ccd2e01e30d3ac03dee4381aeb76a3
Instruction ID: 7e2ab05b68a360ee4013a64328ab63ff673018e1c0ada7bbff96724b4f1892da
Opcode Fuzzy Hash: 52fe6af8966039459df7f5a61e2e46ec45ccd2e01e30d3ac03dee4381aeb76a3
Instruction Fuzzy Hash: 09416C39604611AFE721DF19E888B29BBE5FF44328F15C099E419CB7A2D776EC41CB90

Function 0085E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 008516C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0085170D
Part of subcall function 008516C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0085173A
Part of subcall function 008516C3: GetLastError.KERNEL32 ref: 0085174A

ExitWindowsEx.USER32(?,00000000), ref: 0085E932

Strings

, xrefs: 0085E95C
@, xrefs: 0085E925
, xrefs: 0085E920
SeShutdownPrivilege, xrefs: 0085E902

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 02de051166edab191b0b2ed7ec5c48c962eb93eeadea4a5a6120e27e856febfa
Instruction ID: faee2b8ebb1520e5a88197c0d81cc206d709f0d998799e9b7bad34bffd8e7c14
Opcode Fuzzy Hash: 02de051166edab191b0b2ed7ec5c48c962eb93eeadea4a5a6120e27e856febfa
Instruction Fuzzy Hash: 3C014E72A10214AFEF182678AC8AFBF769CFB14747F140422FC13E21D1D6745D4882A1

Function 00871204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00871276
WSAGetLastError.WSOCK32 ref: 00871283
bind.WSOCK32(00000000,?,00000010), ref: 008712BA
WSAGetLastError.WSOCK32 ref: 008712C5
closesocket.WSOCK32(00000000), ref: 008712F4
listen.WSOCK32(00000000,00000005), ref: 00871303
WSAGetLastError.WSOCK32 ref: 0087130D
closesocket.WSOCK32(00000000), ref: 0087133C

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: ebaf3ecdc27fdb900ab2d2e097a78a764a1cba26729c0208983ad331d2a4b3d0
Instruction ID: e177f127aea54ff922bbdc57bbd0d278a9e98b15ace0c2b4e211c4de672ec360
Opcode Fuzzy Hash: ebaf3ecdc27fdb900ab2d2e097a78a764a1cba26729c0208983ad331d2a4b3d0
Instruction Fuzzy Hash: E7414C316001049FDB10DF68C488B29BBE6FF46318F18C198E95A9B79AC775ED85CBA1

Function 0082B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0082B9D4
_free.LIBCMT ref: 0082B9F8
_free.LIBCMT ref: 0082BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00893700), ref: 0082BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,008C121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0082BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,008C1270,000000FF,?,0000003F,00000000,?), ref: 0082BC36
_free.LIBCMT ref: 0082BD4B

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 012dd405bd6a5d8f5d9a8051de7bc5b8b057a339544c774e0d3205b48584f2ef
Instruction ID: 2910c18afd50112d52a976539c39d89bd4b05f086da2d6c46a6daa0a5428c3e7
Opcode Fuzzy Hash: 012dd405bd6a5d8f5d9a8051de7bc5b8b057a339544c774e0d3205b48584f2ef
Instruction Fuzzy Hash: A0C13A71906229AFCB10DF68BC45BAEBBB8FF46320F14416AE495D7252EB309EC1C751

Function 0085D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 007F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007F3A97,?,?,007F2E7F,?,?,?,00000000), ref: 007F3AC2

Part of subcall function 0085E199: GetFileAttributesW.KERNEL32(?,0085CF95), ref: 0085E19A

FindFirstFileW.KERNEL32(?,?), ref: 0085D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0085D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0085D481
FindClose.KERNEL32(00000000), ref: 0085D498
FindClose.KERNEL32(00000000), ref: 0085D4A1

Strings

\*.*, xrefs: 0085D3F2

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: ac080be3be8cd590586cebcc46e5f86019bbfe2ff18abccafcb77d09635c8235
Instruction ID: cbf03d32c1d50d6ad2c9ca067983b3084ef45c6da1a477832900e42336aa5efa
Opcode Fuzzy Hash: ac080be3be8cd590586cebcc46e5f86019bbfe2ff18abccafcb77d09635c8235
Instruction Fuzzy Hash: 89319E71008349EBC311EF64C8958BFB7E8BE91305F404A2DF9D592291EB34AA0DC767

Function 0082E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0082E645

Strings

1#SNAN, xrefs: 0082F844
1#INF, xrefs: 0082F852
1#QNAN, xrefs: 0082F84B
1#IND, xrefs: 0082F83D

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 2ffbd6c7e5528cb2bf8b66ba5e3b391e9bdb32b7fe46bbd3bfdc15c3f3bd0eeb
Instruction ID: fcfcfe5033c44d60321c41d05cea7e6624bf99a94c3a7399cca0f986f6cd0166
Opcode Fuzzy Hash: 2ffbd6c7e5528cb2bf8b66ba5e3b391e9bdb32b7fe46bbd3bfdc15c3f3bd0eeb
Instruction Fuzzy Hash: B9C21671E086288FDB25CE28AD407EAB7B5FB48305F1441EAD94EE7241E774AE81CF44

Function 0086648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008664DC
CoInitialize.OLE32(00000000), ref: 00866639
CoCreateInstance.OLE32(0088FCF8,00000000,00000001,0088FB68,?), ref: 00866650
CoUninitialize.OLE32 ref: 008668D4

Strings

.lnk, xrefs: 008664BA, 00866524, 008665E0

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: d68d7842dddb9672527d4f9bd803d88347f6dc96e70c4dc4b54ca3a1ef4dd96e
Instruction ID: c95327331907631dd41fc144a20d5db873b6527502a73b2625ed430f6f5c2493
Opcode Fuzzy Hash: d68d7842dddb9672527d4f9bd803d88347f6dc96e70c4dc4b54ca3a1ef4dd96e
Instruction Fuzzy Hash: A1D159715082459FC304EF24C885A6BB7E9FF94704F14496DF696CB2A1EB70E905CBA2

Function 008722DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 008722E8

Part of subcall function 0086E4EC: GetWindowRect.USER32(?,?), ref: 0086E504

GetDesktopWindow.USER32 ref: 00872312
GetWindowRect.USER32(00000000), ref: 00872319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00872355
GetCursorPos.USER32(?), ref: 00872381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 008723DF

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 044f74e4b8ca6445a10e22b8db41b77e5d5652572895c83b6c8b1e69cc2d7df5
Instruction ID: af8497e8e04170fae1d9a7cb0c1dce4f41790085cc6bf60330fc8ce964bd4641
Opcode Fuzzy Hash: 044f74e4b8ca6445a10e22b8db41b77e5d5652572895c83b6c8b1e69cc2d7df5
Instruction Fuzzy Hash: 9E31D072504315AFDB20DF58D845B5BBBAAFF84314F004919F989D7291DB34EA08CBA2

Function 00869B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 007F9CB3: _wcslen.LIBCMT ref: 007F9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00869B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00869C8B

Part of subcall function 00863874: GetInputState.USER32 ref: 008638CB
Part of subcall function 00863874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00863966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00869BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00869C75

Strings

*.*, xrefs: 00869B5D

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 1692ffb75ff3447a77d469b3144ad852d2c9153f50bac02d1d3c7915e50224d5
Instruction ID: 55954d69814c4a3cef8d6c4244639d5c0c7a836225c0d05d752f6c49998924c9
Opcode Fuzzy Hash: 1692ffb75ff3447a77d469b3144ad852d2c9153f50bac02d1d3c7915e50224d5
Instruction Fuzzy Hash: 25416D7190020AAFCF15DF64C989AEEBBB8FF05350F244055E955E22D1EB349E84CF61

Function 0080997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00809BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00809BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00809A4E
GetSysColor.USER32(0000000F), ref: 00809B23
SetBkColor.GDI32(?,00000000), ref: 00809B36

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 0718cdb50abbc092f3323dfa7e499283f64da17b2e739d29f959db2028d7d930
Instruction ID: 0a65dfa67c8a251faf71c5959881d6799336fbecbf1df792c3bc8c89fec3bdc3
Opcode Fuzzy Hash: 0718cdb50abbc092f3323dfa7e499283f64da17b2e739d29f959db2028d7d930
Instruction Fuzzy Hash: 27A1087030946CAEE768AA2C8C98E7B3A9DFB86354F150119F582D66D3CB35DD01C376

Function 00871806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0087304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0087307A
Part of subcall function 0087304E: _wcslen.LIBCMT ref: 0087309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0087185D
WSAGetLastError.WSOCK32 ref: 00871884
bind.WSOCK32(00000000,?,00000010), ref: 008718DB
WSAGetLastError.WSOCK32 ref: 008718E6
closesocket.WSOCK32(00000000), ref: 00871915

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 6a5cb8da466419056111ab98c8222966eef69cf30138ee2ef1a36cbbbe82a819
Instruction ID: 0d6d82bd09b6509648f919a263bc51d44dde548b96babcc2001719084bbb6140
Opcode Fuzzy Hash: 6a5cb8da466419056111ab98c8222966eef69cf30138ee2ef1a36cbbbe82a819
Instruction Fuzzy Hash: 7A519471A002049FDB10AF28C88AF3A77E5EB44718F188058FA099F3D7C775ED418BA1

Function 00881C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00881CC0
IsWindowEnabled.USER32 ref: 00881CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00881CDB
IsIconic.USER32 ref: 00881CE9
IsZoomed.USER32 ref: 00881CF7

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 86ed82cddcdd09ecf0435174b8c126e8dff9073c33a72666ee1dcdde5807fa63
Instruction ID: 9a5df8f22728913ac42345a6dd1376a8df4efc8d735b8016fedf1cd6f5b1500d
Opcode Fuzzy Hash: 86ed82cddcdd09ecf0435174b8c126e8dff9073c33a72666ee1dcdde5807fa63
Instruction Fuzzy Hash: 672186317402119FDB21AF1AD848B667BEAFF95315B198068E845CB352DB75DC43CB90

Function 007F8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 007F813C
VUUU, xrefs: 007F83E8
VUUU, xrefs: 007F843C
VUUU, xrefs: 00835DF0
VUUU, xrefs: 007F83FA

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 43f640ea131058fe7d241bcbb7e640ac6bde98ae42144db810fdfc694605e3a5
Instruction ID: a54a845e8566702c27d4aec5f390295341f7f492e48caa71b0a1c86a672d89aa
Opcode Fuzzy Hash: 43f640ea131058fe7d241bcbb7e640ac6bde98ae42144db810fdfc694605e3a5
Instruction Fuzzy Hash: A0A25970A0061ECBDF64CF58C8407BEB7B1FB94314F2481AAE915EB385EB749D918B91

Function 0087A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0087A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0087A6BA

Part of subcall function 007F9CB3: _wcslen.LIBCMT ref: 007F9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0087A79C
CloseHandle.KERNEL32(00000000), ref: 0087A7AB

Part of subcall function 0080CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00833303,?), ref: 0080CE8A

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: d8a6dfaa8e75e336c67667f3542cd42e1f8ddeeba2b3cd3eaf310351b876ec64
Instruction ID: aac911db82d560d066e0dde8508c02b43b9daa3a10170b648894474006601f9d
Opcode Fuzzy Hash: d8a6dfaa8e75e336c67667f3542cd42e1f8ddeeba2b3cd3eaf310351b876ec64
Instruction Fuzzy Hash: 29512C715083049FD714EF24C886A6BBBE8FF89754F00892DF689D7292EB34D904CB92

Function 0085AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0085AAAC
SetKeyboardState.USER32(00000080), ref: 0085AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0085AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0085AB88

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: af6b6818db082854e6ee0de20c85cbb3247e3507d245d04d322a5470cc73d01d
Instruction ID: 39009bb5164a61b242646ee64f3d86554842c0ff8bd4faff882414b5db37bc8c
Opcode Fuzzy Hash: af6b6818db082854e6ee0de20c85cbb3247e3507d245d04d322a5470cc73d01d
Instruction Fuzzy Hash: 4531EC30A40258AEEF39CA688C85BFA77A6FB54322F04431AF981D61D1D3758949C7A3

Function 0086CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0086CE89
GetLastError.KERNEL32(?,00000000), ref: 0086CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0086CEFE

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: a0887ca5bcc33ecfa113230d8e0bb7f3d741ade2927f8f5b1961b33e94b0af0e
Instruction ID: 38bffa5bda4c9d95bb9745629fd5600957b0de705ea5436700ac881bc8cdfa16
Opcode Fuzzy Hash: a0887ca5bcc33ecfa113230d8e0bb7f3d741ade2927f8f5b1961b33e94b0af0e
Instruction Fuzzy Hash: 45219DB16003059BDB20DF69D988BA6B7FCFF50358F11441EE686D2151EB75EE44CB60

Function 00858298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 008582AA

Strings

|, xrefs: 008582DA
(, xrefs: 008582F0

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 99a3918c31aff8e086d31c8bed55e172f5cf00e7b5dd5e53a2b0371a858e80eb
Instruction ID: cb539449fc29259e60ec4d182003fe68c9a6f9097a15ce7bbd90077f9955fa7a
Opcode Fuzzy Hash: 99a3918c31aff8e086d31c8bed55e172f5cf00e7b5dd5e53a2b0371a858e80eb
Instruction Fuzzy Hash: 33323775A00605DFCB28CF59C4819AAB7F0FF48710B15C46EE99AEB3A1EB70E941CB40

Function 00865C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00865CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00865D17
FindClose.KERNEL32(?), ref: 00865D5F

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: d2ce2cb431bd00bbcc57d68cc4a44d5bab0fb4c498c643acfcec2e353765315d
Instruction ID: 51ac26419e66d060db831ffd65e80f0d07dcae6dc06ca63b2d2f48e4ef195bcf
Opcode Fuzzy Hash: d2ce2cb431bd00bbcc57d68cc4a44d5bab0fb4c498c643acfcec2e353765315d
Instruction Fuzzy Hash: 57518975604A059FC714CF28C498A9AB7E4FF49324F15856DE95ACB3A2CB30ED44CB91

Function 00822622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0082271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00822724
UnhandledExceptionFilter.KERNEL32(?), ref: 00822731

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: afc4be70d71d6650e17145774bc7cac9cc0018c8868660d0cb0a8c1dac1ae6fd
Instruction ID: 5903b2b570547aaac01ebd2a10ee1a39c02f8c17c5f81c8687202e5d092d33b5
Opcode Fuzzy Hash: afc4be70d71d6650e17145774bc7cac9cc0018c8868660d0cb0a8c1dac1ae6fd
Instruction Fuzzy Hash: 1531B475911228ABCB21DF68DC897D9B7B8FF08310F5041EAE41CA6261E7709FC18F55

Function 008651CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008651DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00865238
SetErrorMode.KERNEL32(00000000), ref: 008652A1

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 57dffb82a43d56be12cf5aed171ae1dae623d2330f811196c0e46c4a952c5a82
Instruction ID: 53f1ab243bb43b2118e91414614de04e0471b07b8a2db7b7c73e5823b177aac4
Opcode Fuzzy Hash: 57dffb82a43d56be12cf5aed171ae1dae623d2330f811196c0e46c4a952c5a82
Instruction Fuzzy Hash: E3317C35A00508DFDB00DF54D8C8EADBBB4FF08314F098099E905AB3A2CB35E856CBA0

Function 008516C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0080FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00810668
Part of subcall function 0080FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00810685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0085170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0085173A
GetLastError.KERNEL32 ref: 0085174A

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 318ebc5cb2cc0b826a15a2f686fa077383d2e3413bb6b81633675836551b321d
Instruction ID: 7fbf9638b0dc111fee8b8f5f9f64458610e302d8ed92c047b0612d7b552bf895
Opcode Fuzzy Hash: 318ebc5cb2cc0b826a15a2f686fa077383d2e3413bb6b81633675836551b321d
Instruction Fuzzy Hash: C611C4B1400305AFDB189F68DC86E6BB7F9FB44755B20C52EE45693645EB70BC458B20

Function 0085D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0085D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0085D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0085D650

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: d5065f7d2170ef2bb8648c8b8b202f0e7e12dd98320074a661e17a53eb892e70
Instruction ID: 3c2be01ba74565a13f77760302587509a673a84c845a231054061c5ee258ab13
Opcode Fuzzy Hash: d5065f7d2170ef2bb8648c8b8b202f0e7e12dd98320074a661e17a53eb892e70
Instruction Fuzzy Hash: 33113C75E05228BBDB208F999C45FAFBBBCFB45B50F108115FD04E7294D6705A058BA1

Function 00851663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0085168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 008516A1
FreeSid.ADVAPI32(?), ref: 008516B1

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: d3e2bbc6fab3aa05c0c6e8384e16f6c4a17ee56fc3ea35fc37d65ed87889c561
Instruction ID: 16e9bd8efd5483516b32e922f0cfbf7f73c04eb1088f3b87309911934795ee7d
Opcode Fuzzy Hash: d3e2bbc6fab3aa05c0c6e8384e16f6c4a17ee56fc3ea35fc37d65ed87889c561
Instruction Fuzzy Hash: 6BF0F475950309FBDF00DFE49C89EAEBBBCFB08645F504565E901E2181E774AA449B60

Function 0082C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0082C36C

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 95268d91dd62c8c567297fdacc9246e200a2f9be8b304952ab8d424c94abbb7f
Instruction ID: 76a900ab7afe08c1a6f1ca15d2f2a6c9fca63e2b0b9cd80b7508f1c84f13fd6b
Opcode Fuzzy Hash: 95268d91dd62c8c567297fdacc9246e200a2f9be8b304952ab8d424c94abbb7f
Instruction Fuzzy Hash: 47411576900229ABCB20EFB9EC49EBF77B8FB84354F104669F905D7280E6709D818B50

Function 0084D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0084D28C

Strings

X64, xrefs: 0084D2A8

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 7674ac8fbe4066663e75686acca58f2680f9acd1253dc0ac378a78c7db354fc0
Instruction ID: 506989ed0a10c8fa0ca3c8d2df8682cb0dd9f822d388b6bc5eccb827271143a3
Opcode Fuzzy Hash: 7674ac8fbe4066663e75686acca58f2680f9acd1253dc0ac378a78c7db354fc0
Instruction Fuzzy Hash: 71D0CAB580122DEBCB90CBA0EC88DDAB3BCFB14349F100292F10AE2140DB70A6488F20

Function 0081CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: d7909ed6b900624728f3d56629a870ef659c35cab81992db92fd09a2cfdf7f8e
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 57021B71E402199BDF14CFA9D8806EDBBF5FF88324F25816AD819E7380D731AE418B94

Function 008668EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00866918
FindClose.KERNEL32(00000000), ref: 00866961

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 8b346f09b229552b8cc977085a66d8af3eadbb01a92fadef011409f669a48aa4
Instruction ID: b818da48afdb076880d6d8a88e3d67ade6aec83a96b122cea4b2ee14a72b3961
Opcode Fuzzy Hash: 8b346f09b229552b8cc977085a66d8af3eadbb01a92fadef011409f669a48aa4
Instruction Fuzzy Hash: F411D0316042459FC710CF29C488A26BBE4FF84328F05C699E8698F3A2D734EC05CB90

Function 008637B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00874891,?,?,00000035,?), ref: 008637E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00874891,?,?,00000035,?), ref: 008637F4

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 5f7b4833af870cf626b69f3c9712a8c69c81d14ab7130acc061d08613f57344d
Instruction ID: 1da936b32dea2882aeb87c908a88b308f7f5125bfa9ef98b0cf2cf01bb55ccca
Opcode Fuzzy Hash: 5f7b4833af870cf626b69f3c9712a8c69c81d14ab7130acc061d08613f57344d
Instruction Fuzzy Hash: B7F0E5B06042296AEB20177A9C4DFEB3AAEFFC4761F000175F609D2285DA709904C7B0

Function 008510BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008511FC), ref: 008510D4
CloseHandle.KERNEL32(?,?,008511FC), ref: 008510E9

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: debdc124d6ee20998de81322497c123aca1016790275bb76e4c620fc465c2d6b
Instruction ID: e4c3e4281e76dfebae32d6fb683fbdad020523c739ad886b70af14308aba4693
Opcode Fuzzy Hash: debdc124d6ee20998de81322497c123aca1016790275bb76e4c620fc465c2d6b
Instruction Fuzzy Hash: 94E04F32004601AEE7652B65FC09E7377A9FB04310B20C82DF9A5C04F5DB72AC90DB60

Function 0082676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00826766,?,?,00000008,?,?,0082FEFE,00000000), ref: 00826998

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: b88e8102a1af1bcc7ee44a7a1303ba6fb61eab6b315c2aca601a4d1fc5f8f54a
Instruction ID: 7ea28696cc98426d61a6fb8a3b1758720ef94262b46faf07baa4712aa96306b9
Opcode Fuzzy Hash: b88e8102a1af1bcc7ee44a7a1303ba6fb61eab6b315c2aca601a4d1fc5f8f54a
Instruction Fuzzy Hash: 6CB16D31610618DFD719CF28D486B657BE0FF05368F298658E89ACF2A2D735E9E1CB40

Function 0080B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0084851F

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 5dcbe7907ee01127703096386269039d20c7747f05c073388aa74fbd3f4966b2
Instruction ID: a112881dfa6fb840f4cde69eed5fd4e048a208a0779c137ef22254b2aed9431c
Opcode Fuzzy Hash: 5dcbe7907ee01127703096386269039d20c7747f05c073388aa74fbd3f4966b2
Instruction Fuzzy Hash: 58125F71900629DFDB64CF58C8806AEB7F5FF48710F1481AAE849EB295DB349E81CF94

Function 0086EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0086EABD

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 51a1641f50e300ead0d10c100a3175f6f3ce8f8e1ddb5369d4c549f3ba41cce3
Instruction ID: d5244fa36abab38c87a151ae3cafbad167246ae132e358e10c2e8d0538168d2e
Opcode Fuzzy Hash: 51a1641f50e300ead0d10c100a3175f6f3ce8f8e1ddb5369d4c549f3ba41cce3
Instruction Fuzzy Hash: 57E012352002189FC710DF59D444D5AF7D9FF68760F018416FD45C7351D674A8408B90

Function 008109D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,008103EE), ref: 008109DA

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b991ee5666c0bdc95ee1ca282afdf2f6992fac50857ecf14337560ff1410f7d3
Instruction ID: 694a38085c09b8400c2326d32a4809b8cce8eb8155cf7f0e9fecacee9f286ccc
Opcode Fuzzy Hash: b991ee5666c0bdc95ee1ca282afdf2f6992fac50857ecf14337560ff1410f7d3
Instruction Fuzzy Hash:

Function 0081781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0081798B

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: d0db9c67c81aa13c0475d3683155fb49b3316cbb4305effa239619ae951f8340
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: D151386160C6495ADB384768885ABFE27BDFF12344F18052DE883D7282C619DECAD35A

Function 00826DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a747b032d76cfc3f090000640f5e462a7359030a0d427d7e2c024b06ba17fec2
Instruction ID: d1c80bce1abd552cee81c8b74b3127eba546c7e937e8407b19ca7a4c90664323
Opcode Fuzzy Hash: a747b032d76cfc3f090000640f5e462a7359030a0d427d7e2c024b06ba17fec2
Instruction Fuzzy Hash: 51322421D29F114DD723A635E962339A249FFB73C5F19D737E81AB59A6EB28C4C34100

Function 0080CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af0b3680896128dacc7952bd4ea79e7c261dcae36a7dff66f7fe04f02230e181
Instruction ID: 4bb2ddeded6cc039d90acf32e33fb711e0e0e3c5cadd6d333bbcf52d5b3b62d1
Opcode Fuzzy Hash: af0b3680896128dacc7952bd4ea79e7c261dcae36a7dff66f7fe04f02230e181
Instruction Fuzzy Hash: A5324A31A0111D8BDFA8CF29C8D067D7BA9FB45318F29866AD45ADB2D2E334DD81DB40

Function 007F7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3211c5fbf5a721a3a8d3ad71d9205216d5d637888a95350295e47d4440620df8
Instruction ID: 2693ddd5a5a05d3afdc147e6e038982a9250f098ceffc47b1ed2f67fa3ac3c53
Opcode Fuzzy Hash: 3211c5fbf5a721a3a8d3ad71d9205216d5d637888a95350295e47d4440620df8
Instruction Fuzzy Hash: AD2291B0A04609DFDF18CF68D881ABEB7B5FF44300F104529E916E7391EB39A955CB91

Function 007F91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec001ece667652b9795a16ba3310351d24920e26b5ab02e1f213939881e31e9b
Instruction ID: 050bcd1b035981d88291f931a174eb5aa00a49c6e16754f522d3c7b02240c6a7
Opcode Fuzzy Hash: ec001ece667652b9795a16ba3310351d24920e26b5ab02e1f213939881e31e9b
Instruction Fuzzy Hash: 4602B5B0A00209EBDB14DF64D881AAEB7B5FF84300F118169E916DB3D1EB35AE51CBD1

Function 00829EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69025a55e379a67f346227bdc8003e919767c3f65cc5f4332961a7cc5c7430f6
Instruction ID: 9c8acd5b7d870fd509898b15b6ff5356091e6b2e26fe9b17b014e4404f855cae
Opcode Fuzzy Hash: 69025a55e379a67f346227bdc8003e919767c3f65cc5f4332961a7cc5c7430f6
Instruction Fuzzy Hash: 0CB12320D6AF505DC323A6399831336B65CBFBB6D5F95D31BFC2674E22EB2286835140

Function 00817A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47e7c16cd456e192fb8d2ad3290ff76b9477edf7c7aed45071b4f45f613123a1
Instruction ID: 4409270a4c8702899e8fab14c5fc244465bce11e24ec62606b38cbee908c2b86
Opcode Fuzzy Hash: 47e7c16cd456e192fb8d2ad3290ff76b9477edf7c7aed45071b4f45f613123a1
Instruction Fuzzy Hash: 1661577120C71996DA349A2C8C96BFE23BCFF41764F24091EE982DB281DB119EC28356

Function 00817CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f917e80be10faf06bdfa390f364e1eca508511860d7b6c0ab1cbf16ba4ad8e75
Instruction ID: a040bcf5187c54150e42dd6bb46033b95fb8d63b910df97dc5f931d54c59ea50
Opcode Fuzzy Hash: f917e80be10faf06bdfa390f364e1eca508511860d7b6c0ab1cbf16ba4ad8e75
Instruction Fuzzy Hash: C761497160C70D97DE385A2C6856BFE23FCFF42B08F10095DE943DB285DA12ADC28256

Function 00862046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dcfc44d90bf47c83a5beea70aa56f7455b50bb5ffc69ebad6035764dd4ab835
Instruction ID: c3933c768df8d696ac9503a4c92e18bf7647b8c62a29bfce8edc98e09335f981
Opcode Fuzzy Hash: 8dcfc44d90bf47c83a5beea70aa56f7455b50bb5ffc69ebad6035764dd4ab835
Instruction Fuzzy Hash: 6321A832620A158BD728CF79C812A7A73E5F764310F15866EE4A7C37D0DE35A944CB50

Function 00872ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00872B30
DeleteObject.GDI32(00000000), ref: 00872B43
DestroyWindow.USER32 ref: 00872B52
GetDesktopWindow.USER32 ref: 00872B6D
GetWindowRect.USER32(00000000), ref: 00872B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00872CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00872CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00872CF8
GetClientRect.USER32(00000000,?), ref: 00872D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00872D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00872D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00872D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00872D80
GlobalLock.KERNEL32(00000000), ref: 00872D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00872D98
GlobalUnlock.KERNEL32(00000000), ref: 00872DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00872DA8
GlobalFree.KERNEL32(00000000), ref: 00872DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00872DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0088FC38,00000000), ref: 00872DDB
GlobalFree.KERNEL32(00000000), ref: 00872DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00872E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00872E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00872E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0087303F

Strings

AutoIt v3, xrefs: 00872CF2
DISPLAY, xrefs: 00872EA2
, xrefs: 00872FC5
static, xrefs: 00872D3A, 00872E91

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: ddfabccaf3e50f181f97959159b743d97f6d4fdbdddc3c48ded0c5cb957f5a3f
Instruction ID: d5ac606aec0fc35bdd24352c6b942b1009e2f2bb8d1e14199c7bc3f0a988bfbd
Opcode Fuzzy Hash: ddfabccaf3e50f181f97959159b743d97f6d4fdbdddc3c48ded0c5cb957f5a3f
Instruction Fuzzy Hash: 60025A71500209EFDB14DF68CC89EAE7BB9FB49714F048158F919AB2A5DB78ED01CB60

Function 008870D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0088712F
GetSysColorBrush.USER32(0000000F), ref: 00887160
GetSysColor.USER32(0000000F), ref: 0088716C
SetBkColor.GDI32(?,000000FF), ref: 00887186
SelectObject.GDI32(?,?), ref: 00887195
InflateRect.USER32(?,000000FF,000000FF), ref: 008871C0
GetSysColor.USER32(00000010), ref: 008871C8
CreateSolidBrush.GDI32(00000000), ref: 008871CF
FrameRect.USER32(?,?,00000000), ref: 008871DE
DeleteObject.GDI32(00000000), ref: 008871E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00887230
FillRect.USER32(?,?,?), ref: 00887262
GetWindowLongW.USER32(?,000000F0), ref: 00887284

Part of subcall function 008873E8: GetSysColor.USER32(00000012), ref: 00887421
Part of subcall function 008873E8: SetTextColor.GDI32(?,?), ref: 00887425
Part of subcall function 008873E8: GetSysColorBrush.USER32(0000000F), ref: 0088743B
Part of subcall function 008873E8: GetSysColor.USER32(0000000F), ref: 00887446
Part of subcall function 008873E8: GetSysColor.USER32(00000011), ref: 00887463
Part of subcall function 008873E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00887471
Part of subcall function 008873E8: SelectObject.GDI32(?,00000000), ref: 00887482
Part of subcall function 008873E8: SetBkColor.GDI32(?,00000000), ref: 0088748B
Part of subcall function 008873E8: SelectObject.GDI32(?,?), ref: 00887498
Part of subcall function 008873E8: InflateRect.USER32(?,000000FF,000000FF), ref: 008874B7
Part of subcall function 008873E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008874CE
Part of subcall function 008873E8: GetWindowLongW.USER32(00000000,000000F0), ref: 008874DB

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 6e9f0f7ef9d40869da016d9af270afbfcef167cdb43e34daef550aa0787ecdef
Instruction ID: 5e4b6b85c84120862719f0684178fd144a9d82bdd1ce9abae347d64fde69c473
Opcode Fuzzy Hash: 6e9f0f7ef9d40869da016d9af270afbfcef167cdb43e34daef550aa0787ecdef
Instruction Fuzzy Hash: 87A16F72008301AFDB11EF68DC48A5B7BB9FF89321F200A19F962D61E1D775E944DB62

Function 00872711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0087273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0087286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 008728A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 008728B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00872900
GetClientRect.USER32(00000000,?), ref: 0087290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00872955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00872964
GetStockObject.GDI32(00000011), ref: 00872974
SelectObject.GDI32(00000000,00000000), ref: 00872978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00872988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00872991
DeleteDC.GDI32(00000000), ref: 0087299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 008729C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 008729DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00872A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00872A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00872A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00872A77
GetStockObject.GDI32(00000011), ref: 00872A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00872A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00872A97

Strings

AutoIt v3, xrefs: 008728F8
DISPLAY, xrefs: 0087295A
msctls_progress32, xrefs: 00872A13
static, xrefs: 0087294F, 00872A71

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 818448f80789b16342796cc539cb3b67011c75abbde4aa7bedc1dc73ffae886a
Instruction ID: d4f12509511d5a690d44d4817d2f6bdccc10e61e169122c17352cb10d3846b63
Opcode Fuzzy Hash: 818448f80789b16342796cc539cb3b67011c75abbde4aa7bedc1dc73ffae886a
Instruction Fuzzy Hash: 29B14C71A00219AFEB14DF68DD89EAE7BB9FB09714F008114FA15E7691D778ED40CBA0

Function 00864ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00864AED
GetDriveTypeW.KERNEL32(?,0088CB68,?,\\.\,0088CC08), ref: 00864BCA
SetErrorMode.KERNEL32(00000000,0088CB68,?,\\.\,0088CC08), ref: 00864D36

Strings

SSD, xrefs: 00864C4A
SSA, xrefs: 00864CA6
RAMDisk, xrefs: 00864BF4
Virtual, xrefs: 00864CE5
ATAPI, xrefs: 00864C91
USB, xrefs: 00864CB4
SAS, xrefs: 00864CC9
Network, xrefs: 00864C02
\\.\, xrefs: 00864B3F
FileBackedVirtual, xrefs: 00864CEC
ATA, xrefs: 00864C98
CDROM, xrefs: 00864BFB
SATA, xrefs: 00864CD0
RAID, xrefs: 00864CBB
PhysicalDrive, xrefs: 00864B76
MMC, xrefs: 00864CDE
SCSI, xrefs: 00864C8A
Fibre, xrefs: 00864CAD
Removable, xrefs: 00864C10, 00864C15
Fixed, xrefs: 00864C09
iSCSI, xrefs: 00864CC2
1394, xrefs: 00864C9F
Unknown, xrefs: 00864BED, 00864C83

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 4b4e0b2344d2ec5f05c74f2ad25050761bd2ed308eacdccb119ecb6c16eebf48
Instruction ID: 0b2ba2b56712e6d3a9550634e5caea82b7e4465d73cb40176b9761925913b4ee
Opcode Fuzzy Hash: 4b4e0b2344d2ec5f05c74f2ad25050761bd2ed308eacdccb119ecb6c16eebf48
Instruction Fuzzy Hash: 4561C17060120ADBCB04DF68CA829BD7BA0FF04344B295415F916EB391EB3EED55DB51

Function 008873E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00887421
SetTextColor.GDI32(?,?), ref: 00887425
GetSysColorBrush.USER32(0000000F), ref: 0088743B
GetSysColor.USER32(0000000F), ref: 00887446
CreateSolidBrush.GDI32(?), ref: 0088744B
GetSysColor.USER32(00000011), ref: 00887463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00887471
SelectObject.GDI32(?,00000000), ref: 00887482
SetBkColor.GDI32(?,00000000), ref: 0088748B
SelectObject.GDI32(?,?), ref: 00887498
InflateRect.USER32(?,000000FF,000000FF), ref: 008874B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008874CE
GetWindowLongW.USER32(00000000,000000F0), ref: 008874DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0088752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00887554
InflateRect.USER32(?,000000FD,000000FD), ref: 00887572
DrawFocusRect.USER32(?,?), ref: 0088757D
GetSysColor.USER32(00000011), ref: 0088758E
SetTextColor.GDI32(?,00000000), ref: 00887596
DrawTextW.USER32(?,008870F5,000000FF,?,00000000), ref: 008875A8
SelectObject.GDI32(?,?), ref: 008875BF
DeleteObject.GDI32(?), ref: 008875CA
SelectObject.GDI32(?,?), ref: 008875D0
DeleteObject.GDI32(?), ref: 008875D5
SetTextColor.GDI32(?,?), ref: 008875DB
SetBkColor.GDI32(?,?), ref: 008875E5

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 27494846f17cdcfec5192e9ed4fb75c23af8cb4ddb3d24b531d56e2b0f0a7d97
Instruction ID: 632678cd269d36078e31d6359571dbc8d71aecc6b792ae7ed39a65e2291a2b98
Opcode Fuzzy Hash: 27494846f17cdcfec5192e9ed4fb75c23af8cb4ddb3d24b531d56e2b0f0a7d97
Instruction Fuzzy Hash: 16614D76900218AFDF11AFA8DC49EAE7FB9FB08320F214115F915EB2A1D7749940DBA0

Function 00880FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00881128
GetDesktopWindow.USER32 ref: 0088113D
GetWindowRect.USER32(00000000), ref: 00881144
GetWindowLongW.USER32(?,000000F0), ref: 00881199
DestroyWindow.USER32(?), ref: 008811B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 008811ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0088120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0088121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00881232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00881245
IsWindowVisible.USER32(00000000), ref: 008812A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 008812BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 008812D0
GetWindowRect.USER32(00000000,?), ref: 008812E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0088130E
GetMonitorInfoW.USER32(00000000,?), ref: 00881328
CopyRect.USER32(?,?), ref: 0088133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 008813AA

Strings

tooltips_class32, xrefs: 008811E6
(, xrefs: 0088131B
0, xrefs: 008810D3

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 6138326d147e69fade8554020abd34227c75d869e7826af558f5b6e15069e42e
Instruction ID: c4ebd2c770326f1c4460b2c04c6d6339dcdc003fe24c21490e02c2586fc41c4e
Opcode Fuzzy Hash: 6138326d147e69fade8554020abd34227c75d869e7826af558f5b6e15069e42e
Instruction Fuzzy Hash: EFB14C71604341EFDB14DF68C888B6ABBE8FF84354F008918F999DB261DB75E845CB61

Function 00880241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008802E5
_wcslen.LIBCMT ref: 0088031F
_wcslen.LIBCMT ref: 00880389
_wcslen.LIBCMT ref: 008803F1
_wcslen.LIBCMT ref: 00880475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 008804C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00880504

Part of subcall function 0080F9F2: _wcslen.LIBCMT ref: 0080F9FD

Part of subcall function 0085223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00852258
Part of subcall function 0085223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0085228A

Strings

SELECTINVERT, xrefs: 0088057E
GETITEMCOUNT, xrefs: 00880316, 00880337
GETTEXT, xrefs: 008803EC, 00880407
SELECTALL, xrefs: 00880515
GETSUBITEMCOUNT, xrefs: 00880384, 0088039F
DESELECT, xrefs: 0088059C
FINDITEM, xrefs: 00880627
SELECT, xrefs: 00880548
VIEWCHANGE, xrefs: 00880675
GETSELECTED, xrefs: 008805E1
ISSELECTED, xrefs: 008804DD
SELECTCLEAR, xrefs: 0088052D
GETSELECTEDCOUNT, xrefs: 00880470, 0088048B

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 1fa37b16600fe8b1f5c334a2f5bf9f7dc09389941858067ad8c7081101b1b432
Instruction ID: 4a54bb760bd6815387d5fd5d41c1c7c517c0caadae02dd9a0fff81d9667f17fa
Opcode Fuzzy Hash: 1fa37b16600fe8b1f5c334a2f5bf9f7dc09389941858067ad8c7081101b1b432
Instruction Fuzzy Hash: C1E19F312083058BC764EF28C55187AB7E6FF98318B14496CF996DB3A2DB34ED49CB52

Function 00808891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00808968
GetSystemMetrics.USER32(00000007), ref: 00808970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0080899B
GetSystemMetrics.USER32(00000008), ref: 008089A3
GetSystemMetrics.USER32(00000004), ref: 008089C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 008089E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 008089F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00808A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00808A3C
GetClientRect.USER32(00000000,000000FF), ref: 00808A5A
GetStockObject.GDI32(00000011), ref: 00808A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00808A81

Part of subcall function 0080912D: GetCursorPos.USER32(?), ref: 00809141
Part of subcall function 0080912D: ScreenToClient.USER32(00000000,?), ref: 0080915E
Part of subcall function 0080912D: GetAsyncKeyState.USER32(00000001), ref: 00809183
Part of subcall function 0080912D: GetAsyncKeyState.USER32(00000002), ref: 0080919D

SetTimer.USER32(00000000,00000000,00000028,008090FC), ref: 00808AA8

Strings

AutoIt v3 GUI, xrefs: 00808A20

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: d4ac0f3c3b65f3e41aeb26d94534e262452be4564ea37e1c36b86f744e1957b1
Instruction ID: 00249b60df1cd0b23df0687137c45b1e2f119c229943615c05d54ff66af000b5
Opcode Fuzzy Hash: d4ac0f3c3b65f3e41aeb26d94534e262452be4564ea37e1c36b86f744e1957b1
Instruction Fuzzy Hash: 5EB15871A0020ADFDF14DFA8DC99BAA7BB5FB49314F104229FA15E7291DB34E850CB61

Function 00850D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008510F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00851114
Part of subcall function 008510F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00850B9B,?,?,?), ref: 00851120
Part of subcall function 008510F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00850B9B,?,?,?), ref: 0085112F
Part of subcall function 008510F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00850B9B,?,?,?), ref: 00851136
Part of subcall function 008510F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0085114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00850DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00850E29
GetLengthSid.ADVAPI32(?), ref: 00850E40
GetAce.ADVAPI32(?,00000000,?), ref: 00850E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00850E96
GetLengthSid.ADVAPI32(?), ref: 00850EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00850EB5
HeapAlloc.KERNEL32(00000000), ref: 00850EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00850EDD
CopySid.ADVAPI32(00000000), ref: 00850EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00850F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00850F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00850F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00850F6E
HeapFree.KERNEL32(00000000), ref: 00850F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00850F7E
HeapFree.KERNEL32(00000000), ref: 00850F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00850F8E
HeapFree.KERNEL32(00000000), ref: 00850F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00850FA1
HeapFree.KERNEL32(00000000), ref: 00850FA8

Part of subcall function 00851193: GetProcessHeap.KERNEL32(00000008,00850BB1,?,00000000,?,00850BB1,?), ref: 008511A1
Part of subcall function 00851193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00850BB1,?), ref: 008511A8
Part of subcall function 00851193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00850BB1,?), ref: 008511B7

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 4e34f73f38b2524db304a9100207bfbe9c7acdd3e6df712d8dcda2df69e14c6a
Instruction ID: 92af19083ed2c101c0ebcc0945b33fa571cdb36ae85f09f7b615bbe157e75c24
Opcode Fuzzy Hash: 4e34f73f38b2524db304a9100207bfbe9c7acdd3e6df712d8dcda2df69e14c6a
Instruction Fuzzy Hash: D871597290020AABDF209FA8DC49FAEBBB8FF04342F144115F959E6195DB319A09CF70

Function 0087C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0087C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0088CC08,00000000,?,00000000,?,?), ref: 0087C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0087C5A4
_wcslen.LIBCMT ref: 0087C5F4
_wcslen.LIBCMT ref: 0087C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0087C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0087C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0087C84D
RegCloseKey.ADVAPI32(?), ref: 0087C881
RegCloseKey.ADVAPI32(00000000), ref: 0087C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0087C960

Strings

REG_DWORD, xrefs: 0087C804
REG_QWORD, xrefs: 0087C8C3
REG_EXPAND_SZ, xrefs: 0087C5CD
REG_SZ, xrefs: 0087C644
REG_BINARY, xrefs: 0087C913
REG_MULTI_SZ, xrefs: 0087C6F5

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 08f25ba207a54df445af357092bea83e5b02b6a47989125c61facaa97ea040b9
Instruction ID: 05add986b478e6d4c7e91333568f226d897782c5b7013f72ae1cfe8f89bf8b94
Opcode Fuzzy Hash: 08f25ba207a54df445af357092bea83e5b02b6a47989125c61facaa97ea040b9
Instruction Fuzzy Hash: 06126835604205DFC714DF18C885A2AB7E5FF88724F08885CF99A9B3A2DB35ED45CB86

Function 0088091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008809C6
_wcslen.LIBCMT ref: 00880A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00880A54
_wcslen.LIBCMT ref: 00880A8A
_wcslen.LIBCMT ref: 00880B06
_wcslen.LIBCMT ref: 00880B81

Part of subcall function 0080F9F2: _wcslen.LIBCMT ref: 0080F9FD

Part of subcall function 00852BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00852BFA

Strings

EXPAND, xrefs: 00880BF8
GETITEMCOUNT, xrefs: 00880C1E
GETTEXT, xrefs: 00880C97
SELECT, xrefs: 00880D11
GETSELECTED, xrefs: 00880C4E
GETTOTALCOUNT, xrefs: 008809F2, 00880A17
CHECK, xrefs: 00880A85, 00880AA0
UNCHECK, xrefs: 00880D3E
COLLAPSE, xrefs: 00880B01, 00880B1C
ISCHECKED, xrefs: 00880CE1
EXISTS, xrefs: 00880B7C, 00880B97

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 6fbb916befdb49d4ce138900944c951846ed0db20d72f093867bedf3dd9ec74d
Instruction ID: 1bbb04724feb404c640a96fb4ee4ddcd385883d8b9768654b6634f7d562afb3f
Opcode Fuzzy Hash: 6fbb916befdb49d4ce138900944c951846ed0db20d72f093867bedf3dd9ec74d
Instruction Fuzzy Hash: 31E179312083058FC754EF28C45096AB7E2FF98358B14895DF896DB3A2DB31ED49CB82

Function 0087C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0087B6AE,?,?), ref: 0087C9B5
_wcslen.LIBCMT ref: 0087C9F1
_wcslen.LIBCMT ref: 0087CA68
_wcslen.LIBCMT ref: 0087CA9E
_wcslen.LIBCMT ref: 0087CAF9
_wcslen.LIBCMT ref: 0087CB2F
_wcslen.LIBCMT ref: 0087CB7F

Strings

HKCC, xrefs: 0087CBAC
HKLM, xrefs: 0087CA98, 0087CA9D
HKEY_USERS, xrefs: 0087CBDF
HKEY_CURRENT_USER, xrefs: 0087CBBD
HKU, xrefs: 0087CBF0
HKCU, xrefs: 0087CBCE
HKEY_CURRENT_CONFIG, xrefs: 0087CB79, 0087CB7E
HKCR, xrefs: 0087CB29, 0087CB2E
HKEY_CLASSES_ROOT, xrefs: 0087CAF3, 0087CAF8
HKEY_LOCAL_MACHINE, xrefs: 0087CA62, 0087CA67

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 22326f1fd537ec2cb608a9dd2cd2f10d08254e9c8763a92e729a7986c9d5355b
Instruction ID: fc5f009cef1c1a934fc248bc1d21d985597a5d62d16dec5414a52810d4a6a1a6
Opcode Fuzzy Hash: 22326f1fd537ec2cb608a9dd2cd2f10d08254e9c8763a92e729a7986c9d5355b
Instruction Fuzzy Hash: 1271E47260012A8BCB20DE7CCD415FE7395FFA1764B25812CF969E7389EA35CD8483A0

Function 0088833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0088835A
_wcslen.LIBCMT ref: 0088836E
_wcslen.LIBCMT ref: 00888391
_wcslen.LIBCMT ref: 008883B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 008883F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00885BF2), ref: 0088844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00888487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 008884CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00888501
FreeLibrary.KERNEL32(?), ref: 0088850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0088851D
DestroyIcon.USER32(?,?,?,?,?,00885BF2), ref: 0088852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00888549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00888555

Strings

.exe, xrefs: 00888388
.dll, xrefs: 008883AB
.icl, xrefs: 00888368

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: e320620819f0a91d49e6efece2182dff3966b6af2db8e76150723bc7abab6772
Instruction ID: d3f77650564ea9edca94fd611f88ab162cd7928f3f1f5852280bafec83876b34
Opcode Fuzzy Hash: e320620819f0a91d49e6efece2182dff3966b6af2db8e76150723bc7abab6772
Instruction Fuzzy Hash: BE61DD72500219FAEB14EF68DC85BBE77A8FF08B20F504609F815E61D1DB74A990CBA0

Function 007F7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#cs, xrefs: 007F7873, 007F78C5
#OnAutoItStartRegister, xrefs: 007F7817
Unterminated group of comments, xrefs: 0083528C
#include-once, xrefs: 007F782F
', xrefs: 00835169
#requireadmin, xrefs: 007F77FF
#pragma compile, xrefs: 007F77D3
", xrefs: 00835153
#include, xrefs: 007F7847
#ce, xrefs: 007F78ED
#notrayicon, xrefs: 007F77E7
#comments-start, xrefs: 007F785F, 007F78B1
Bad directive syntax error, xrefs: 0083519A
#comments-end, xrefs: 007F78D9
Cannot parse #include, xrefs: 00835279

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 9fc28626f5269bb9afc61fe8c47b126f6eea58c2a6554138df7fd91bcc94e60a
Instruction ID: 1701ea869991dbc668054ad9f1716bc5faccd86ab153dfe0af74d7d4c76725fe
Opcode Fuzzy Hash: 9fc28626f5269bb9afc61fe8c47b126f6eea58c2a6554138df7fd91bcc94e60a
Instruction Fuzzy Hash: 8381D071604209ABDB24BF64CC46FBE77A9FF55340F044024FA05EA296EB78DA51C7E2

Function 00863E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00863EF8
_wcslen.LIBCMT ref: 00863F03
_wcslen.LIBCMT ref: 00863F5A
_wcslen.LIBCMT ref: 00863F98
GetDriveTypeW.KERNEL32(?), ref: 00863FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0086401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00864059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00864087

Strings

close, xrefs: 00863EFE, 00863F18
closed, xrefs: 00863F08, 00863F2D, 00863F46, 00863F7E, 00863F97
wait, xrefs: 00864044
type cdaudio alias cd wait, xrefs: 00864001
open , xrefs: 00863FE5
close cd wait, xrefs: 00864072
set cd door , xrefs: 00864028
open, xrefs: 00863F54, 00863F59

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 96eb0bfd613136df7724da7b8b2624850390497f1f3ef790026d002d6198cc7c
Instruction ID: b35e49097268b611200f37530d17e5a70614e75323d73057753cc07cddf22120
Opcode Fuzzy Hash: 96eb0bfd613136df7724da7b8b2624850390497f1f3ef790026d002d6198cc7c
Instruction Fuzzy Hash: 7271BD326042169FC310EF24C8809AABBE4FF94768F11492DFA95D7361EB35DD49CB52

Function 00855A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00855A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00855A40
SetWindowTextW.USER32(?,?), ref: 00855A57
GetDlgItem.USER32(?,000003EA), ref: 00855A6C
SetWindowTextW.USER32(00000000,?), ref: 00855A72
GetDlgItem.USER32(?,000003E9), ref: 00855A82
SetWindowTextW.USER32(00000000,?), ref: 00855A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00855AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00855AC3
GetWindowRect.USER32(?,?), ref: 00855ACC
_wcslen.LIBCMT ref: 00855B33
SetWindowTextW.USER32(?,?), ref: 00855B6F
GetDesktopWindow.USER32 ref: 00855B75
GetWindowRect.USER32(00000000), ref: 00855B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00855BD3
GetClientRect.USER32(?,?), ref: 00855BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00855C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00855C2F

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 95615847b8280c2313ee8a00ebdc1d028294980b00cc70bcd1eeef1fc690e75b
Instruction ID: 68ce4129c04578e1c620ee79155fe23eddfe472b763c267dc62db8b9cae5a890
Opcode Fuzzy Hash: 95615847b8280c2313ee8a00ebdc1d028294980b00cc70bcd1eeef1fc690e75b
Instruction Fuzzy Hash: 35716F31900B09EFDB20DFA8CE99A6EBBF5FF48715F104528E542E25A0D775E948CB60

Function 0086FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0086FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0086FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0086FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0086FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0086FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0086FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0086FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0086FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0086FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0086FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0086FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0086FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0086FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0086FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0086FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0086FECC
GetCursorInfo.USER32(?), ref: 0086FEDC
GetLastError.KERNEL32 ref: 0086FF1E

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 85e0f099f012e0d8be1a4a620b7f21bbff72c2d09f097f60663bdb86e1602b2f
Instruction ID: 38970586d509fd583b0450dbb7bd71b6165f4304d2efa9fa34249fa0a52af823
Opcode Fuzzy Hash: 85e0f099f012e0d8be1a4a620b7f21bbff72c2d09f097f60663bdb86e1602b2f
Instruction Fuzzy Hash: 7B4121B0D04319AADB10DFBA9C8986EBFE8FF04754B54452AE119E7281DB78E9018F91

Function 008100C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 008100C6

Part of subcall function 008100ED: InitializeCriticalSectionAndSpinCount.KERNEL32(008C070C,00000FA0,938FD52F,?,?,?,?,008323B3,000000FF), ref: 0081011C
Part of subcall function 008100ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,008323B3,000000FF), ref: 00810127
Part of subcall function 008100ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,008323B3,000000FF), ref: 00810138
Part of subcall function 008100ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0081014E
Part of subcall function 008100ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0081015C
Part of subcall function 008100ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0081016A
Part of subcall function 008100ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00810195
Part of subcall function 008100ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 008101A0

___scrt_fastfail.LIBCMT ref: 008100E7

Part of subcall function 008100A3: __onexit.LIBCMT ref: 008100A9

Strings

InitializeConditionVariable, xrefs: 00810148
WakeAllConditionVariable, xrefs: 00810162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00810122
kernel32.dll, xrefs: 00810133
SleepConditionVariableCS, xrefs: 00810154

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 75f8ef2bb439573b462002aff5ec5b262134a365001da9c8920bf02ff7c2a412
Instruction ID: d22b6e80d2f71ecdb8673055cde6c3072a40be21971f9f34bdd04bd294c38546
Opcode Fuzzy Hash: 75f8ef2bb439573b462002aff5ec5b262134a365001da9c8920bf02ff7c2a412
Instruction Fuzzy Hash: 8821D732644710EBD7106B68AC49FAA37E8FF05B51F104139FA11E6792DBB89C808FA1

Function 008530F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0085318D
_wcslen.LIBCMT ref: 008531F8

Strings

CLASSNN, xrefs: 008531F3, 00853204
INSTANCE, xrefs: 00853453
CLASS, xrefs: 00853188, 008531A5
NAME, xrefs: 00853335, 00853346
REGEXPCLASS, xrefs: 00853255, 00853266
TEXT, xrefs: 0085347C

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 50d510e7ea3224cb715bfa2795b296d885d6b016e768131212f0517327cf65ce
Instruction ID: c20cadc63d2a95cc861179d1c91bd2414789e98224259c44bc9f185d702b8bf2
Opcode Fuzzy Hash: 50d510e7ea3224cb715bfa2795b296d885d6b016e768131212f0517327cf65ce
Instruction Fuzzy Hash: 99E1E532A0051AABCB149FB8C4517EDBBB4FF54791F648129E956E7340EB30AE8D8790

Function 008644C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0088CC08), ref: 00864527
_wcslen.LIBCMT ref: 0086453B
_wcslen.LIBCMT ref: 00864599
_wcslen.LIBCMT ref: 008645F4
_wcslen.LIBCMT ref: 0086463F
_wcslen.LIBCMT ref: 008646A7

Part of subcall function 0080F9F2: _wcslen.LIBCMT ref: 0080F9FD

GetDriveTypeW.KERNEL32(?,008B6BF0,00000061), ref: 00864743

Strings

fixed, xrefs: 00864635, 0086463A
unknown, xrefs: 00864708
ramdisk, xrefs: 008646F1
removable, xrefs: 008645EA, 008645EF
all, xrefs: 00864531, 00864536
cdrom, xrefs: 0086458F, 00864594
network, xrefs: 0086469D, 008646A2

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 662ccac8ee74c6be02916ee3b5066a4e2bfde981938a077d8c9946ab3bc12e01
Instruction ID: a50a530487bc69fdf459738df8a7f7bde2d9ca60132ee9125ddca941e9e3e88b
Opcode Fuzzy Hash: 662ccac8ee74c6be02916ee3b5066a4e2bfde981938a077d8c9946ab3bc12e01
Instruction Fuzzy Hash: D8B1FC716083029FC710DF28C890A6EB7E5FFA5724F11691DF696C7291EB34D848CAA2

Function 00873FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0088CC08), ref: 008740BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 008740CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0088CC08), ref: 008740F2
FreeLibrary.KERNEL32(00000000,?,0088CC08), ref: 0087413E
StringFromGUID2.OLE32(?,?,00000028,?,0088CC08), ref: 008741A8
SysFreeString.OLEAUT32(00000009), ref: 00874262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 008742C8
SysFreeString.OLEAUT32(?), ref: 008742F2

Strings

GetModuleHandleExW, xrefs: 008740C7
kernel32.dll, xrefs: 008740B6

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 888ae5987ac13164f5376f8bd12436c928a1b8b1b98815d89f5f637bdfdc2f3f
Instruction ID: 2f0c75d504420ae025ca38e66f8a2abdc152c01e01d7978bf982d23dd204b02f
Opcode Fuzzy Hash: 888ae5987ac13164f5376f8bd12436c928a1b8b1b98815d89f5f637bdfdc2f3f
Instruction Fuzzy Hash: 72123975A00119EFDB14DF94C884EAEB7B9FF45318F248098E919DB265C731ED46CBA0

Function 007F326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(008C1990), ref: 00832F8D
GetMenuItemCount.USER32(008C1990), ref: 0083303D
GetCursorPos.USER32(?), ref: 00833081
SetForegroundWindow.USER32(00000000), ref: 0083308A
TrackPopupMenuEx.USER32(008C1990,00000000,?,00000000,00000000,00000000), ref: 0083309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 008330A9

Strings

0, xrefs: 007F327D

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 49088061818cc7c7fb4387cfab876f3706dc64b208ad89f6e9c27f4c1ae50b5d
Instruction ID: bf4dcc6f3a7eac5bfe632b907f9869d5a39a3e68f49cb4e84ce9e2cd438136c5
Opcode Fuzzy Hash: 49088061818cc7c7fb4387cfab876f3706dc64b208ad89f6e9c27f4c1ae50b5d
Instruction Fuzzy Hash: B4710A30640209BEEB359F68CC49FAABF64FF45364F204216F624E62E1C7B5AD14D791

Function 00886CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00886DEB

Part of subcall function 007F6B57: _wcslen.LIBCMT ref: 007F6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00886E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00886E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00886E94
DestroyWindow.USER32(?), ref: 00886EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,007F0000,00000000), ref: 00886EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00886EFD
GetDesktopWindow.USER32 ref: 00886F16
GetWindowRect.USER32(00000000), ref: 00886F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00886F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00886F4D

Part of subcall function 00809944: GetWindowLongW.USER32(?,000000EB), ref: 00809952

Strings

tooltips_class32, xrefs: 00886E58, 00886EDD
0, xrefs: 00886D98

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 60701d4a4bdbc255ba776b9c1e4a8855ff22f8e3b528f576952718d6e989335d
Instruction ID: 797d659183a1fdfe419d5eaefa97c1f2c2393484e174f206417b81022189d7aa
Opcode Fuzzy Hash: 60701d4a4bdbc255ba776b9c1e4a8855ff22f8e3b528f576952718d6e989335d
Instruction Fuzzy Hash: 27714874104244AFDB21DF18DC48EAABBF9FB99304F54041DFA99C7261EB70E919CB21

Function 0088911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00809BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00809BB2

DragQueryPoint.SHELL32(?,?), ref: 00889147

Part of subcall function 00887674: ClientToScreen.USER32(?,?), ref: 0088769A
Part of subcall function 00887674: GetWindowRect.USER32(?,?), ref: 00887710
Part of subcall function 00887674: PtInRect.USER32(?,?,00888B89), ref: 00887720

SendMessageW.USER32(?,000000B0,?,?), ref: 008891B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 008891BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 008891DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00889225
SendMessageW.USER32(?,000000B0,?,?), ref: 0088923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00889255
SendMessageW.USER32(?,000000B1,?,?), ref: 00889277
DragFinish.SHELL32(?), ref: 0088927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00889371

Strings

@GUI_DRAGFILE, xrefs: 00889320
@GUI_DRAGID, xrefs: 008892E9
@GUI_DROPID, xrefs: 0088929E

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 49e7f9597ec88848a3f1a1803dc78de8b1501ae51d7bd061e7cd0438402dc4d9
Instruction ID: bf66f1995840c894276ba000706dd435b1b28f61bd3b3b97fd5ead860324c73a
Opcode Fuzzy Hash: 49e7f9597ec88848a3f1a1803dc78de8b1501ae51d7bd061e7cd0438402dc4d9
Instruction Fuzzy Hash: B7615C71108305AFC701EF64DC89DAFBBE8FF89750F00092DF695922A1DB749A49CB62

Function 0086C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0086C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0086C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0086C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0086C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0086C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0086C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0086C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0086C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0086C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0086C5F0
InternetCloseHandle.WININET(00000000), ref: 0086C5FB

Strings

, xrefs: 0086C575

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 4f5b6234a3fc161c18c2a40e3723cc988cff5aabf8e66ae0b0b7ba98353f6471
Instruction ID: 09af9ed5b715f5a02cba93aff4fcf43f6c61e57d745797fbc0f4f778fff8d902
Opcode Fuzzy Hash: 4f5b6234a3fc161c18c2a40e3723cc988cff5aabf8e66ae0b0b7ba98353f6471
Instruction Fuzzy Hash: F8514AB1600609BFEB219F68CD88ABB7BBCFF08754F01441AF986D6650DB34E9449B61

Function 0088856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00888592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008885A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008885AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008885BA
GlobalLock.KERNEL32(00000000), ref: 008885C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008885D7
GlobalUnlock.KERNEL32(00000000), ref: 008885E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008885E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008885F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0088FC38,?), ref: 00888611
GlobalFree.KERNEL32(00000000), ref: 00888621
GetObjectW.GDI32(?,00000018,?), ref: 00888641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00888671
DeleteObject.GDI32(?), ref: 00888699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 008886AF

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 62e81f8f5e43605012989d1ce1d2a328c88f4af9ce59cccb015825d726ca99d2
Instruction ID: 519179057b505660408d2bc3fb20af46db8835d83514c587ea7369cf8d2fbea8
Opcode Fuzzy Hash: 62e81f8f5e43605012989d1ce1d2a328c88f4af9ce59cccb015825d726ca99d2
Instruction Fuzzy Hash: 6541FA75600208EFDB11DFA9DC88EAA7BB9FF99B15F104058F919E7261DB30A901DB60

Function 008614BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00861502
VariantCopy.OLEAUT32(?,?), ref: 0086150B
VariantClear.OLEAUT32(?), ref: 00861517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 008615FB
VarR8FromDec.OLEAUT32(?,?), ref: 00861657
VariantInit.OLEAUT32(?), ref: 00861708
SysFreeString.OLEAUT32(?), ref: 0086178C
VariantClear.OLEAUT32(?), ref: 008617D8
VariantClear.OLEAUT32(?), ref: 008617E7
VariantInit.OLEAUT32(00000000), ref: 00861823

Strings

Default, xrefs: 008616AF
%4d%02d%02d%02d%02d%02d, xrefs: 00861625

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 9633cebe75b96e011dd73c55966d6fbf36ce2f710b81ce091e637fd5e50370d4
Instruction ID: 455a19bc847a65e465a7e6404ad8e969171b4433b1b48960aebdb90f463db196
Opcode Fuzzy Hash: 9633cebe75b96e011dd73c55966d6fbf36ce2f710b81ce091e637fd5e50370d4
Instruction Fuzzy Hash: 48D1DE31A00219DBDF109F69D88DB79F7B5FF44704F1A8056E906EB686EB34E840DB62

Function 0087B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 007F9CB3: _wcslen.LIBCMT ref: 007F9CBD

Part of subcall function 0087C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0087B6AE,?,?), ref: 0087C9B5
Part of subcall function 0087C998: _wcslen.LIBCMT ref: 0087C9F1
Part of subcall function 0087C998: _wcslen.LIBCMT ref: 0087CA68
Part of subcall function 0087C998: _wcslen.LIBCMT ref: 0087CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0087B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0087B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0087B80A
RegCloseKey.ADVAPI32(?), ref: 0087B87E
RegCloseKey.ADVAPI32(?), ref: 0087B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0087B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0087B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0087B922
FreeLibrary.KERNEL32(00000000), ref: 0087B983
RegCloseKey.ADVAPI32(00000000), ref: 0087B994

Strings

RegDeleteKeyExW, xrefs: 0087B8FE
advapi32.dll, xrefs: 0087B8ED

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: b2f4a5d562e38ee04404c2c4390d3c53dc9e55aea7e98a80e12654aed7373d04
Instruction ID: 621b5a4ee0b0b03c43c93c2ee33d575bf05db70eab5e7896365b03aae7558491
Opcode Fuzzy Hash: b2f4a5d562e38ee04404c2c4390d3c53dc9e55aea7e98a80e12654aed7373d04
Instruction Fuzzy Hash: 05C16B31204205EFD714DF14C498B2ABBE6FF84358F14845CE6AA8B3A2CB75E845CB92

Function 0087255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 008725D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 008725E8
CreateCompatibleDC.GDI32(?), ref: 008725F4
SelectObject.GDI32(00000000,?), ref: 00872601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0087266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 008726AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 008726D0
SelectObject.GDI32(?,?), ref: 008726D8
DeleteObject.GDI32(?), ref: 008726E1
DeleteDC.GDI32(?), ref: 008726E8
ReleaseDC.USER32(00000000,?), ref: 008726F3

Strings

(, xrefs: 0087268D

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 40438cb22bb284a3bd85ef863276afda72ea0a7f6b3da28a622412db24ba7054
Instruction ID: 0dbf23a0edde6148d71d084b20995b2a139edf8f8ec7ce9e284b7cf5273c1b3c
Opcode Fuzzy Hash: 40438cb22bb284a3bd85ef863276afda72ea0a7f6b3da28a622412db24ba7054
Instruction Fuzzy Hash: 9561D475D00219EFCF14CFA8D884AAEBBB5FF58310F20852AE559E7254E770A951CF60

Function 0082DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0082DAA1

Part of subcall function 0082D63C: _free.LIBCMT ref: 0082D659
Part of subcall function 0082D63C: _free.LIBCMT ref: 0082D66B
Part of subcall function 0082D63C: _free.LIBCMT ref: 0082D67D
Part of subcall function 0082D63C: _free.LIBCMT ref: 0082D68F
Part of subcall function 0082D63C: _free.LIBCMT ref: 0082D6A1
Part of subcall function 0082D63C: _free.LIBCMT ref: 0082D6B3
Part of subcall function 0082D63C: _free.LIBCMT ref: 0082D6C5
Part of subcall function 0082D63C: _free.LIBCMT ref: 0082D6D7
Part of subcall function 0082D63C: _free.LIBCMT ref: 0082D6E9
Part of subcall function 0082D63C: _free.LIBCMT ref: 0082D6FB
Part of subcall function 0082D63C: _free.LIBCMT ref: 0082D70D
Part of subcall function 0082D63C: _free.LIBCMT ref: 0082D71F
Part of subcall function 0082D63C: _free.LIBCMT ref: 0082D731

_free.LIBCMT ref: 0082DA96

Part of subcall function 008229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0082D7D1,00000000,00000000,00000000,00000000,?,0082D7F8,00000000,00000007,00000000,?,0082DBF5,00000000), ref: 008229DE
Part of subcall function 008229C8: GetLastError.KERNEL32(00000000,?,0082D7D1,00000000,00000000,00000000,00000000,?,0082D7F8,00000000,00000007,00000000,?,0082DBF5,00000000,00000000), ref: 008229F0

_free.LIBCMT ref: 0082DAB8
_free.LIBCMT ref: 0082DACD
_free.LIBCMT ref: 0082DAD8
_free.LIBCMT ref: 0082DAFA
_free.LIBCMT ref: 0082DB0D
_free.LIBCMT ref: 0082DB1B
_free.LIBCMT ref: 0082DB26
_free.LIBCMT ref: 0082DB5E
_free.LIBCMT ref: 0082DB65
_free.LIBCMT ref: 0082DB82
_free.LIBCMT ref: 0082DB9A

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: c3a2132d90423058956dea07a0ea6474bd70c90b11b420f691b3eb8d16727011
Instruction ID: 4555ae4d8c9950e30cc680d4a709db19a1b42aba6d7f22aedbf8d55863b3bd49
Opcode Fuzzy Hash: c3a2132d90423058956dea07a0ea6474bd70c90b11b420f691b3eb8d16727011
Instruction Fuzzy Hash: 83314832604325AFEB21AB39F845F5ABFE9FF04321F554429E849D7191DA31ACC08B61

Function 0085365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0085369C
_wcslen.LIBCMT ref: 008536A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00853797
GetClassNameW.USER32(?,?,00000400), ref: 0085380C
GetDlgCtrlID.USER32(?), ref: 0085385D
GetWindowRect.USER32(?,?), ref: 00853882
GetParent.USER32(?), ref: 008538A0
ScreenToClient.USER32(00000000), ref: 008538A7
GetClassNameW.USER32(?,?,00000100), ref: 00853921
GetWindowTextW.USER32(?,?,00000400), ref: 0085395D

Strings

%s%u, xrefs: 00853734

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: bdccf644d6c0e298cfbff148dfab5d80b86010267c3adfaeb66281673a08f711
Instruction ID: dba40fe37c0a91700412fb777a44c49d36ae9b3ab2ec80d876daf1f0fd09f751
Opcode Fuzzy Hash: bdccf644d6c0e298cfbff148dfab5d80b86010267c3adfaeb66281673a08f711
Instruction Fuzzy Hash: 8A91B5B1204606AFD719DF24C885BEAF7E8FF45391F004529FD99D2190EB30EA59CBA1

Function 00854954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00854994
GetWindowTextW.USER32(?,?,00000400), ref: 008549DA
_wcslen.LIBCMT ref: 008549EB
CharUpperBuffW.USER32(?,00000000), ref: 008549F7
_wcsstr.LIBVCRUNTIME ref: 00854A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00854A64
GetWindowTextW.USER32(?,?,00000400), ref: 00854A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00854AE6
GetClassNameW.USER32(?,?,00000400), ref: 00854B20
GetWindowRect.USER32(?,?), ref: 00854B8B

Strings

ThumbnailClass, xrefs: 00854A6F, 00854AF1

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: f415a4a60374996e1b0bd09c17647e50c4613efac41e8b8d53ec32174eb79584
Instruction ID: 91bd31442ceeee4f5c9025b6df68b110ce34b4e24b73ab7a8cc8cc9b0a9f01ab
Opcode Fuzzy Hash: f415a4a60374996e1b0bd09c17647e50c4613efac41e8b8d53ec32174eb79584
Instruction Fuzzy Hash: 3191F3710042059FDB04CF58C985FAA77E8FF8431AF049469FD85DA196EB34ED89CBA2

Function 00888D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00809BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00809BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00888D5A
GetFocus.USER32 ref: 00888D6A
GetDlgCtrlID.USER32(00000000), ref: 00888D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00888E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00888ECF
GetMenuItemCount.USER32(?), ref: 00888EEC
GetMenuItemID.USER32(?,00000000), ref: 00888EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00888F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00888F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00888FA1

Strings

0, xrefs: 00888E9F

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 65f105563573424d2adc839b475d006bc63befbf524ba2fd8bf955588fff64b6
Instruction ID: 33ec80a12cb485466dbfcf78ae6a3e98ecf18ca8e97a8c8f5a41d424c8caeda3
Opcode Fuzzy Hash: 65f105563573424d2adc839b475d006bc63befbf524ba2fd8bf955588fff64b6
Instruction Fuzzy Hash: 30819F71508305DFDB10EF18D884AABBBE9FF88754F540929FA85D7292DB30D904CB62

Function 0085BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(008C1990,000000FF,00000000,00000030), ref: 0085BFAC
SetMenuItemInfoW.USER32(008C1990,00000004,00000000,00000030), ref: 0085BFE1
Sleep.KERNEL32(000001F4), ref: 0085BFF3
GetMenuItemCount.USER32(?), ref: 0085C039
GetMenuItemID.USER32(?,00000000), ref: 0085C056
GetMenuItemID.USER32(?,-00000001), ref: 0085C082
GetMenuItemID.USER32(?,?), ref: 0085C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0085C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0085C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0085C145

Strings

0, xrefs: 0085BF3D

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 621368792dad1d5b852ed8533738624e0bdc4fe32ecb3b84ad822d3bfe4f4b5e
Instruction ID: 1f7ea92cd1c3e6cac4ef8995d107b0ef3902d8bb7f3d2cc089ea4e6f9b1e283c
Opcode Fuzzy Hash: 621368792dad1d5b852ed8533738624e0bdc4fe32ecb3b84ad822d3bfe4f4b5e
Instruction Fuzzy Hash: 58615C7090074AAFDF11CF68D988AAEBBB9FB0534AF000055ED11E3292DB75AD48CF61

Function 0085DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0085DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0085DC46
_wcslen.LIBCMT ref: 0085DC50
_wcsstr.LIBVCRUNTIME ref: 0085DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0085DCBC

Strings

DefaultLangCodepage, xrefs: 0085DD1F
\VarFileInfo\Translation, xrefs: 0085DCB4
%u.%u.%u.%u, xrefs: 0085DD9A
StringFileInfo\, xrefs: 0085DC8F
04090000, xrefs: 0085DCF2

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: ac1c38b04d8d6ec68a8af040a18841144540264165a7446a94e4022ef5200baf
Instruction ID: c1af7b45767fa9b4225fd1d601f33177c4f806d651950ad65544daa0ddbb0ab3
Opcode Fuzzy Hash: ac1c38b04d8d6ec68a8af040a18841144540264165a7446a94e4022ef5200baf
Instruction Fuzzy Hash: DB41F3329403057BDB20A669DC07EFF776CFF45761F104069FE04E6292EA78AA4187B6

Function 0087CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0087CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0087CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0087CD48

Part of subcall function 0087CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0087CCAA
Part of subcall function 0087CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0087CCBD
Part of subcall function 0087CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0087CCCF
Part of subcall function 0087CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0087CD05
Part of subcall function 0087CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0087CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0087CCF3

Strings

RegDeleteKeyExW, xrefs: 0087CCC9
advapi32.dll, xrefs: 0087CCB8

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 29c21ceda71371c1436a7f64c4ca72d92a692ffbcfe11e380341b2fbe7a1d41e
Instruction ID: 815e5ca60390422c65d868c37d5d11f59a2433d8e730de260ca1cb11b2bb9426
Opcode Fuzzy Hash: 29c21ceda71371c1436a7f64c4ca72d92a692ffbcfe11e380341b2fbe7a1d41e
Instruction Fuzzy Hash: 44318C71901128BBDB218B54DC88EFFBF7CFF45740F004169A90AE3258DA349E459BB0

Function 00863D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00863D40
_wcslen.LIBCMT ref: 00863D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00863D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00863DBE
RemoveDirectoryW.KERNEL32(?), ref: 00863DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00863E55
CloseHandle.KERNEL32(00000000), ref: 00863E60
CloseHandle.KERNEL32(00000000), ref: 00863E6B

Strings

\, xrefs: 00863D77
\??\%s, xrefs: 00863D5B
:, xrefs: 00863D82

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 5e98c4e6660e128f711c9964063d46efb5a4932f911955a3912945dae4901575
Instruction ID: 697e35362e488b2d5cee5ec129158a052a7909ec29fb43a374a94828791cffeb
Opcode Fuzzy Hash: 5e98c4e6660e128f711c9964063d46efb5a4932f911955a3912945dae4901575
Instruction Fuzzy Hash: 4E31AF72900209ABDB219BA4DC49FEF77BCFF88700F1140A5F619D61A4EB7497848B24

Function 0085E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0085E6B4

Part of subcall function 0080E551: timeGetTime.WINMM(?,?,0085E6D4), ref: 0080E555

Sleep.KERNEL32(0000000A), ref: 0085E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0085E705
FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 0085E727
SetActiveWindow.USER32 ref: 0085E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0085E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0085E773
Sleep.KERNEL32(000000FA), ref: 0085E77E
IsWindow.USER32 ref: 0085E78A
EndDialog.USER32(00000000), ref: 0085E79B

Strings

BUTTON, xrefs: 0085E719

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 0851bee4333f2b3eec1b0018a80a504050f004c93dc2fef934edc9cddbf9a838
Instruction ID: f81961847d37e49383623b0346cc1fadb95ca10a1763ae813d49489d8b307897
Opcode Fuzzy Hash: 0851bee4333f2b3eec1b0018a80a504050f004c93dc2fef934edc9cddbf9a838
Instruction Fuzzy Hash: 1A2181B0200245AFEB159F68ECC9E263B79FB6538AF100425F855C12E5DF75AD08DB35

Function 0085E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 007F9CB3: _wcslen.LIBCMT ref: 007F9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0085EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0085EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0085EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0085EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0085EAA7

Strings

open , xrefs: 0085EA0C
play PlayMe, xrefs: 0085EAA2
close PlayMe, xrefs: 0085EA6E, 0085EA9B
status PlayMe mode, xrefs: 0085EA58
play PlayMe wait, xrefs: 0085EA91
alias PlayMe, xrefs: 0085EA36

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: edf20fef74283aad55c820381873bda29406920dd5e96a7b2f0a2d7799886169
Instruction ID: 700ca87edb254bff75cdff5589315739ed8404f136aef88c933566295fb2e757
Opcode Fuzzy Hash: edf20fef74283aad55c820381873bda29406920dd5e96a7b2f0a2d7799886169
Instruction Fuzzy Hash: BB114F31A5022DB9D725E7A5DC4AEFF6A7CFFD1B40F000429B911E22D1EAB81A59C5B0

Function 00859F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0085A012
SetKeyboardState.USER32(?), ref: 0085A07D
GetAsyncKeyState.USER32(000000A0), ref: 0085A09D
GetKeyState.USER32(000000A0), ref: 0085A0B4
GetAsyncKeyState.USER32(000000A1), ref: 0085A0E3
GetKeyState.USER32(000000A1), ref: 0085A0F4
GetAsyncKeyState.USER32(00000011), ref: 0085A120
GetKeyState.USER32(00000011), ref: 0085A12E
GetAsyncKeyState.USER32(00000012), ref: 0085A157
GetKeyState.USER32(00000012), ref: 0085A165
GetAsyncKeyState.USER32(0000005B), ref: 0085A18E
GetKeyState.USER32(0000005B), ref: 0085A19C

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: caa953b6bdc893d604d0c88b62b1694db35af10ab0cbbc3ca122bb26fdd7c3c1
Instruction ID: 519a4cc8785c52c7f8886b9ba9af85bc2a73770ff5bcef3b9c7925410b782f11
Opcode Fuzzy Hash: caa953b6bdc893d604d0c88b62b1694db35af10ab0cbbc3ca122bb26fdd7c3c1
Instruction Fuzzy Hash: C151D930544B8869FB39DB6484507EABFB5FF11381F084699DDC2D71C2DA649A4CC763

Function 00855CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00855CE2
GetWindowRect.USER32(00000000,?), ref: 00855CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00855D59
GetDlgItem.USER32(?,00000002), ref: 00855D69
GetWindowRect.USER32(00000000,?), ref: 00855D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00855DCF
GetDlgItem.USER32(?,000003E9), ref: 00855DDD
GetWindowRect.USER32(00000000,?), ref: 00855DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00855E31
GetDlgItem.USER32(?,000003EA), ref: 00855E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00855E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00855E67

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 5e530749bb0202fb841718ff74cf2f1ff70076efe13c057ca20cd628aee1d532
Instruction ID: e61f3bb10832893ef3f76d49c77e1fba66d3ff661f8b9c07e92e1b09aeac6570
Opcode Fuzzy Hash: 5e530749bb0202fb841718ff74cf2f1ff70076efe13c057ca20cd628aee1d532
Instruction Fuzzy Hash: EA510C71A00609AFDF18CF68DD99AAEBBB5FF48301F548129F915E6294D770AE04CB60

Function 00808BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00808F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00808BE8,?,00000000,?,?,?,?,00808BBA,00000000,?), ref: 00808FC5

DestroyWindow.USER32(?), ref: 00808C81
KillTimer.USER32(00000000,?,?,?,?,00808BBA,00000000,?), ref: 00808D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00846973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00808BBA,00000000,?), ref: 008469A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00808BBA,00000000,?), ref: 008469B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00808BBA,00000000), ref: 008469D4
DeleteObject.GDI32(00000000), ref: 008469E6

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 850754cbe3bc335f478e94d64bf36f79cf90cb99c7db89c323240ce306429ac7
Instruction ID: 6355359e763cab7e1503273113c2d671d0f196337fbb30a936cf2a4e48429da6
Opcode Fuzzy Hash: 850754cbe3bc335f478e94d64bf36f79cf90cb99c7db89c323240ce306429ac7
Instruction Fuzzy Hash: B3619C30102A14DFEBA5DF28DD88B25BBF1FB52316F504518E082D7AA0CB71A9E4DF61

Function 00809838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00809944: GetWindowLongW.USER32(?,000000EB), ref: 00809952

GetSysColor.USER32(0000000F), ref: 00809862

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 85dc4a3e42b334fc141dae3c6dae1e81437ff4faeaf18f1dc0a0ac2411fff945
Instruction ID: fd7734fbbaf4e5adca244c2b1895c2642719d71716adbac1d225be74e709a219
Opcode Fuzzy Hash: 85dc4a3e42b334fc141dae3c6dae1e81437ff4faeaf18f1dc0a0ac2411fff945
Instruction Fuzzy Hash: FD417E71104644AFDB205F389C88BB93BA5FB46320F148665E9E2CB2E7D7319841DB21

Function 008596E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0083F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00859717
LoadStringW.USER32(00000000,?,0083F7F8,00000001), ref: 00859720

Part of subcall function 007F9CB3: _wcslen.LIBCMT ref: 007F9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0083F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00859742
LoadStringW.USER32(00000000,?,0083F7F8,00000001), ref: 00859745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00859866

Strings

^ ERROR, xrefs: 008597FB
Line %d (File "%s"):, xrefs: 0085978F
%s (%d) : ==> %s: %s %s, xrefs: 0085984A
Line %d:, xrefs: 008597A0
Error: , xrefs: 0085981D

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 6be17f24ee3bb1c42465d6bff2be204f90138392f40057f4fb543c87328a54a8
Instruction ID: e0793f5e7cca950dd2a583fc141ea5e9fba84c8625f12e77216cb0d61fabfab7
Opcode Fuzzy Hash: 6be17f24ee3bb1c42465d6bff2be204f90138392f40057f4fb543c87328a54a8
Instruction Fuzzy Hash: 16410B7280021DEACB05EBA4DD4AEFEB778FF14341F500065F605B2292EA396F48CB61

Function 008506DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 007F6B57: _wcslen.LIBCMT ref: 007F6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 008507A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 008507BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 008507DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00850804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0085082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00850837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0085083C

Strings

\CLSID, xrefs: 00850724
\IPC$, xrefs: 00850784
SOFTWARE\Classes\, xrefs: 0085070E

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: e06ac24b410ccabf4b838ee1ad68c88c0f09d6a43daa7b4618d492189f9e5b38
Instruction ID: bc40b6d302870e109bae2bba1804d70ecac03bb233efe8c485aaffb660d17690
Opcode Fuzzy Hash: e06ac24b410ccabf4b838ee1ad68c88c0f09d6a43daa7b4618d492189f9e5b38
Instruction Fuzzy Hash: 7441E672C1022DEADF11EBA4DC89DEDB778FF08390B144129E915A2261EB745E04CBA0

Function 00883F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0088403B
CreateCompatibleDC.GDI32(00000000), ref: 00884042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00884055
SelectObject.GDI32(00000000,00000000), ref: 0088405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00884068
DeleteDC.GDI32(00000000), ref: 00884072
GetWindowLongW.USER32(?,000000EC), ref: 0088407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00884092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 0088409E

Strings

static, xrefs: 00883FD3

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 31e033f05afb8ee774c711828d4d42d208ffa7c11b36a7cefb9ff60e11fb191c
Instruction ID: abb475ff489b30f28edd779a177dda9a57074262817833e740750915c92dc2fc
Opcode Fuzzy Hash: 31e033f05afb8ee774c711828d4d42d208ffa7c11b36a7cefb9ff60e11fb191c
Instruction Fuzzy Hash: 3D315A32501219ABDF21AFA8DC49FDA3BA9FF0D724F110215FA15E61A0DB75D820DBA0

Function 00873C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00873C5C
CoInitialize.OLE32(00000000), ref: 00873C8A
CoUninitialize.OLE32 ref: 00873C94
_wcslen.LIBCMT ref: 00873D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00873DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00873ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00873F0E
CoGetObject.OLE32(?,00000000,0088FB98,?), ref: 00873F2D
SetErrorMode.KERNEL32(00000000), ref: 00873F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00873FC4
VariantClear.OLEAUT32(?), ref: 00873FD8

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: e7f24de1137e21dc77c89de3c93ae3812d72c3e67dc95c8fb19502f45bb897cc
Instruction ID: 38d42eac1dc35aa0f773cf09d18227dd650fbab871af3a7cd617485ce3a38a3c
Opcode Fuzzy Hash: e7f24de1137e21dc77c89de3c93ae3812d72c3e67dc95c8fb19502f45bb897cc
Instruction Fuzzy Hash: 05C13471608205AFC710DF68C88492BBBE9FF89748F10891DF98ADB211DB31EE05DB52

Function 00867A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00867AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00867B8F
SHGetDesktopFolder.SHELL32(?), ref: 00867BA3
CoCreateInstance.OLE32(0088FD08,00000000,00000001,008B6E6C,?), ref: 00867BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00867C74
CoTaskMemFree.OLE32(?,?), ref: 00867CCC
SHBrowseForFolderW.SHELL32(?), ref: 00867D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00867D7A
CoTaskMemFree.OLE32(00000000), ref: 00867D81
CoTaskMemFree.OLE32(00000000), ref: 00867DD6
CoUninitialize.OLE32 ref: 00867DDC

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 346c2b3efd39e43173a47db8db002d4bc1c6a0f8a1acd5199ee5708343cd96e5
Instruction ID: d63c2f141d16c26a434a50bc34dc2601ee6c9b6f18dbb2cf77b7a06f1b3f11b4
Opcode Fuzzy Hash: 346c2b3efd39e43173a47db8db002d4bc1c6a0f8a1acd5199ee5708343cd96e5
Instruction Fuzzy Hash: BCC11975A04109EFCB14DFA4C888DAEBBB9FF48318B1584A8E919DB361D734ED45CB90

Function 0088541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00885504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00885515
CharNextW.USER32(00000158), ref: 00885544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00885585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0088559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008855AC

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 41ba55416e775d037b5186bf58fc4ff6a4b441ec3fb4ddb009727f3c30c8d434
Instruction ID: 3ae97a4d727f349c0ca5551e16950ec00bb742219e9d64e4dcf2a03522c6e181
Opcode Fuzzy Hash: 41ba55416e775d037b5186bf58fc4ff6a4b441ec3fb4ddb009727f3c30c8d434
Instruction Fuzzy Hash: D7618A74904608EBDF10EF94CC84AFE7BB9FF09725F108159F925EA2A1D7748A80DB61

Function 0084FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0084FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0084FB08
VariantInit.OLEAUT32(?), ref: 0084FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0084FB3A
VariantCopy.OLEAUT32(?,?), ref: 0084FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0084FBA1
VariantClear.OLEAUT32(?), ref: 0084FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0084FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0084FBCC
VariantClear.OLEAUT32(?), ref: 0084FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0084FBE9

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 5e4962cfc5a95f378150b9ad82656d940c5a28088300176e9058ad583d4a98da
Instruction ID: 5204eef062ffbe62850cec248fc8305c371fe1fd0028cfb65de2f9eb3eac1810
Opcode Fuzzy Hash: 5e4962cfc5a95f378150b9ad82656d940c5a28088300176e9058ad583d4a98da
Instruction Fuzzy Hash: 1B413E75A0021DDFCB00DF68D8589AEBBB9FF48354F008069E955E7262CB34A945CFA1

Function 00859C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00859CA1
GetAsyncKeyState.USER32(000000A0), ref: 00859D22
GetKeyState.USER32(000000A0), ref: 00859D3D
GetAsyncKeyState.USER32(000000A1), ref: 00859D57
GetKeyState.USER32(000000A1), ref: 00859D6C
GetAsyncKeyState.USER32(00000011), ref: 00859D84
GetKeyState.USER32(00000011), ref: 00859D96
GetAsyncKeyState.USER32(00000012), ref: 00859DAE
GetKeyState.USER32(00000012), ref: 00859DC0
GetAsyncKeyState.USER32(0000005B), ref: 00859DD8
GetKeyState.USER32(0000005B), ref: 00859DEA

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: b5b3893d2e990953ae3e05ef33ce4740a01f9f97b8d9520488fb069b195dc196
Instruction ID: 9708a4bad6af92d5727697def5915bfe372d65f99ffd1aab44707ae392e2a194
Opcode Fuzzy Hash: b5b3893d2e990953ae3e05ef33ce4740a01f9f97b8d9520488fb069b195dc196
Instruction Fuzzy Hash: E34195345047C9ADFF31966488143A5BEB0FF11346F08809ADEC6965C2EBA59DCCC7A2

Function 0087055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 008705BC
inet_addr.WSOCK32(?), ref: 0087061C
gethostbyname.WSOCK32(?), ref: 00870628
IcmpCreateFile.IPHLPAPI ref: 00870636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 008706C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 008706E5
IcmpCloseHandle.IPHLPAPI(?), ref: 008707B9
WSACleanup.WSOCK32 ref: 008707BF

Strings

Ping, xrefs: 00870676

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: cb14b886348a7a8b5770c16252aee9d13d95bbd48a69881b00365ede987d8ebe
Instruction ID: e78a93c26d575334b97a884469ab3ce270175e02a73b33bc6d5b186ae2352d7e
Opcode Fuzzy Hash: cb14b886348a7a8b5770c16252aee9d13d95bbd48a69881b00365ede987d8ebe
Instruction Fuzzy Hash: 64915635608201DFD324DF19C888B2ABBE0FB88358F14C5A9E569DB6A6C735ED41CF91

Function 00878CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00878CF3

Part of subcall function 00858E54: _wcslen.LIBCMT ref: 00858E77

_wcslen.LIBCMT ref: 00878D4E
_wcslen.LIBCMT ref: 00878D9C
_wcslen.LIBCMT ref: 00878DDC
_wcslen.LIBCMT ref: 00878E6E

Strings

cdecl, xrefs: 00878D48, 00878D4D
none, xrefs: 00878E65, 00878E6A
stdcall, xrefs: 00878DD6, 00878DDB
winapi, xrefs: 00878D96, 00878D9B

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 49413cd41dc4794ccfdde7ce80e91f80ea84e2c2cc5b59c3dfa7d5ed5a74f6e7
Instruction ID: a7383577b1d7500da3fa1ee4a1782ce1cff85b91eb743c93df9eb086dfcfab9d
Opcode Fuzzy Hash: 49413cd41dc4794ccfdde7ce80e91f80ea84e2c2cc5b59c3dfa7d5ed5a74f6e7
Instruction Fuzzy Hash: 4751A432A4451ADBCB24DF6CC9449BEB7A5FF64314B208229E529E73C8DB34DD40C790

Function 0087372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00873774
CoUninitialize.OLE32 ref: 0087377F
CoCreateInstance.OLE32(?,00000000,00000017,0088FB78,?), ref: 008737D9
IIDFromString.OLE32(?,?), ref: 0087384C
VariantInit.OLEAUT32(?), ref: 008738E4
VariantClear.OLEAUT32(?), ref: 00873936

Strings

Failed to create object, xrefs: 008737E4, 0087389A
NULL Pointer assignment, xrefs: 0087381E
Invalid parameter, xrefs: 00873865

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 0d5c6f270fcdefc9679ac487421f04cd42cf68ba6945e68f4e9c98bc24be6f7f
Instruction ID: 85ca79cea70356bba95e472ca29e21833925b3c885bf3a88b685d6a28d7ed2b7
Opcode Fuzzy Hash: 0d5c6f270fcdefc9679ac487421f04cd42cf68ba6945e68f4e9c98bc24be6f7f
Instruction Fuzzy Hash: 6F617A70608301AFD310DF58C889B6ABBE4FF49754F108829F999DB295D770EA48DB93

Function 00863388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 008633CF

Part of subcall function 007F9CB3: _wcslen.LIBCMT ref: 007F9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 008633F0

Strings

Incorrect parameters to object property !, xrefs: 008634AB
"%s" (%d) : ==> %s:%s%s, xrefs: 00863504
Line %d (File "%s"):, xrefs: 00863443, 0086345C
^ ERROR , xrefs: 0086349E
"%s" (%d) : ==> %s:, xrefs: 00863522
Error: , xrefs: 008634D1

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 51611dec0ca34315e8f6d5f3bda44a0aa8619cbfc322939056d3c4c1f7a993a5
Instruction ID: b1b193cb98d2ea803e2af0e8816532a2d627353336562541ea6748d7521996a6
Opcode Fuzzy Hash: 51611dec0ca34315e8f6d5f3bda44a0aa8619cbfc322939056d3c4c1f7a993a5
Instruction Fuzzy Hash: D0515B71900219EADF15EBA4CD4AEEEB778FF14344F104065F605B2292EB396F58CB61

Function 0085B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0085B5FC
_wcslen.LIBCMT ref: 0085B608
_wcslen.LIBCMT ref: 0085B64D
_wcslen.LIBCMT ref: 0085B68C
_wcslen.LIBCMT ref: 0085B6C7

Strings

APPEND, xrefs: 0085B6C1, 0085B6C6
REMOVE, xrefs: 0085B602, 0085B607
KEYS, xrefs: 0085B647, 0085B64C
EXISTS, xrefs: 0085B686, 0085B68B

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: e5beb502215acb9770c48057e482fb1850bf089466501d5ce6ef4fc752c34a43
Instruction ID: 267e6dc664c03426b88740e2c38c23c517bc3f01e5776e7b982dde2f0838572b
Opcode Fuzzy Hash: e5beb502215acb9770c48057e482fb1850bf089466501d5ce6ef4fc752c34a43
Instruction Fuzzy Hash: C741A532A001269BCB205F7D88915BEBBE5FF70755B244229ED25D7284F735CD89C790

Function 00865393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008653A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00865416
GetLastError.KERNEL32 ref: 00865420
SetErrorMode.KERNEL32(00000000,READY), ref: 008654A7

Strings

READY, xrefs: 00865460, 00865468
NOTREADY, xrefs: 0086544B
UNKNOWN, xrefs: 00865444
READONLY, xrefs: 00865452
INVALID, xrefs: 00865459

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: a991a2b238a0b81a1565596b164aefc4d850541ad5f3608a8371c211db98bcad
Instruction ID: 79f4d683aafc484c6a9a75fd76ec16e2f6477c7800a911ee377eb16e22ac97fb
Opcode Fuzzy Hash: a991a2b238a0b81a1565596b164aefc4d850541ad5f3608a8371c211db98bcad
Instruction Fuzzy Hash: E431B2B5A00608DFC710DF68C489EAABBB4FF04305F1580A5E505DB392EB75DD86CBA0

Function 00883C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00883C79
SetMenu.USER32(?,00000000), ref: 00883C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00883D10
IsMenu.USER32(?), ref: 00883D24
CreatePopupMenu.USER32 ref: 00883D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00883D5B
DrawMenuBar.USER32 ref: 00883D63

Strings

0, xrefs: 00883C54
F, xrefs: 00883D4E

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: b653c6d6b1cb9b1bb8e5a0462273ce0183aa49e67a1950d074848735da4e55fa
Instruction ID: 0aff694d520c0090c4cf5559822a63d6a6fb972037295978471378ed3e7c630b
Opcode Fuzzy Hash: b653c6d6b1cb9b1bb8e5a0462273ce0183aa49e67a1950d074848735da4e55fa
Instruction Fuzzy Hash: C2414875A01209EFDF14DF64E884EAABBB5FF49750F144029E946E7360D730AA10CBA4

Function 00851EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007F9CB3: _wcslen.LIBCMT ref: 007F9CBD

Part of subcall function 00853CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00853CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00851F64
GetDlgCtrlID.USER32 ref: 00851F6F
GetParent.USER32 ref: 00851F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00851F8E
GetDlgCtrlID.USER32(?), ref: 00851F97
GetParent.USER32(?), ref: 00851FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00851FAE

Strings

ComboBox, xrefs: 00851EEC
ListBox, xrefs: 00851F21

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: ebc8cbdb8d2904e379d8ad701c8d2712d4d99b373bcb41fc9e5a8b853e7e90da
Instruction ID: dca82d23e107e58a8f829f59fb399f19db14dda1a9c63615b810f29d2557976f
Opcode Fuzzy Hash: ebc8cbdb8d2904e379d8ad701c8d2712d4d99b373bcb41fc9e5a8b853e7e90da
Instruction Fuzzy Hash: 6621B370A00118BBCF04EFA4DC49AFEBBB4FF15350B000119FA61A7291DB395908DB70

Function 00851FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007F9CB3: _wcslen.LIBCMT ref: 007F9CBD

Part of subcall function 00853CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00853CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00852043
GetDlgCtrlID.USER32 ref: 0085204E
GetParent.USER32 ref: 0085206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0085206D
GetDlgCtrlID.USER32(?), ref: 00852076
GetParent.USER32(?), ref: 0085208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0085208D

Strings

ComboBox, xrefs: 00851FCD
ListBox, xrefs: 00852002

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 513c6ccc9e7d0d0be3bba67925d8cfc1814f457327497cb72e4773cea5edb1db
Instruction ID: ea11497196d72ceef89e06c29c84bb9b987859941963f2ea861b66bab3d7562d
Opcode Fuzzy Hash: 513c6ccc9e7d0d0be3bba67925d8cfc1814f457327497cb72e4773cea5edb1db
Instruction Fuzzy Hash: 76218E75900218BBCF10AFA4DC89AFEBBB9FF15340F004015BA51A72A5DA795918DB70

Function 00883A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00883A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00883AA0
GetWindowLongW.USER32(?,000000F0), ref: 00883AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00883AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00883B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00883BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00883BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00883BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00883BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00883C13

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 1f0f1a98951297173389ae10f9183a1ba7887e64292247d485f64a0eade6b64f
Instruction ID: 93feda79609e9977004dc6f59acdb698865646644f262b39c1b4b63b919c6b7d
Opcode Fuzzy Hash: 1f0f1a98951297173389ae10f9183a1ba7887e64292247d485f64a0eade6b64f
Instruction Fuzzy Hash: 476159B5900248AFDB11EFA8CC85EEE77B8FB09710F100199FA15E72A2D774AA45DB50

Function 00822C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00822C94

Part of subcall function 008229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0082D7D1,00000000,00000000,00000000,00000000,?,0082D7F8,00000000,00000007,00000000,?,0082DBF5,00000000), ref: 008229DE
Part of subcall function 008229C8: GetLastError.KERNEL32(00000000,?,0082D7D1,00000000,00000000,00000000,00000000,?,0082D7F8,00000000,00000007,00000000,?,0082DBF5,00000000,00000000), ref: 008229F0

_free.LIBCMT ref: 00822CA0
_free.LIBCMT ref: 00822CAB
_free.LIBCMT ref: 00822CB6
_free.LIBCMT ref: 00822CC1
_free.LIBCMT ref: 00822CCC
_free.LIBCMT ref: 00822CD7
_free.LIBCMT ref: 00822CE2
_free.LIBCMT ref: 00822CED
_free.LIBCMT ref: 00822CFB

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f212acaa66eddc7ee2f978f1618bfbbfe0e7f35f8d5266334e5afad641c8bd6c
Instruction ID: b5a43db8e355ac3ed8652f1b4182ffc1b79fef17cc8c06494f31903d63f20288
Opcode Fuzzy Hash: f212acaa66eddc7ee2f978f1618bfbbfe0e7f35f8d5266334e5afad641c8bd6c
Instruction Fuzzy Hash: D2116676500118BFCB02EF98E942DDD3FA5FF09350F9145A5FA489B222D631EAD09B91

Function 00867DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00867FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00867FC1
GetFileAttributesW.KERNEL32(?), ref: 00867FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00868005
SetCurrentDirectoryW.KERNEL32(?), ref: 00868017
SetCurrentDirectoryW.KERNEL32(?), ref: 00868060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 008680B0

Strings

*.*, xrefs: 00868066

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 9e9340b8b20e89b8a89833f6e953440e8dcc7df691fb483ae041193cb61085cf
Instruction ID: 8980fa732cc974728d14ea8714f93af2b010abb5e6ec3153cb3d351be181d47b
Opcode Fuzzy Hash: 9e9340b8b20e89b8a89833f6e953440e8dcc7df691fb483ae041193cb61085cf
Instruction Fuzzy Hash: A581AF72508245DBCB20EF54C8449AAB3E8FF88718F154D6AF989C7250EB36DD49CB92

Function 007F5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 007F5C7A

Part of subcall function 007F5D0A: GetClientRect.USER32(?,?), ref: 007F5D30
Part of subcall function 007F5D0A: GetWindowRect.USER32(?,?), ref: 007F5D71
Part of subcall function 007F5D0A: ScreenToClient.USER32(?,?), ref: 007F5D99

GetDC.USER32 ref: 008346F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00834708
SelectObject.GDI32(00000000,00000000), ref: 00834716
SelectObject.GDI32(00000000,00000000), ref: 0083472B
ReleaseDC.USER32(?,00000000), ref: 00834733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 008347C4

Strings

U, xrefs: 00834693

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 7377d8a9406ca845e6ae7c79a58743b97251caca150128e969296b332ab36a30
Instruction ID: d1a4e1530457f5abba82671c093ea4ea781fd30feb6ce50cecbbdc352f6869bd
Opcode Fuzzy Hash: 7377d8a9406ca845e6ae7c79a58743b97251caca150128e969296b332ab36a30
Instruction Fuzzy Hash: 23710331400209DFCF218F64C985ABA3BB1FF86314F141269EE529A266D334A841DFA0

Function 0086359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 008635E4

Part of subcall function 007F9CB3: _wcslen.LIBCMT ref: 007F9CBD

LoadStringW.USER32(008C2390,?,00000FFF,?), ref: 0086360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00863724
^ ERROR, xrefs: 008636C9
Line %d (File "%s"):, xrefs: 0086366B
"%s" (%d) : ==> %s:, xrefs: 00863742
Error: , xrefs: 008636EF

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 6c7cfb8910f0ff20a80ea8a5db3eee97aa6be12e90726df6506ea0672e756eb7
Instruction ID: 0285696a76ae723a06d41427977fc1cd670ad7d1e06d97105c3d16f295c1f0cb
Opcode Fuzzy Hash: 6c7cfb8910f0ff20a80ea8a5db3eee97aa6be12e90726df6506ea0672e756eb7
Instruction Fuzzy Hash: C9516C7180021DEADF15EBA4DC46EEEBB78FF14340F144125F605B22A2EB381A98DB61

Function 00888B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00809BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00809BB2

Part of subcall function 0080912D: GetCursorPos.USER32(?), ref: 00809141
Part of subcall function 0080912D: ScreenToClient.USER32(00000000,?), ref: 0080915E
Part of subcall function 0080912D: GetAsyncKeyState.USER32(00000001), ref: 00809183
Part of subcall function 0080912D: GetAsyncKeyState.USER32(00000002), ref: 0080919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00888B6B
ImageList_EndDrag.COMCTL32 ref: 00888B71
ReleaseCapture.USER32 ref: 00888B77
SetWindowTextW.USER32(?,00000000), ref: 00888C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00888C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00888CFF

Strings

@GUI_DRAGFILE, xrefs: 00888C9A
@GUI_DROPID, xrefs: 00888C51

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: d3f213a9270d65771df316b5916d719f636fc68546e6d220dc87ded5ff4a1745
Instruction ID: 46d3c9e78f248fae1e15c47444d5792fe405757aa926b514768ee0f7a3b4228c
Opcode Fuzzy Hash: d3f213a9270d65771df316b5916d719f636fc68546e6d220dc87ded5ff4a1745
Instruction Fuzzy Hash: 70519E71104304AFDB00EF24DC99FAA77E5FB88754F40062DFA56972E2DB749908CB62

Function 0086C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0086C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0086C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0086C2CA
GetLastError.KERNEL32 ref: 0086C322
SetEvent.KERNEL32(?), ref: 0086C336
InternetCloseHandle.WININET(00000000), ref: 0086C341

Strings

, xrefs: 0086C2BB

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 46f737dc21e63ba7571b9ff801664f3b0c57c9f33349f09e889bac7c51acefe0
Instruction ID: b83cd2d100ac384b28af36f721416f01d3b5ce68217a205ec0b99840b0deab44
Opcode Fuzzy Hash: 46f737dc21e63ba7571b9ff801664f3b0c57c9f33349f09e889bac7c51acefe0
Instruction Fuzzy Hash: 533169B1600608AFD721AFA99988ABB7AFCFB49744F11851EF486D6301DB34DD049B71

Function 0085989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00833AAF,?,?,Bad directive syntax error,0088CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 008598BC
LoadStringW.USER32(00000000,?,00833AAF,?), ref: 008598C3

Part of subcall function 007F9CB3: _wcslen.LIBCMT ref: 007F9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00859987

Strings

., xrefs: 0085996D
Line %d (File "%s"):, xrefs: 0085992D
Line %d:, xrefs: 00859912
Error: , xrefs: 00859955
%s (%d) : ==> %s.: %s %s, xrefs: 008598F1

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 2ec3781311770608c4fa406b7bdbdeedc779fcd63700d0e7f15874bd6e7dd621
Instruction ID: cbc658878ab02f6db21053dd665a587688a319df1323f8ff27017ba1941f5c09
Opcode Fuzzy Hash: 2ec3781311770608c4fa406b7bdbdeedc779fcd63700d0e7f15874bd6e7dd621
Instruction Fuzzy Hash: B8216F3180021EEBCF11EF94CC0AEEE7779FF18341F044465F615A12A2EA399628CB61

Function 0085209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 008520AB
GetClassNameW.USER32(00000000,?,00000100), ref: 008520C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0085214D

Strings

largeicons, xrefs: 008520E1
SHELLDLL_DefView, xrefs: 008520CC
details, xrefs: 008520FB
smallicons, xrefs: 00852115
list, xrefs: 0085212F

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 5223b2981102d6cdcbb86082281a65e0f1775580994cd22bcb583f2ef49eb260
Instruction ID: 7cc32e35978611f1c796e4d3350734dab802070562b6c472d2b0121905c769f9
Opcode Fuzzy Hash: 5223b2981102d6cdcbb86082281a65e0f1775580994cd22bcb583f2ef49eb260
Instruction Fuzzy Hash: 0911237A2C8B06B9FA056228AC06DE7379CFF16326B20002AFE04E41D1FE6578495A14

Function 00828D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91889852663cb6c06ba4b31504011c1de73c963c604996d9a730e49d40c74d03
Instruction ID: 8520d00e50f189ad887e7aff5e75576ea52483a7e18c251e188af4bfa7b1b40d
Opcode Fuzzy Hash: 91889852663cb6c06ba4b31504011c1de73c963c604996d9a730e49d40c74d03
Instruction Fuzzy Hash: 2AC1BDB5A0426DEFDF119FACE841BADBBB4FF09310F044099E955E7292CB309981CB61

Function 0082CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0082CEB7
_free.LIBCMT ref: 0082CF22
_free.LIBCMT ref: 0082CF48
_free.LIBCMT ref: 0082CF71
_free.LIBCMT ref: 0082CFA9
_free.LIBCMT ref: 0082CFDA
_free.LIBCMT ref: 0082D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0082D09C
_free.LIBCMT ref: 0082D0B5

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 9661e16156e8a94b0831b05af4be75218b44c5a7dbb6d9ce299280b68b042a94
Instruction ID: c966200ed25b6342b2fcda6e8af55b9d11b76446821d5992432cbefaf2635f73
Opcode Fuzzy Hash: 9661e16156e8a94b0831b05af4be75218b44c5a7dbb6d9ce299280b68b042a94
Instruction Fuzzy Hash: 1C614771904324AFDB21AFB8BD81A7D7BA5FF05350F14026DF905D7282EBB199C18791

Function 008850D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00885186
ShowWindow.USER32(?,00000000), ref: 008851C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 008851CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 008851D1

Part of subcall function 00886FBA: DeleteObject.GDI32(00000000), ref: 00886FE6

GetWindowLongW.USER32(?,000000F0), ref: 0088520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0088521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0088524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00885287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00885296

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 2476cd550d0bfd8b20501f39aca6f3411b24e3ae46643b726e8752c2f86fe2a9
Instruction ID: 863bed9a173279fed0652e9b04ff79326c516e5590fc99eee5c4b3d36eeaf2a8
Opcode Fuzzy Hash: 2476cd550d0bfd8b20501f39aca6f3411b24e3ae46643b726e8752c2f86fe2a9
Instruction Fuzzy Hash: 7A51BE34A50A08FFEF20BF28CC4ABD87BA5FB05325F148012F625D62E1CB75A990DB51

Function 00808B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00846890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 008468A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 008468B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 008468D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 008468F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00808874,00000000,00000000,00000000,000000FF,00000000), ref: 00846901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0084691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00808874,00000000,00000000,00000000,000000FF,00000000), ref: 0084692D

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 4c14a95c5f103e5802648cd4a79d068deaa814d6655bb41a4c7096630e10bdc9
Instruction ID: 4ae028f521cad4cb000a0a13f6e40e85566e09c3cc12e54dcd64f6ce8dd36165
Opcode Fuzzy Hash: 4c14a95c5f103e5802648cd4a79d068deaa814d6655bb41a4c7096630e10bdc9
Instruction Fuzzy Hash: 7D513A70600209EFDB20CF28CC95FAA7BB5FB55764F104528F996D62E0EB70E990DB50

Function 0086C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0086C182
GetLastError.KERNEL32 ref: 0086C195
SetEvent.KERNEL32(?), ref: 0086C1A9

Part of subcall function 0086C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0086C272
Part of subcall function 0086C253: GetLastError.KERNEL32 ref: 0086C322
Part of subcall function 0086C253: SetEvent.KERNEL32(?), ref: 0086C336
Part of subcall function 0086C253: InternetCloseHandle.WININET(00000000), ref: 0086C341

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 44551cee5e1bed3757e557f231106ff491e5b8ee38a9e6b3757f8ea89ec9507c
Instruction ID: 1b5a669726356d989f65d36d23fe4475e92b27a95682885582f0b9e529c15618
Opcode Fuzzy Hash: 44551cee5e1bed3757e557f231106ff491e5b8ee38a9e6b3757f8ea89ec9507c
Instruction Fuzzy Hash: 0D318B71200605AFDB219FA9DC54A77BBF9FF18300B01842EF99AC2715DB31E8149BA0

Function 008525A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00853A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00853A57
Part of subcall function 00853A3D: GetCurrentThreadId.KERNEL32 ref: 00853A5E
Part of subcall function 00853A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008525B3), ref: 00853A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 008525BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 008525DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 008525DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 008525E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00852601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00852605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0085260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00852623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00852627

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: b426d32c2a1af4f8c2de8c0e35fb3704fde155b183e224b2fb59e7fcc3675f94
Instruction ID: b700fbebfc29654a883cb34c063d138a923bfadcebfeed662f75238b13e98b43
Opcode Fuzzy Hash: b426d32c2a1af4f8c2de8c0e35fb3704fde155b183e224b2fb59e7fcc3675f94
Instruction Fuzzy Hash: 3001B131290624BBFB10676C9C8EF593F59EB5AB52F100015F718AE0D9C9F228488A7A

Function 00851803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00851449,?,?,00000000), ref: 0085180C
HeapAlloc.KERNEL32(00000000,?,00851449,?,?,00000000), ref: 00851813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00851449,?,?,00000000), ref: 00851828
GetCurrentProcess.KERNEL32(?,00000000,?,00851449,?,?,00000000), ref: 00851830
DuplicateHandle.KERNEL32(00000000,?,00851449,?,?,00000000), ref: 00851833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00851449,?,?,00000000), ref: 00851843
GetCurrentProcess.KERNEL32(00851449,00000000,?,00851449,?,?,00000000), ref: 0085184B
DuplicateHandle.KERNEL32(00000000,?,00851449,?,?,00000000), ref: 0085184E
CreateThread.KERNEL32(00000000,00000000,00851874,00000000,00000000,00000000), ref: 00851868

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 0c16a24e45dddf616322d0f6113391ea79a87ad4fc5b97f01976afb0fca55608
Instruction ID: f6cc535b2c305e50a9bba41ac0d5ea21298130a2b47e55b5d81e5d829a168a78
Opcode Fuzzy Hash: 0c16a24e45dddf616322d0f6113391ea79a87ad4fc5b97f01976afb0fca55608
Instruction Fuzzy Hash: E801BF75240304BFE710ABA9DC8DF577B6CFB89B11F004411FA05DB295D675A804CB30

Function 0087A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0085D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0085D501
Part of subcall function 0085D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0085D50F
Part of subcall function 0085D4DC: CloseHandle.KERNEL32(00000000), ref: 0085D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0087A16D
GetLastError.KERNEL32 ref: 0087A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0087A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0087A268
GetLastError.KERNEL32(00000000), ref: 0087A273
CloseHandle.KERNEL32(00000000), ref: 0087A2C4

Strings

SeDebugPrivilege, xrefs: 0087A18F

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: eb2c5fcd6f1d2b68f81a9fa639a4ac4d80ad2f0517ef9d85e9cbe87c7a4351ed
Instruction ID: 9f33ffb9f84b9212088f650659a10b0d002b411617ed6034a1547c0b8445d561
Opcode Fuzzy Hash: eb2c5fcd6f1d2b68f81a9fa639a4ac4d80ad2f0517ef9d85e9cbe87c7a4351ed
Instruction Fuzzy Hash: 98616B312082429FD714DF18C498F29BBA1FF84318F58849CE46A8B7A7C776EC45CB92

Function 00883886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00883925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0088393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00883954
_wcslen.LIBCMT ref: 00883999
SendMessageW.USER32(?,00001057,00000000,?), ref: 008839C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 008839F4

Strings

SysListView32, xrefs: 008838F7

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 6a1a4f68e09624e0e191a73a5cf1d9d06010c1d8184ad3a20bc38eb95ab8edbc
Instruction ID: 8220dde5c08fa69392a275952b5d5429a69251fa76564f61d8e69d48e95dd430
Opcode Fuzzy Hash: 6a1a4f68e09624e0e191a73a5cf1d9d06010c1d8184ad3a20bc38eb95ab8edbc
Instruction Fuzzy Hash: 4F41A471A00219ABDF21AF64CC49FEA7BA9FF08750F100526F958E7281D7759E84CB90

Function 0085BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0085BCFD
IsMenu.USER32(00000000), ref: 0085BD1D
CreatePopupMenu.USER32 ref: 0085BD53
GetMenuItemCount.USER32(0101C1C8), ref: 0085BDA4
InsertMenuItemW.USER32(0101C1C8,?,00000001,00000030), ref: 0085BDCC

Strings

0, xrefs: 0085BCA8
2, xrefs: 0085BD37

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: dd44edea29bee004ce2ad290e90b2fd3f1198e2f4bab0dbffe1ddaacdc2bc481
Instruction ID: 48e6acd2028792282b787ed450e9ebdce1363fd99259cbdac63a2b9ee43e53c1
Opcode Fuzzy Hash: dd44edea29bee004ce2ad290e90b2fd3f1198e2f4bab0dbffe1ddaacdc2bc481
Instruction Fuzzy Hash: 8E519C70A002099BDF10CFA8D888BAEBBF4FF65316F144159EC11D7291D7749948CB62

Function 0085C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0085C913

Strings

blank, xrefs: 0085C895
warning, xrefs: 0085C8FC
question, xrefs: 0085C8CC
info, xrefs: 0085C8B4
stop, xrefs: 0085C8E4

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 46ad28bcd92e3e17fead2e73cd109a0c056be55ed5af135006a292714acea74e
Instruction ID: ad99c7a929c4d78dd891e53379b0ebd7aef172892ba312cd60c046a2612dea48
Opcode Fuzzy Hash: 46ad28bcd92e3e17fead2e73cd109a0c056be55ed5af135006a292714acea74e
Instruction Fuzzy Hash: 2211303268930ABEE7005B149C83CEA6B9CFF15759B20003AFD04E53C2E7745D445669

Function 0085DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0085DE42
gethostname.WSOCK32(?,00000100), ref: 0085DE5C
gethostbyname.WSOCK32(?), ref: 0085DE69
inet_ntoa.WSOCK32(?), ref: 0085DEAB
_strcat.LIBCMT ref: 0085DEB9
WSACleanup.WSOCK32 ref: 0085DEDE

Strings

0.0.0.0, xrefs: 0085DE87

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 5548c1266e9925ed3e2e58fba3c355f0ac400b86bf51d4ea27785b363f38c134
Instruction ID: 13042df2f3534482f2e664e7687b1543b7aae7a3db60da3c157299d7f8921a77
Opcode Fuzzy Hash: 5548c1266e9925ed3e2e58fba3c355f0ac400b86bf51d4ea27785b363f38c134
Instruction Fuzzy Hash: 0D110A31904219AFDB30BB68DC0BEDE77ACFF11712F000169F945EA0A1EF748A858B61

Function 00889F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00809BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00809BB2

GetSystemMetrics.USER32(0000000F), ref: 00889FC7
GetSystemMetrics.USER32(0000000F), ref: 00889FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0088A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0088A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0088A263
ShowWindow.USER32(00000003,00000000), ref: 0088A282
InvalidateRect.USER32(?,00000000,00000001), ref: 0088A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 0088A2CA

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 346386f34a03b464961527acf7985e31b7eae35dde0898a02144456de05f32ed
Instruction ID: d0342e10d2acc78af2c66c9d1fbfeb95e51dbd17e293b2cb24b5802272365e85
Opcode Fuzzy Hash: 346386f34a03b464961527acf7985e31b7eae35dde0898a02144456de05f32ed
Instruction Fuzzy Hash: 8BB17B35600219DFEF28DF68C989BAE7BB2FF44711F08806AEC45DB295D731A940CB61

Function 0085ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0085ED2A
_wcslen.LIBCMT ref: 0085ED3B
_wcslen.LIBCMT ref: 0085ED79
_wcslen.LIBCMT ref: 0085EDAF
_wcslen.LIBCMT ref: 0085EDDF
_wcslen.LIBCMT ref: 0085EDEF
_wcslen.LIBCMT ref: 0085EE2B
_wcslen.LIBCMT ref: 0085EE5A

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 8bbc77412f691de0a11a6bbaa8370c1a966c65d2139a3b1c1798eaaa838f2609
Instruction ID: 21fa03be186cdc7aedb692035b26164c2b6130f84715d6214ed1010540c92e48
Opcode Fuzzy Hash: 8bbc77412f691de0a11a6bbaa8370c1a966c65d2139a3b1c1798eaaa838f2609
Instruction Fuzzy Hash: 8F413F65C1021865CB11EBF88C8AACFB7ADFF45710F508566E918E3122FB34E795C3A6

Function 0080F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0084682C,00000004,00000000,00000000), ref: 0080F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0084682C,00000004,00000000,00000000), ref: 0084F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0084682C,00000004,00000000,00000000), ref: 0084F454

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 8ea8d0edc0a625c81165e442151f2556ae1d733cb2859ef7d010fd1e7a37d834
Instruction ID: 0a8c8d3d712c0b9c18ee91c23c461ccbf1619207b48c96372110ec7f23692910
Opcode Fuzzy Hash: 8ea8d0edc0a625c81165e442151f2556ae1d733cb2859ef7d010fd1e7a37d834
Instruction Fuzzy Hash: 6241E831608644BAD7B59B2D9C88B2A7E91FF96314F14C43DE347D2EB3D631A881CB11

Function 00882D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00882D1B
GetDC.USER32(00000000), ref: 00882D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00882D2E
ReleaseDC.USER32(00000000,00000000), ref: 00882D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00882D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00882D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00885A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00882DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00882DE1

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 0470ccb0179713b47f30ab248e37fbe26d8ca9106758687563354749a057f847
Instruction ID: af1988d46168bdc2d8ecfc346540b51a9d51768ed9dcaa2fbfc372d85b1ce5bd
Opcode Fuzzy Hash: 0470ccb0179713b47f30ab248e37fbe26d8ca9106758687563354749a057f847
Instruction Fuzzy Hash: CF318776201214BBEB219F688C8AFEB3FA9FF09751F044065FE08DA291D6759C40CBB0

Function 00855622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00855637
_memcmp.LIBVCRUNTIME ref: 00855659
_memcmp.LIBVCRUNTIME ref: 00855671
_memcmp.LIBVCRUNTIME ref: 00855684
_memcmp.LIBVCRUNTIME ref: 0085569E
_memcmp.LIBVCRUNTIME ref: 008556B1
_memcmp.LIBVCRUNTIME ref: 008556C9
_memcmp.LIBVCRUNTIME ref: 008556E4

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 72f7057513c4f73675090b1bc3d4b5114729443fcca60a85785112611ae504c1
Instruction ID: c5d84a91006c2bd1aa6e74ff322689279b4913640bde07fde9a5037a63e06baa
Opcode Fuzzy Hash: 72f7057513c4f73675090b1bc3d4b5114729443fcca60a85785112611ae504c1
Instruction Fuzzy Hash: C6212CA174091DB7D61465158DA2FFA339DFF30386F540020FF14DA742F728EE1886A6

Function 00874FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00875007
NULL Pointer assignment, xrefs: 0087502E, 00875383

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 3ad9f3d408e496278c45aa0c8549d29539932af954ac7a4e6a2c6f00b4622b84
Instruction ID: 7ec2f3ea9d26f677c2b4a83b8dc34469800c6f10dd04509c806be35eef9b294d
Opcode Fuzzy Hash: 3ad9f3d408e496278c45aa0c8549d29539932af954ac7a4e6a2c6f00b4622b84
Instruction Fuzzy Hash: 14D18F71A0060A9FDB10CFA8C881BAEB7B5FF48344F14C469E919EB295E7B1DD45CB60

Function 00831522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,008317FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 008315CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,008317FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00831651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,008317FB,?,008317FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008316E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,008317FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008316FB

Part of subcall function 00823820: RtlAllocateHeap.NTDLL(00000000,?,008C1444,?,0080FDF5,?,?,007FA976,00000010,008C1440,007F13FC,?,007F13C6,?,007F1129), ref: 00823852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,008317FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00831777
__freea.LIBCMT ref: 008317A2
__freea.LIBCMT ref: 008317AE

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: d7ed867ced2baff4d93f5529ce9248e8fef8aaa1ddbc7d92adf32757099e6481
Instruction ID: 9f17cfc4b15f7045e2b4af24fe781a87cdf365916643e3f790b57403bc2d0473
Opcode Fuzzy Hash: d7ed867ced2baff4d93f5529ce9248e8fef8aaa1ddbc7d92adf32757099e6481
Instruction Fuzzy Hash: 25919271E0021A9ADF208FA4CC89AEE7BB5FF99B14F184659E801E7245DB35DC40CBE0

Function 00874523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00874648
VariantInit.OLEAUT32(?), ref: 00874749
VariantClear.OLEAUT32(?), ref: 00874753
VariantClear.OLEAUT32(?), ref: 008747B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 008745D8, 00874706, 008747BE
Incorrect Object type in FOR..IN loop, xrefs: 0087472C

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 0b1d170c7d06dd830a856ddf06d4c29d08ef6ee7f048df6d0bd4f21c4df4aceb
Instruction ID: 8625d2cf6c5eb74788235bf2d7f8d9b45f88c6a2a5be64a46f0a59eaf342ff74
Opcode Fuzzy Hash: 0b1d170c7d06dd830a856ddf06d4c29d08ef6ee7f048df6d0bd4f21c4df4aceb
Instruction Fuzzy Hash: E5919B31A00219ABDF24CFA4C888EAEBBB8FF46754F108559F519EB284D770D945CFA0

Function 00861187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0086125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00861284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 008612A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008612D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0086135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008613C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00861430

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: c93baf72d57db8eab002702886c7101f11903fb399c20284f865cfef8402c93d
Instruction ID: 4bc300355695b122f0ea879a4062f3e40162277d3e5cd54a2b8b246ff0eafe29
Opcode Fuzzy Hash: c93baf72d57db8eab002702886c7101f11903fb399c20284f865cfef8402c93d
Instruction Fuzzy Hash: 2F91E471A002099FDF00DFA8C899BBEB7B5FF45314F1A4029E901EB392DB74A941CB95

Function 0080948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 27d3f5196477b1724f94cf009698cd03b275db89e21ced876f07f70fed5d7f3b
Instruction ID: e6b099646ad7a1b53fe9cb2948c15f83e218fe1610fb5cdbda9b297068c97672
Opcode Fuzzy Hash: 27d3f5196477b1724f94cf009698cd03b275db89e21ced876f07f70fed5d7f3b
Instruction Fuzzy Hash: 3F911371900219EFCB50CFA9CC84AEEBBB8FF49324F148559E555F7292D374AA42CB60

Function 00873947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0087396B
CharUpperBuffW.USER32(?,?), ref: 00873A7A
_wcslen.LIBCMT ref: 00873A8A
VariantClear.OLEAUT32(?), ref: 00873C1F

Part of subcall function 00860CDF: VariantInit.OLEAUT32(00000000), ref: 00860D1F
Part of subcall function 00860CDF: VariantCopy.OLEAUT32(?,?), ref: 00860D28
Part of subcall function 00860CDF: VariantClear.OLEAUT32(?), ref: 00860D34

Strings

Incorrect Parameter format, xrefs: 008739A6, 00873BA1
AUTOIT.ERROR, xrefs: 00873A80, 00873A85

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 5c367c29ef92b435bd068658817026de8d803f2175f9f58c4bfb116bfb33a451
Instruction ID: 80d98775e9b121d1bd1425c85d76dd3b5e7b1cec787cef5c6d2c956ea0fffa9e
Opcode Fuzzy Hash: 5c367c29ef92b435bd068658817026de8d803f2175f9f58c4bfb116bfb33a451
Instruction Fuzzy Hash: 009133756083059FC704EF28C48596AB7E4FF89314F14882EF98ADB351DB31EA45DB92

Function 00874BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0085000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0084FF41,80070057,?,?,?,0085035E), ref: 0085002B
Part of subcall function 0085000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0084FF41,80070057,?,?), ref: 00850046
Part of subcall function 0085000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0084FF41,80070057,?,?), ref: 00850054
Part of subcall function 0085000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0084FF41,80070057,?), ref: 00850064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00874C51
_wcslen.LIBCMT ref: 00874D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00874DCF
CoTaskMemFree.OLE32(?), ref: 00874DDA

Strings

NULL Pointer assignment, xrefs: 00874E23, 00874E52

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: e319da1650646787939d4577b4c1d17fea2fbb56a8267d35b9a2c3e99346eb11
Instruction ID: a314f436bb399192db051c43398b030738e96a21ee80d94979e067b6f53f04f8
Opcode Fuzzy Hash: e319da1650646787939d4577b4c1d17fea2fbb56a8267d35b9a2c3e99346eb11
Instruction Fuzzy Hash: DD912471D0021DEBDF20DFA4C880AEEBBB8FF08314F108169E919A7255EB349A448F61

Function 008820FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00882183
GetMenuItemCount.USER32(00000000), ref: 008821B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 008821DD
_wcslen.LIBCMT ref: 00882213
GetMenuItemID.USER32(?,?), ref: 0088224D
GetSubMenu.USER32(?,?), ref: 0088225B

Part of subcall function 00853A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00853A57
Part of subcall function 00853A3D: GetCurrentThreadId.KERNEL32 ref: 00853A5E
Part of subcall function 00853A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008525B3), ref: 00853A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 008822E3

Part of subcall function 0085E97B: Sleep.KERNELBASE ref: 0085E9F3

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 25dbba697d677f7f0a37149a98a28e024c2761eaafecd58a1943bf6513ba61cd
Instruction ID: baed5f38afa83a5aecd91bde8183b6be7a0aa30fe754e6ae28389e083bdcd158
Opcode Fuzzy Hash: 25dbba697d677f7f0a37149a98a28e024c2761eaafecd58a1943bf6513ba61cd
Instruction Fuzzy Hash: 20717F75A00219EFCB14EF68C885AAEB7F5FF48310F148469E916EB355D734ED418BA0

Function 00887E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(0101C1A0), ref: 00887F37
IsWindowEnabled.USER32(0101C1A0), ref: 00887F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0088801E
SendMessageW.USER32(0101C1A0,000000B0,?,?), ref: 00888051
IsDlgButtonChecked.USER32(?,?), ref: 00888089
GetWindowLongW.USER32(0101C1A0,000000EC), ref: 008880AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 008880C3

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 4e5d1480caceba674a71b172440eac432d0e19b8bf95015eca357bc14522848b
Instruction ID: 34ab3b850555742f0e8dbe4e65ee11dc5dbeaac299b748caf35e8393eb7ff1cf
Opcode Fuzzy Hash: 4e5d1480caceba674a71b172440eac432d0e19b8bf95015eca357bc14522848b
Instruction Fuzzy Hash: F1717A74608204EFEF21AF65C884FAABBB5FF1A300F644459EA55D72A1CF31E845DB20

Function 0085AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0085AEF9
GetKeyboardState.USER32(?), ref: 0085AF0E
SetKeyboardState.USER32(?), ref: 0085AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0085AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0085AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0085AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0085B020

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 31dedeb56837169bb720792f74fe3b0522fcc73327bd40322bdc2262c040dd7e
Instruction ID: 24440df34dab7a2bdf644837309bb38026b8bbb3616b64d36bc16a42dbb0930e
Opcode Fuzzy Hash: 31dedeb56837169bb720792f74fe3b0522fcc73327bd40322bdc2262c040dd7e
Instruction Fuzzy Hash: 2451E5A06047D53DFB368238CC45BBABEA9BB06306F088589E9D5D54C2D798ACCCD761

Function 0085ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0085AD19
GetKeyboardState.USER32(?), ref: 0085AD2E
SetKeyboardState.USER32(?), ref: 0085AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0085ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0085ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0085AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0085AE38

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 5d40fd7765e3307d7a27406ec85592c7216a6b3c93f7669dd069d0688eb99858
Instruction ID: 299c405818b38f64051fc855854ea23e5ab46b4597980ded71b6ade6132ab1db
Opcode Fuzzy Hash: 5d40fd7765e3307d7a27406ec85592c7216a6b3c93f7669dd069d0688eb99858
Instruction Fuzzy Hash: 1F51F9A15047D53DFB3A93348CC6B7ABEA8FB05302F088648E5D5D68C2D294EC8CD762

Function 0082542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00833CD6,?,?,?,?,?,?,?,?,00825BA3,?,?,00833CD6,?,?), ref: 00825470
__fassign.LIBCMT ref: 008254EB
__fassign.LIBCMT ref: 00825506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00833CD6,00000005,00000000,00000000), ref: 0082552C
WriteFile.KERNEL32(?,00833CD6,00000000,00825BA3,00000000,?,?,?,?,?,?,?,?,?,00825BA3,?), ref: 0082554B
WriteFile.KERNEL32(?,?,00000001,00825BA3,00000000,?,?,?,?,?,?,?,?,?,00825BA3,?), ref: 00825584

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 0c15c57fa3401a23cc8d843f9ed9421f55b48e912e3ca7e715a4d1be4cf071d0
Instruction ID: 3bd569fc1934167ba4bdc80526f355d6d24038f10a8d2594defcdd7df59d2039
Opcode Fuzzy Hash: 0c15c57fa3401a23cc8d843f9ed9421f55b48e912e3ca7e715a4d1be4cf071d0
Instruction Fuzzy Hash: 0E51D3B0A006199FDB10CFA8E995AEEBBF9FF09301F14451AF955E7291D7309A81CB60

Function 00812D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00812D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00812D53
_ValidateLocalCookies.LIBCMT ref: 00812DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00812E0C
_ValidateLocalCookies.LIBCMT ref: 00812E61

Strings

csm, xrefs: 00812DF6

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: cb4d13861d52822a71b379a0c4273754194a3414e0e4ae7cc27e6c42d9cd9f7a
Instruction ID: f4f949b35a1172998ddaca79c4c188566eead74546d06f362f8686503e50d376
Opcode Fuzzy Hash: cb4d13861d52822a71b379a0c4273754194a3414e0e4ae7cc27e6c42d9cd9f7a
Instruction Fuzzy Hash: 3A419134A0020DABCF10DF68D845ADEBBB9FF45324F148165E914EB392D731AAA5CBD1

Function 008710B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0087304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0087307A
Part of subcall function 0087304E: _wcslen.LIBCMT ref: 0087309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00871112
WSAGetLastError.WSOCK32 ref: 00871121
WSAGetLastError.WSOCK32 ref: 008711C9
closesocket.WSOCK32(00000000), ref: 008711F9

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: a8865ebdaf0031bc3027e98cf1899060474627e2056359e490531c97c2de8c10
Instruction ID: aa45dfe3969d7af68c8a44daab23ee73b1ce7eee29f55797ad43a5ebbce53050
Opcode Fuzzy Hash: a8865ebdaf0031bc3027e98cf1899060474627e2056359e490531c97c2de8c10
Instruction Fuzzy Hash: 6C419E31600208AFDB109F58C889AA9B7A9FF45328F548059F919DF299C774ED41CBB1

Function 0085CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0085DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0085CF22,?), ref: 0085DDFD

Part of subcall function 0085DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0085CF22,?), ref: 0085DE16

lstrcmpiW.KERNEL32(?,?), ref: 0085CF45
MoveFileW.KERNEL32(?,?), ref: 0085CF7F
_wcslen.LIBCMT ref: 0085D005
_wcslen.LIBCMT ref: 0085D01B
SHFileOperationW.SHELL32(?), ref: 0085D061

Strings

\*.*, xrefs: 0085CFF3

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: d4b7e19aad7e7654e1f3c166faff96ba43fb3daf0d2834c5871141d1f61ccc29
Instruction ID: 52027f76c0bdb75f2a992c8d2fda50a3030d7557c88071081b0eba346617c407
Opcode Fuzzy Hash: d4b7e19aad7e7654e1f3c166faff96ba43fb3daf0d2834c5871141d1f61ccc29
Instruction Fuzzy Hash: 514110719452189FDF22EBA4DD81ADEB7B9FF08381F1000A6E905EB141EE74A688CF51

Function 00882DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00882E1C
GetWindowLongW.USER32(?,000000F0), ref: 00882E4F
GetWindowLongW.USER32(?,000000F0), ref: 00882E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00882EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00882EE0
GetWindowLongW.USER32(?,000000F0), ref: 00882EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00882F0B

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: e76725aae5868f1bd9416b63f0b856791c9a4fbb8b008a33885b195db613ad2e
Instruction ID: 28199764ef328adfbf3c954b69fd9eed49c5a2c7078632732f55af446b1052e3
Opcode Fuzzy Hash: e76725aae5868f1bd9416b63f0b856791c9a4fbb8b008a33885b195db613ad2e
Instruction Fuzzy Hash: B631FE30604254AFEB61EF58DC88FA53BA1FB9A710F5501A5FA01CB2B2CB71BC44DB55

Function 00857726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00857769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0085778F
SysAllocString.OLEAUT32(00000000), ref: 00857792
SysAllocString.OLEAUT32(?), ref: 008577B0
SysFreeString.OLEAUT32(?), ref: 008577B9
StringFromGUID2.OLE32(?,?,00000028), ref: 008577DE
SysAllocString.OLEAUT32(?), ref: 008577EC

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 1e0801d7dd21167162cffadc9c0b509d49d30f091a0e211550919223e7c838df
Instruction ID: 00da59a25d48749c91da9d0ec5c0d2ba7b0756f3bd47a976ceb2f9fcedb0db9a
Opcode Fuzzy Hash: 1e0801d7dd21167162cffadc9c0b509d49d30f091a0e211550919223e7c838df
Instruction Fuzzy Hash: A6218E76604219AFDB10DFACEC88CBB77ACFB09764B048025FE15DB295D670EC858764

Function 008577FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00857842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00857868
SysAllocString.OLEAUT32(00000000), ref: 0085786B
SysAllocString.OLEAUT32 ref: 0085788C
SysFreeString.OLEAUT32 ref: 00857895
StringFromGUID2.OLE32(?,?,00000028), ref: 008578AF
SysAllocString.OLEAUT32(?), ref: 008578BD

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: b4dbed0275134c853e9528fd476f544f63ab08c8d0f97f24cee49c577df8e3aa
Instruction ID: 819fb30c08b17f6c305ea4707c697d1ec85f5e8e5a1a33567c65c976f716a894
Opcode Fuzzy Hash: b4dbed0275134c853e9528fd476f544f63ab08c8d0f97f24cee49c577df8e3aa
Instruction Fuzzy Hash: DC218E31608218AFDB109BADEC8CDAA77ACFB08361710C135B915CB2A5D670EC85CB78

Function 008604D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 008604F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0086052E

Strings

nul, xrefs: 00860567

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: ab40321cde6f910c88ee5060fdc901364f19cbf182c00a48ce76003790f0aca0
Instruction ID: d71e5e482619ad09be4a98f861b817b4ec6e83e0535f4c16fcfe222ba75094b1
Opcode Fuzzy Hash: ab40321cde6f910c88ee5060fdc901364f19cbf182c00a48ce76003790f0aca0
Instruction Fuzzy Hash: D0216B75500305ABDB209F69DC48A9B7BA4FF44724F214A19F9A2E62E0E7709950CF24

Function 008605A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 008605C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00860601

Strings

nul, xrefs: 00860639

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: ea7a74475dbb30df660b99c7e33fc73a1202bd9faf5e7f5931b324382205607e
Instruction ID: b5c5b0bc98642f4259fe4faf29c1bac8b9182f5f0ef45529ecea0e1e7b183d57
Opcode Fuzzy Hash: ea7a74475dbb30df660b99c7e33fc73a1202bd9faf5e7f5931b324382205607e
Instruction Fuzzy Hash: 0821A1755003059BDB209F68CC04E9B77E4FFA5724F210A19F9A1E72E0D7B09860CF28

Function 008840AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007F600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 007F604C
Part of subcall function 007F600E: GetStockObject.GDI32(00000011), ref: 007F6060
Part of subcall function 007F600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 007F606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00884112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0088411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0088412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00884139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00884145

Strings

Msctls_Progress32, xrefs: 008840E3

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: ea03c782e34e56ae93755da7ef0152be1143d0443ced775090cb34583c4f5759
Instruction ID: d58e07891c5f37fbfe086ec2d85ed7105b3e3cc1392c0d056bad04fe573039e6
Opcode Fuzzy Hash: ea03c782e34e56ae93755da7ef0152be1143d0443ced775090cb34583c4f5759
Instruction Fuzzy Hash: 741190B615021EBEEF119F64CC85EE77F6DFF08798F014120BA18E2190CA769C219BA4

Function 0082D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0082D7A3: _free.LIBCMT ref: 0082D7CC

_free.LIBCMT ref: 0082D82D

Part of subcall function 008229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0082D7D1,00000000,00000000,00000000,00000000,?,0082D7F8,00000000,00000007,00000000,?,0082DBF5,00000000), ref: 008229DE
Part of subcall function 008229C8: GetLastError.KERNEL32(00000000,?,0082D7D1,00000000,00000000,00000000,00000000,?,0082D7F8,00000000,00000007,00000000,?,0082DBF5,00000000,00000000), ref: 008229F0

_free.LIBCMT ref: 0082D838
_free.LIBCMT ref: 0082D843
_free.LIBCMT ref: 0082D897
_free.LIBCMT ref: 0082D8A2
_free.LIBCMT ref: 0082D8AD
_free.LIBCMT ref: 0082D8B8

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 9f48927c75fb616b72049c5a135209915f72af2ce1187e46dcc4b828ad69d07c
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 15113A71540B24BAD621BFB4EC47FCB7FDCFF04700F800825B699E6092DA69B5858662

Function 0085DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0085DA74
LoadStringW.USER32(00000000), ref: 0085DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0085DA91
LoadStringW.USER32(00000000), ref: 0085DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0085DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0085DAB9

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: cabde04311fc3c2475a8dd3542dd9473443053fc709b1d289a9ce2ab73c412bd
Instruction ID: c9e6c3dfc5237a99b95ac5eee7a79525082796d3bb566736342f011b0865118b
Opcode Fuzzy Hash: cabde04311fc3c2475a8dd3542dd9473443053fc709b1d289a9ce2ab73c412bd
Instruction Fuzzy Hash: 720162F65002187FE711EBE89D89EEB376CF708301F4004A6BB46E2045E6749E844F75

Function 0086096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0100E2F8,0100E2F8), ref: 0086097B
EnterCriticalSection.KERNEL32(0100E2D8,00000000), ref: 0086098D
TerminateThread.KERNEL32(?,000001F6), ref: 0086099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 008609A9
CloseHandle.KERNEL32(?), ref: 008609B8
InterlockedExchange.KERNEL32(0100E2F8,000001F6), ref: 008609C8
LeaveCriticalSection.KERNEL32(0100E2D8), ref: 008609CF

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 6f718e43e1cca257e3509099391f3134307707a504222bd50addca96d5255c22
Instruction ID: ea2ab74430c21f2335f4b1f648dbb16d8593722d85602144464245a2a3ad6ca7
Opcode Fuzzy Hash: 6f718e43e1cca257e3509099391f3134307707a504222bd50addca96d5255c22
Instruction Fuzzy Hash: A2F0EC32442A12BBD7515FA8EE8DBD6BB3AFF05712F402025F202908E5CB75A465CFA4

Function 00871C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00871DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00871DE1
WSAGetLastError.WSOCK32 ref: 00871DF2
htons.WSOCK32(?,?,?,?,?), ref: 00871EDB
inet_ntoa.WSOCK32(?), ref: 00871E8C

Part of subcall function 008539E8: _strlen.LIBCMT ref: 008539F2

Part of subcall function 00873224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0086EC0C), ref: 00873240

_strlen.LIBCMT ref: 00871F35

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 590dae0683ba83458869d388caa835babf07ef88a2b1da50bf84d82ba424701f
Instruction ID: f1f7398e1f7709650794355b8c47c80c6a38f11fa95a70a56635617141322d21
Opcode Fuzzy Hash: 590dae0683ba83458869d388caa835babf07ef88a2b1da50bf84d82ba424701f
Instruction Fuzzy Hash: C6B1AD31204300AFC724DF28C899E2ABBA5FF84318F54855CF55A9B6E2DB31ED45CB92

Function 007F5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 007F5D30
GetWindowRect.USER32(?,?), ref: 007F5D71
ScreenToClient.USER32(?,?), ref: 007F5D99
GetClientRect.USER32(?,?), ref: 007F5ED7
GetWindowRect.USER32(?,?), ref: 007F5EF8

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: ff466d6679ddec876552009f4d3a0bf8f8302de72f5139833b7d082c89ef44e9
Instruction ID: 5b5859fe6ab231f612cc92fed9d0bea39e666ab106add641535f51f07495b9f6
Opcode Fuzzy Hash: ff466d6679ddec876552009f4d3a0bf8f8302de72f5139833b7d082c89ef44e9
Instruction Fuzzy Hash: D0B16934A00A4ADBDB14CFA9C4807FEBBF1FF58310F14951AE9A9D7250DB34AA51DB90

Function 008201B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 008200BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008200D6
__allrem.LIBCMT ref: 008200ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0082010B
__allrem.LIBCMT ref: 00820122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00820140

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: d95e6bcaf82ef00537da858b0c275a3ec4c2a68122cfbffb4d04a15bf8150d85
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 8681F971A00B16ABE7209F6CDC41BAA73E9FF41764F244139F651D7282EBB0D9818B91

Function 008261FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,008182D9,008182D9,?,?,?,0082644F,00000001,00000001,8BE85006), ref: 00826258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0082644F,00000001,00000001,8BE85006,?,?,?), ref: 008262DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 008263D8
__freea.LIBCMT ref: 008263E5

Part of subcall function 00823820: RtlAllocateHeap.NTDLL(00000000,?,008C1444,?,0080FDF5,?,?,007FA976,00000010,008C1440,007F13FC,?,007F13C6,?,007F1129), ref: 00823852

__freea.LIBCMT ref: 008263EE
__freea.LIBCMT ref: 00826413

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 7977655c5fff468af8b1c6a59ebd00a5c554b4f835930308910f829fd2d97fdf
Instruction ID: 197122bc33300785ba5230cc9c7ce8b2a19635de1b155e05c29dd82b4af5ba9e
Opcode Fuzzy Hash: 7977655c5fff468af8b1c6a59ebd00a5c554b4f835930308910f829fd2d97fdf
Instruction Fuzzy Hash: C851D472A00226AFDB259F64EC85EAF77A9FF44750F154669FC05D6280EB34DCE0C6A0

Function 0087BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 007F9CB3: _wcslen.LIBCMT ref: 007F9CBD

Part of subcall function 0087C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0087B6AE,?,?), ref: 0087C9B5
Part of subcall function 0087C998: _wcslen.LIBCMT ref: 0087C9F1
Part of subcall function 0087C998: _wcslen.LIBCMT ref: 0087CA68
Part of subcall function 0087C998: _wcslen.LIBCMT ref: 0087CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0087BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0087BD25
RegCloseKey.ADVAPI32(00000000), ref: 0087BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0087BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0087BDF3
RegCloseKey.ADVAPI32(?), ref: 0087BDFF

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 11a052389a36d20ef088d17bc187617868706e8c1c7ab4942784595c0051c48f
Instruction ID: fddf870a74ff42fd8d92de463242b83e0c112aa300afa6bdad53a9bd24a029cc
Opcode Fuzzy Hash: 11a052389a36d20ef088d17bc187617868706e8c1c7ab4942784595c0051c48f
Instruction Fuzzy Hash: D3818A71208245EFD714DF24C885E2ABBE6FF84348F14896CF5598B2A2DB31ED45CB92

Function 0084F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0084F7B9
SysAllocString.OLEAUT32(00000001), ref: 0084F860
VariantCopy.OLEAUT32(0084FA64,00000000), ref: 0084F889
VariantClear.OLEAUT32(0084FA64), ref: 0084F8AD
VariantCopy.OLEAUT32(0084FA64,00000000), ref: 0084F8B1
VariantClear.OLEAUT32(?), ref: 0084F8BB

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 7b5a40713508dc43fe834c8d79b2be0186e0b0ea38bec39f512094887d1da7cf
Instruction ID: 8f5944c1d718e67f5dd64a1e514e960f9c811a3459b88cbaa2c61d2ce4914a19
Opcode Fuzzy Hash: 7b5a40713508dc43fe834c8d79b2be0186e0b0ea38bec39f512094887d1da7cf
Instruction Fuzzy Hash: 2351B531A00318EACF24AB69D895B29BBA4FF45314F24946FEA05DF297DB748C40C767

Function 0086910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 007F7620: _wcslen.LIBCMT ref: 007F7625

Part of subcall function 007F6B57: _wcslen.LIBCMT ref: 007F6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 008694E5
_wcslen.LIBCMT ref: 00869506
_wcslen.LIBCMT ref: 0086952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00869585

Strings

X, xrefs: 00869412

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 0d796c5069f0ad3fe268b1168080103cd17ec09a99bf6b2ce5ec947d19dbb159
Instruction ID: 8cecd461b8b1d1b300de8b0ddf6b892acb212ff6e2a62857a65c94151f3be13d
Opcode Fuzzy Hash: 0d796c5069f0ad3fe268b1168080103cd17ec09a99bf6b2ce5ec947d19dbb159
Instruction Fuzzy Hash: A9E19D31608304DFC724EF24C885A6AB7E5FF85314F05896DEA999B3A2DB34DD05CB92

Function 0080920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00809BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00809BB2

BeginPaint.USER32(?,?,?), ref: 00809241
GetWindowRect.USER32(?,?), ref: 008092A5
ScreenToClient.USER32(?,?), ref: 008092C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 008092D3
EndPaint.USER32(?,?,?,?,?), ref: 00809321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 008471EA

Part of subcall function 00809339: BeginPath.GDI32(00000000), ref: 00809357

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 781c6063d588c44d3dc79aafadb8ac825b71718b9cc6a3e31048c5ced085faae
Instruction ID: 1b82772416868b0276ce4521784e29cb7459373fed22c6f4d8e5c73e19b49d1f
Opcode Fuzzy Hash: 781c6063d588c44d3dc79aafadb8ac825b71718b9cc6a3e31048c5ced085faae
Instruction Fuzzy Hash: 30418E70104205AFDB21DF28CCC9FAA7BB8FB56324F140269F9A4C72E2D7319845DB62

Function 008607EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0086080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00860847
EnterCriticalSection.KERNEL32(?), ref: 00860863
LeaveCriticalSection.KERNEL32(?), ref: 008608DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 008608F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00860921

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 18743c59550d3dffd29789850bb5d6df41fae3edceb74fa5cf992dfc00166395
Instruction ID: eb661ceef8dd3574c1102050693d7cede6b4248c287fe91b287466764ec8c25b
Opcode Fuzzy Hash: 18743c59550d3dffd29789850bb5d6df41fae3edceb74fa5cf992dfc00166395
Instruction Fuzzy Hash: 1F415871900205ABDF14EF58DC85AAA77B9FF44310F1480A9E904DE29BD730EE64DFA5

Function 008881DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0084F3AB,00000000,?,?,00000000,?,0084682C,00000004,00000000,00000000), ref: 0088824C
EnableWindow.USER32(?,00000000), ref: 00888272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 008882D1
ShowWindow.USER32(?,00000004), ref: 008882E5
EnableWindow.USER32(?,00000001), ref: 0088830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0088832F

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: a345520c5694b483257cd374c269320cd707a1799cce0582e0622cef0637733e
Instruction ID: d6f72de225b4fbea9063a9cde90e85f09e45d3bc51f931ef933632e7f578d181
Opcode Fuzzy Hash: a345520c5694b483257cd374c269320cd707a1799cce0582e0622cef0637733e
Instruction Fuzzy Hash: 41417334601644EFDF26EF29D899FA47BF1FB0A714F984169E509CB262CB31A845CB50

Function 00854C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00854C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00854CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00854CEA
_wcslen.LIBCMT ref: 00854D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00854D10
_wcsstr.LIBVCRUNTIME ref: 00854D1A

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: d2849ca3eb79e6b9f362ff02cb638c4040b7d1650e7e7036b6df9c382a952834
Instruction ID: b1c0fee295f0a5459d157bcbb1e333da0138e7e50245fb61ae370cfa52023a76
Opcode Fuzzy Hash: d2849ca3eb79e6b9f362ff02cb638c4040b7d1650e7e7036b6df9c382a952834
Instruction Fuzzy Hash: D1210432204204BBEB659B29EC09E7B7BACFF45754F10903DFC05CA192EA71DC8483A1

Function 0086581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 007F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007F3A97,?,?,007F2E7F,?,?,?,00000000), ref: 007F3AC2

_wcslen.LIBCMT ref: 0086587B
CoInitialize.OLE32(00000000), ref: 00865995
CoCreateInstance.OLE32(0088FCF8,00000000,00000001,0088FB68,?), ref: 008659AE
CoUninitialize.OLE32 ref: 008659CC

Strings

.lnk, xrefs: 00865876, 008658C1, 00865985

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 871973c61562a4c48fe8dfa17ee619c067e3ca7c89b9d0c8a75b10031c400600
Instruction ID: d4fbb31d0abcea0032198b9e36ac2ec248b100eee9552bbe7a3265b5f8844545
Opcode Fuzzy Hash: 871973c61562a4c48fe8dfa17ee619c067e3ca7c89b9d0c8a75b10031c400600
Instruction Fuzzy Hash: 34D17070608605DFC714DF28C484A2ABBE2FF89724F158859F98ADB361DB35EC45CB92

Function 0085175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00850FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00850FCA
Part of subcall function 00850FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00850FD6
Part of subcall function 00850FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00850FE5
Part of subcall function 00850FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00850FEC
Part of subcall function 00850FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00851002

GetLengthSid.ADVAPI32(?,00000000,00851335), ref: 008517AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 008517BA
HeapAlloc.KERNEL32(00000000), ref: 008517C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 008517DA
GetProcessHeap.KERNEL32(00000000,00000000,00851335), ref: 008517EE
HeapFree.KERNEL32(00000000), ref: 008517F5

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 5f4c9aea2661529c704f19a309fbf888b4a9eab0d73a72cf9b55556ce13e0669
Instruction ID: 5e79c5080b8cf0a194569258b9299b281169b5e0c262c322d5f9362c1dd8d527
Opcode Fuzzy Hash: 5f4c9aea2661529c704f19a309fbf888b4a9eab0d73a72cf9b55556ce13e0669
Instruction Fuzzy Hash: 5D118E35510605FFDF109FA8DC8DBAE7BA9FB4935AF104118F841E7218D735A948CB60

Function 008514CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 008514FF
OpenProcessToken.ADVAPI32(00000000), ref: 00851506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00851515
CloseHandle.KERNEL32(00000004), ref: 00851520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0085154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00851563

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: b7e2e6502dc89aa6bbad550e9a0783f7f2e1742328cfdbdd18f171aedf84265c
Instruction ID: 802b0cff52dc422efa3693d4538874b3bb892d6a93b25d6c6afc90f7559462e5
Opcode Fuzzy Hash: b7e2e6502dc89aa6bbad550e9a0783f7f2e1742328cfdbdd18f171aedf84265c
Instruction Fuzzy Hash: FC11867210020DABDF118FA8ED09FDE7BAAFF48749F044024FE05A2060D3759E64EB60

Function 00813382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00813379,00812FE5), ref: 00813390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0081339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 008133B7
SetLastError.KERNEL32(00000000,?,00813379,00812FE5), ref: 00813409

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: d773a46ab9d1e8d0b55c509436f51d2a8d27776e0f2e9c4b0201a5b2fe1cd99a
Instruction ID: 2a2e818235c7c18fa0244f81ea080ac3bcaee672524f4d5407e931dd0e8bda89
Opcode Fuzzy Hash: d773a46ab9d1e8d0b55c509436f51d2a8d27776e0f2e9c4b0201a5b2fe1cd99a
Instruction Fuzzy Hash: 69017132609711BEAA253B787C859EB2B9CFF25779720032AF520C52F1EF114D826659

Function 00822D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00825686,00833CD6,?,00000000,?,00825B6A,?,?,?,?,?,0081E6D1,?,008B8A48), ref: 00822D78
_free.LIBCMT ref: 00822DAB
_free.LIBCMT ref: 00822DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0081E6D1,?,008B8A48,00000010,007F4F4A,?,?,00000000,00833CD6), ref: 00822DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0081E6D1,?,008B8A48,00000010,007F4F4A,?,?,00000000,00833CD6), ref: 00822DEC
_abort.LIBCMT ref: 00822DF2

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 2e5139c8ad15931520b47e0ae488334328749c2a7c84beade5ab441b4e0e6304
Instruction ID: b55103b2405ddd73a8832642755f6b2b09a0bb2cb279b7f6b1f7cff6ab9983c3
Opcode Fuzzy Hash: 2e5139c8ad15931520b47e0ae488334328749c2a7c84beade5ab441b4e0e6304
Instruction Fuzzy Hash: 3EF0C83650463477C212373CBC16F5B2659FFC17A5F240528F824D22D6EF3488C24272

Function 00888A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00809639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00809693
Part of subcall function 00809639: SelectObject.GDI32(?,00000000), ref: 008096A2
Part of subcall function 00809639: BeginPath.GDI32(?), ref: 008096B9
Part of subcall function 00809639: SelectObject.GDI32(?,00000000), ref: 008096E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00888A4E
LineTo.GDI32(?,00000003,00000000), ref: 00888A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00888A70
LineTo.GDI32(?,00000000,00000003), ref: 00888A80
EndPath.GDI32(?), ref: 00888A90
StrokePath.GDI32(?), ref: 00888AA0

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 5480a1123d28ead354c31e2d96adbdbc194da0d757b391b4c52a7df0517cd376
Instruction ID: e82f67c399d9654ed1185ed196f59c252ca3b5293d31ae30018b63aeb13a02af
Opcode Fuzzy Hash: 5480a1123d28ead354c31e2d96adbdbc194da0d757b391b4c52a7df0517cd376
Instruction Fuzzy Hash: DA11C976040119FFDF129F94DC88EAA7F6DFB08394F048012FA199A1A1C7719D55DBA1

Function 008551FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00855218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00855229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00855230
ReleaseDC.USER32(00000000,00000000), ref: 00855238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0085524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00855261

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 4aef3b24da07de9b04dd221b349c15fddff9eb8015cbeae845c2a3b2837b5dd7
Instruction ID: fee98e29b7a3d9905f2f5575e70424418dd8a7f7316004b62f1eac3ae8faf88c
Opcode Fuzzy Hash: 4aef3b24da07de9b04dd221b349c15fddff9eb8015cbeae845c2a3b2837b5dd7
Instruction Fuzzy Hash: AC014F75A00719BBEB109BBA9C49A5EBFB8FF48752F044065FA04E7285DA709804CFA0

Function 007F1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 007F1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 007F1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 007F1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 007F1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 007F1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 007F1C22

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 245b1aeee33fc4f60b8d33c106fa4c4f3dd30f9ba98c3a3db114bb9616ecab61
Instruction ID: b289cd0cba8de4c589b0cd5569a3c0a3bdef6943d576ae0eabbeb860436dce67
Opcode Fuzzy Hash: 245b1aeee33fc4f60b8d33c106fa4c4f3dd30f9ba98c3a3db114bb9616ecab61
Instruction Fuzzy Hash: E9016CB09027597DE3008F5A8C85B52FFA8FF19354F00411B915C47941C7F5AC64CBE5

Function 0085EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0085EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0085EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0085EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0085EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0085EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0085EB75

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: c033f447d876e791541468ae8c443657797154a9df6ba07ab30c436c17d49ff0
Instruction ID: 411609e712d38b965f43c7915d737aec398e60758ccb267b2d2c426a848b00c2
Opcode Fuzzy Hash: c033f447d876e791541468ae8c443657797154a9df6ba07ab30c436c17d49ff0
Instruction Fuzzy Hash: 8EF09A72200118BBE7209B669C4EEEF3A7CFFCAB11F000168FA01E1091E7B02A01C7B5

Function 00847439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00847452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00847469
GetWindowDC.USER32(?), ref: 00847475
GetPixel.GDI32(00000000,?,?), ref: 00847484
ReleaseDC.USER32(?,00000000), ref: 00847496
GetSysColor.USER32(00000005), ref: 008474B0

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 0ca912e7e21b804e9fe008a76f63b5524415172d99c7d54d3dd9b6a0b67d7ea4
Instruction ID: 88b5e84873dbbc83aa13051a236bd363f47dfd1b29b73b0f5a48f2e2b1372746
Opcode Fuzzy Hash: 0ca912e7e21b804e9fe008a76f63b5524415172d99c7d54d3dd9b6a0b67d7ea4
Instruction Fuzzy Hash: 87016931400219EFEB519FB8EC08BBA7BB6FF14321F614164FA16E21A1CB311E51EB60

Function 00851874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0085187F
UnloadUserProfile.USERENV(?,?), ref: 0085188B
CloseHandle.KERNEL32(?), ref: 00851894
CloseHandle.KERNEL32(?), ref: 0085189C
GetProcessHeap.KERNEL32(00000000,?), ref: 008518A5
HeapFree.KERNEL32(00000000), ref: 008518AC

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: a252c2be7a9b72f9655bad24d38d782e010ad7ca86f039a68c1668be5042768a
Instruction ID: 7a45c71c9e9ee0ab0d4eec9cf38676ff9d04e95c38c6d501a3e25a926c193a98
Opcode Fuzzy Hash: a252c2be7a9b72f9655bad24d38d782e010ad7ca86f039a68c1668be5042768a
Instruction Fuzzy Hash: 4AE0E53A004101BBDB016FA9ED0CD0AFF39FF49B22B108220F22581578CB32A421EF60

Function 0085C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007F7620: _wcslen.LIBCMT ref: 007F7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0085C6EE
_wcslen.LIBCMT ref: 0085C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0085C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0085C7CA

Strings

0, xrefs: 0085C6AF

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: b88e97e9235c2a3d24b04dbee3935c8031889ca6fb8fa72b14ebe1d1b7941233
Instruction ID: 125ba4a12931fbcd74dd027aef92a9c71a7a270c4801ccc5f7bb25db566aa507
Opcode Fuzzy Hash: b88e97e9235c2a3d24b04dbee3935c8031889ca6fb8fa72b14ebe1d1b7941233
Instruction Fuzzy Hash: 9C51CC716043019FD7509E2CC889A6AB7E8FF49316F040A2DFE95D26A1DB74D9088F92

Function 0087AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0087AEA3

Part of subcall function 007F7620: _wcslen.LIBCMT ref: 007F7625

GetProcessId.KERNEL32(00000000), ref: 0087AF38
CloseHandle.KERNEL32(00000000), ref: 0087AF67

Strings

@, xrefs: 0087AE72
<, xrefs: 0087AE6B

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 6227d46f72af048f35ca499ecf690e327ea2c8cff8e42d1a5c9fa506a0e2f252
Instruction ID: 2b45c7b7efe22587e0f726a25cafe244c90ee61b99c504258de12589bdcd1e50
Opcode Fuzzy Hash: 6227d46f72af048f35ca499ecf690e327ea2c8cff8e42d1a5c9fa506a0e2f252
Instruction Fuzzy Hash: 64716B75A00619DFCB18DF54C484AAEBBF4FF48314F048499E91AAB3A2CB74ED45CB91

Function 0085719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00857206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0085723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0085724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 008572CF

Strings

DllGetClassObject, xrefs: 00857242

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 48455336db8bb98eda2b270b5a97f51bbfffe5c343de1338578855921fd03357
Instruction ID: 2ce2ea6fe848813fa3b8e4f46de512335ab3dec21b8d589393b2f097d59d59bd
Opcode Fuzzy Hash: 48455336db8bb98eda2b270b5a97f51bbfffe5c343de1338578855921fd03357
Instruction Fuzzy Hash: 0D416DB1A04204EFDB15CF54D884A9A7BA9FF44315F24C0A9BD0ADF20AD7B5D949CBA0

Function 00883D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00883E35
IsMenu.USER32(?), ref: 00883E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00883E92
DrawMenuBar.USER32 ref: 00883EA5

Strings

0, xrefs: 00883D89

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 8357c522b429f49c677344482bad0bd4638a05dbb2169c612f61960feb81bc41
Instruction ID: 7362d34af0dfa0d5965c0e42ae174d9e4b5b1e97e7235fd557204f447d3ddbf9
Opcode Fuzzy Hash: 8357c522b429f49c677344482bad0bd4638a05dbb2169c612f61960feb81bc41
Instruction Fuzzy Hash: 6B4144B5A01209AFDF10EF64D884EAABBB9FF49754F044129E905EB750D730AE44CF60

Function 00851DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007F9CB3: _wcslen.LIBCMT ref: 007F9CBD

Part of subcall function 00853CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00853CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00851E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00851E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00851EA9

Part of subcall function 007F6B57: _wcslen.LIBCMT ref: 007F6B6A

Strings

ComboBox, xrefs: 00851DF0
ListBox, xrefs: 00851E25

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: f7af3560f19a2908dbe6d1622271ef60356525fa7c085af7008b11860428d900
Instruction ID: 88dd6d9f2d75d6330cde9adb34ebefc603d6ecd0c158edf365c7b558eae4d323
Opcode Fuzzy Hash: f7af3560f19a2908dbe6d1622271ef60356525fa7c085af7008b11860428d900
Instruction Fuzzy Hash: A421D671A00108AADF14AB68DC4AEFFB7B9FF55354B144129FD25E72E1DB384D0D8620

Function 00882F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00882F8D
LoadLibraryW.KERNEL32(?), ref: 00882F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00882FA9
DestroyWindow.USER32(?), ref: 00882FB1

Strings

SysAnimate32, xrefs: 00882F68

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 9229ae0e1b34a759bd990cd48887b561cd0e04112f9829c415eb8190b577bea8
Instruction ID: 6b513e67fc8a8ad6119203bac3abb60eebe057547694a95819b7637fb50b9b22
Opcode Fuzzy Hash: 9229ae0e1b34a759bd990cd48887b561cd0e04112f9829c415eb8190b577bea8
Instruction Fuzzy Hash: 42218C71204209ABEB20AF68DC84EBB77B9FF59364F104628FA50D6190DB71DC51D760

Function 00814D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00814D1E,008228E9,?,00814CBE,008228E9,008B88B8,0000000C,00814E15,008228E9,00000002), ref: 00814D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00814DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00814D1E,008228E9,?,00814CBE,008228E9,008B88B8,0000000C,00814E15,008228E9,00000002,00000000), ref: 00814DC3

Strings

mscoree.dll, xrefs: 00814D86
CorExitProcess, xrefs: 00814D98

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: ef7897572ef184138e7125a8f1c63f3cbd95eb27bfa698c8693f9d1a71ccb3da
Instruction ID: 1876091d52878e26adc127b45492b8d5ecdade709616085f60894361e46ab12e
Opcode Fuzzy Hash: ef7897572ef184138e7125a8f1c63f3cbd95eb27bfa698c8693f9d1a71ccb3da
Instruction Fuzzy Hash: E6F08C34A40208BBDB109B94EC49BEEBBA8FF04752F0400A8B805E2260CB315D84CBA1

Function 0084D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0084D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0084D3BF
FreeLibrary.KERNEL32(00000000), ref: 0084D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0084D3B9
X64, xrefs: 0084D2A8

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: c23d601989bddf1e9eeb505c7f100a6f030b26a0ff4a4ba155c6339fc25f154c
Instruction ID: 89771b85b3f47f334281943f84ef1600add1d2ff57e098555eb7099b8229aa89
Opcode Fuzzy Hash: c23d601989bddf1e9eeb505c7f100a6f030b26a0ff4a4ba155c6339fc25f154c
Instruction Fuzzy Hash: 39F05C3650673D9BC7712B144C9C95D3724FF12B09B548085F501E6359E770DC4887A2

Function 007F4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,007F4EDD,?,008C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007F4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 007F4EAE
FreeLibrary.KERNEL32(00000000,?,?,007F4EDD,?,008C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007F4EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 007F4EA8
kernel32.dll, xrefs: 007F4E94

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 5d75f050eb42f5a95bfe5c01b742d4ff0b94dfe01f0add2b8887bb287c21996a
Instruction ID: cea1f61da0bd44c9a8cbd95bb4a3297714c2781c525bb5074ce6c56076e77078
Opcode Fuzzy Hash: 5d75f050eb42f5a95bfe5c01b742d4ff0b94dfe01f0add2b8887bb287c21996a
Instruction Fuzzy Hash: EFE08C3AA02A226B93321B29BC5CB6B7658BF81F62B050115FE00E2308DB78CD0582B0

Function 007F4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00833CDE,?,008C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007F4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 007F4E74
FreeLibrary.KERNEL32(00000000,?,?,00833CDE,?,008C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007F4E87

Strings

kernel32.dll, xrefs: 007F4E5B
Wow64RevertWow64FsRedirection, xrefs: 007F4E6E

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 3e678b663e2411972928c172d75f3559ba080d463dc98c96d73048a3e96741c6
Instruction ID: 20a28386210cca090e5a95c23ecae3ab2451654be8a902b379b6d61c03525df4
Opcode Fuzzy Hash: 3e678b663e2411972928c172d75f3559ba080d463dc98c96d73048a3e96741c6
Instruction Fuzzy Hash: B2D01239502A615757321B297C1CE9B7A18FF85F613450615BA05E2318CF78CD0587F0

Function 00862947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00862C05
DeleteFileW.KERNEL32(?), ref: 00862C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00862C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00862CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00862CC0

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 65ea19daac74080b42cc6a09e1bd5efa3d040afb7d6b5ef4fb38e74ff51da7cb
Instruction ID: fb89d4159532e327aff58b7587fc693f4e02f03758ae1aee17a66f453754e12e
Opcode Fuzzy Hash: 65ea19daac74080b42cc6a09e1bd5efa3d040afb7d6b5ef4fb38e74ff51da7cb
Instruction Fuzzy Hash: 44B12D7290051DABDF21DBA8CC85EEEB7BDFF49350F1040A6F609E6251EA349A448F61

Function 0087A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0087A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0087A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0087A468
CloseHandle.KERNEL32(?), ref: 0087A63D

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: d101f68d73e48df1787415b47c82ebd4ff97f8600f65a7ff4d5780a8da41fb77
Instruction ID: c5d0de90899de946d76d5d7adb935dbb8108fd080ddf66d11ecf6c5ebf87d230
Opcode Fuzzy Hash: d101f68d73e48df1787415b47c82ebd4ff97f8600f65a7ff4d5780a8da41fb77
Instruction Fuzzy Hash: 20A18B716043019FD724DF28C886B2AB7E5FB84714F14881DFA5ADB392D7B4EC418B92

Function 0082BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00893700), ref: 0082BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,008C121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0082BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,008C1270,000000FF,?,0000003F,00000000,?), ref: 0082BC36
_free.LIBCMT ref: 0082BB7F

Part of subcall function 008229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0082D7D1,00000000,00000000,00000000,00000000,?,0082D7F8,00000000,00000007,00000000,?,0082DBF5,00000000), ref: 008229DE
Part of subcall function 008229C8: GetLastError.KERNEL32(00000000,?,0082D7D1,00000000,00000000,00000000,00000000,?,0082D7F8,00000000,00000007,00000000,?,0082DBF5,00000000,00000000), ref: 008229F0

_free.LIBCMT ref: 0082BD4B

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: afc766fbd2f92160b27ce96db93bb6620eb22f8384d8c08c3ab7cae96aa2f284
Instruction ID: 39dafa842d9dba29d9975e3e713221a38233c0bf3bfc72dd9fb72f198b31c078
Opcode Fuzzy Hash: afc766fbd2f92160b27ce96db93bb6620eb22f8384d8c08c3ab7cae96aa2f284
Instruction Fuzzy Hash: D351DB75901229EFCB10EF69EC85DAEB7BCFF45320B10426AE554D7292EB309DC18B51

Function 0085E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0085DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0085CF22,?), ref: 0085DDFD

Part of subcall function 0085DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0085CF22,?), ref: 0085DE16

Part of subcall function 0085E199: GetFileAttributesW.KERNEL32(?,0085CF95), ref: 0085E19A

lstrcmpiW.KERNEL32(?,?), ref: 0085E473
MoveFileW.KERNEL32(?,?), ref: 0085E4AC
_wcslen.LIBCMT ref: 0085E5EB
_wcslen.LIBCMT ref: 0085E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0085E650

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: e1c87645213ec0bbf251981a96ce12d38e2f98d0a35de8ac7aed4aaa98cac30f
Instruction ID: 69aeabee76e0534901d38b959247679da9e8da988069c7d6d6bbe7b5ea205e68
Opcode Fuzzy Hash: e1c87645213ec0bbf251981a96ce12d38e2f98d0a35de8ac7aed4aaa98cac30f
Instruction Fuzzy Hash: 40514FB24087459BC728DBA4DC819DBB3ECFF85341F00491EEA89D3151EF74A68C876A

Function 0087B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 007F9CB3: _wcslen.LIBCMT ref: 007F9CBD

Part of subcall function 0087C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0087B6AE,?,?), ref: 0087C9B5
Part of subcall function 0087C998: _wcslen.LIBCMT ref: 0087C9F1
Part of subcall function 0087C998: _wcslen.LIBCMT ref: 0087CA68
Part of subcall function 0087C998: _wcslen.LIBCMT ref: 0087CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0087BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0087BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0087BB63
RegCloseKey.ADVAPI32(?,?), ref: 0087BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0087BBB3

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: ded4a65f4a801e860e5ff6de60e6c9b243b7d3685085dbac9aca43d9cc19d3c9
Instruction ID: 73a9f4e0b1825b0cc6498a7810d165646f1e7839bdbe651e251d26f4da320ba8
Opcode Fuzzy Hash: ded4a65f4a801e860e5ff6de60e6c9b243b7d3685085dbac9aca43d9cc19d3c9
Instruction Fuzzy Hash: AA616631208245EFC314DF24C494E2ABBE6FF84358F14896CE5998B2A6DB31ED45CB92

Function 00858BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00858BCD
VariantClear.OLEAUT32 ref: 00858C3E
VariantClear.OLEAUT32 ref: 00858C9D
VariantClear.OLEAUT32(?), ref: 00858D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00858D3B

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 36becd23abc2039928035aca82cd6ec43f74b70e43666294039b763284d1bd4d
Instruction ID: 090448bed703e099c7b853b42405f3ba864502da3a553aaa8069a86b76e238d9
Opcode Fuzzy Hash: 36becd23abc2039928035aca82cd6ec43f74b70e43666294039b763284d1bd4d
Instruction Fuzzy Hash: 5A516BB5A00219EFCB10CF58C884AAAB7F8FF89314B15855AED05EB354E730E911CFA0

Function 00868AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00868BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00868BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00868C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00868C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00868C5F

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 0f91145b6ed313b29233fd5941e10997cd5e8e96f5fd3523654b2ad98f556bdc
Instruction ID: 373620d8b2768e396cce26e3fb73919db95e070929251c5860d6a1d26e19c70c
Opcode Fuzzy Hash: 0f91145b6ed313b29233fd5941e10997cd5e8e96f5fd3523654b2ad98f556bdc
Instruction Fuzzy Hash: FA515A35A00219DFCB15DF64C884E69BBF5FF48314F088058E949AB3A2CB35ED55CBA0

Function 00878EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00878F40
GetProcAddress.KERNEL32(00000000,?), ref: 00878FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00878FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00879032
FreeLibrary.KERNEL32(00000000), ref: 00879052

Part of subcall function 0080F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00861043,?,7644E610), ref: 0080F6E6
Part of subcall function 0080F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0084FA64,00000000,00000000,?,?,00861043,?,7644E610,?,0084FA64), ref: 0080F70D

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: d39edcba57f496d4e3a7bfc84ac256fc0f9b05ba6aa3529b5228493ebd9a6f63
Instruction ID: b41ea67bd188431ced0a3066a7c1e018d0c74eedb7e958c5dc2552fec4d25810
Opcode Fuzzy Hash: d39edcba57f496d4e3a7bfc84ac256fc0f9b05ba6aa3529b5228493ebd9a6f63
Instruction Fuzzy Hash: 46512734600609DFCB15DF58C4989A9BBF1FF49324B08C0A9E94A9B366DB35ED85CB90

Function 00886B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00886C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00886C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00886C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0086AB79,00000000,00000000), ref: 00886C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00886CC7

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: dd06e71a4a46def103002f735dc9a3e601faa0f2deebee0476db7cd1ff226acd
Instruction ID: 075e75d41a39029d80f94c78dd61fec0d2793fe69cc661764ad572e84dcd534b
Opcode Fuzzy Hash: dd06e71a4a46def103002f735dc9a3e601faa0f2deebee0476db7cd1ff226acd
Instruction Fuzzy Hash: D141B275A04104AFDB24EF28CD58FA97BA6FB09364F140228F895E73E0E371AD61DB50

Function 00822051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008220C3
_free.LIBCMT ref: 008220E3

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 6413acd803e20eeb20a60c376abb1e1c42615d71aa9535282ebd14596940ebd9
Instruction ID: 2c50b6416b18f565a51b1aa7e7efd6363e86556d18363c1ed0260b6b2d9ad699
Opcode Fuzzy Hash: 6413acd803e20eeb20a60c376abb1e1c42615d71aa9535282ebd14596940ebd9
Instruction Fuzzy Hash: 0041E272A00614AFCB20DF78D880A5EB7A5FF88314F1545A9EA15EB392DB31AD41CB81

Function 0080912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00809141
ScreenToClient.USER32(00000000,?), ref: 0080915E
GetAsyncKeyState.USER32(00000001), ref: 00809183
GetAsyncKeyState.USER32(00000002), ref: 0080919D

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: e6868a6b3be7ad6d0d311409b937233543c9472584849961cb8269a22daf8979
Instruction ID: 8d85305c969836cd9108667197d1a2426ca2aa67fa72276408594665057f8349
Opcode Fuzzy Hash: e6868a6b3be7ad6d0d311409b937233543c9472584849961cb8269a22daf8979
Instruction Fuzzy Hash: 23415B71A0860AFBDF159F68C848BEEB775FF05324F208229E469E62D1C7346D50CB91

Function 00863874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 008638CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00863922
TranslateMessage.USER32(?), ref: 0086394B
DispatchMessageW.USER32(?), ref: 00863955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00863966

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: c66f8ee04de9d51341ab245d16c90eabee8c26468916d9047e202567db513406
Instruction ID: 1ddd2359726ef590be05ce6bc1235a036a75129fd138e1142454ea90faea1f26
Opcode Fuzzy Hash: c66f8ee04de9d51341ab245d16c90eabee8c26468916d9047e202567db513406
Instruction Fuzzy Hash: 2A3191709083869EEF35CB389849FB67FB8FB07304F050569E462C25A1E7B49A85CF21

Function 0086CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0086C21E,00000000), ref: 0086CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0086CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0086C21E,00000000), ref: 0086CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0086C21E,00000000), ref: 0086CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0086C21E,00000000), ref: 0086CFF2

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 0c847661add4e4ffc80c243b2df5cb946e3994e850d7b5386739ec0af3e36b15
Instruction ID: 648d4fbaff06c3ac1576b3491b30b153357bdb754d528e0866307fc9e0b3d244
Opcode Fuzzy Hash: 0c847661add4e4ffc80c243b2df5cb946e3994e850d7b5386739ec0af3e36b15
Instruction Fuzzy Hash: 54315C71600209EFDB20DFA9D884ABBBBFAFF14354B11842EF556D2141DB70AE41DBA0

Function 00851901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00851915
PostMessageW.USER32(00000001,00000201,00000001), ref: 008519C1
Sleep.KERNEL32(00000000,?,?,?), ref: 008519C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 008519DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 008519E2

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 59b223fcb88461f54df31b66b7a87890949c4fa79550efdb1cf1be4ff9bbdccc
Instruction ID: c6f998a7ccd00bd462d97261ae2b414229e9ed529f8f264921cda50acb75e2df
Opcode Fuzzy Hash: 59b223fcb88461f54df31b66b7a87890949c4fa79550efdb1cf1be4ff9bbdccc
Instruction Fuzzy Hash: F6318A71A00219AFCB00CFA8C99DB9E7BB5FB44316F104229F921E72D1C7709948CBA0

Function 00885706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00885745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0088579D
_wcslen.LIBCMT ref: 008857AF
_wcslen.LIBCMT ref: 008857BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00885816

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 2a8788b212e8368cf244f8f0b872431ec12b88b73774b0a50a57bc564838682e
Instruction ID: b3a785b14152409c99f22c7d43b88115d7f475f0837ff1fb45850708a2831ffe
Opcode Fuzzy Hash: 2a8788b212e8368cf244f8f0b872431ec12b88b73774b0a50a57bc564838682e
Instruction Fuzzy Hash: 2721A5719046189ADF20AF64DC84AEEBBBCFF04324F108226E929EA194D7708985CF50

Function 0080990C Relevance: 7.6, APIs: 5, Instructions: 74COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008098CC
SetTextColor.GDI32(?,?), ref: 008098D6
SetBkMode.GDI32(?,00000001), ref: 008098E9
GetStockObject.GDI32(00000005), ref: 008098F1
GetWindowLongW.USER32(?,000000EB), ref: 00809952

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: 13c0c17a84bf5c311b1daee85f0105beeb7efb04992e172e1f00cc8634895274
Instruction ID: e6ae8adee355912dcf40ba68af990aeef26ca1569d2975c7599b8a7fa79831e0
Opcode Fuzzy Hash: 13c0c17a84bf5c311b1daee85f0105beeb7efb04992e172e1f00cc8634895274
Instruction Fuzzy Hash: F921D3311492809FC7628F38EC98AA57FA0FF53331B18429EE5D2CA1E3D7365952CB60

Function 00870930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00870951
GetForegroundWindow.USER32 ref: 00870968
GetDC.USER32(00000000), ref: 008709A4
GetPixel.GDI32(00000000,?,00000003), ref: 008709B0
ReleaseDC.USER32(00000000,00000003), ref: 008709E8

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 9f6951cf0cdc3495879827ccec3dc8c240983e61cb08ec412801bbe4359018ef
Instruction ID: 836b320f914d55a39ed5bbb898057be1692269c01143ffe3b21bba1a2e7504a4
Opcode Fuzzy Hash: 9f6951cf0cdc3495879827ccec3dc8c240983e61cb08ec412801bbe4359018ef
Instruction Fuzzy Hash: 61215E35A00204EFD704EF69D988AAEBBE5FF49700F048068E94AD7352DA34EC04CB60

Function 0082CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0082CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0082CDE9

Part of subcall function 00823820: RtlAllocateHeap.NTDLL(00000000,?,008C1444,?,0080FDF5,?,?,007FA976,00000010,008C1440,007F13FC,?,007F13C6,?,007F1129), ref: 00823852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0082CE0F
_free.LIBCMT ref: 0082CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0082CE31

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: f5d4c2cc62d436cd883dfca8cfb882c8c198856a3404cd0162d3e4f6fa2436fa
Instruction ID: 5d1678546bf66570de3ee700675c9f7f99a99d10e8f11dcf7d2015e2e0ebf5d2
Opcode Fuzzy Hash: f5d4c2cc62d436cd883dfca8cfb882c8c198856a3404cd0162d3e4f6fa2436fa
Instruction Fuzzy Hash: 240188766016357F2321167ABC8CD7F796DFEC6BA1316012AFD05D7205DB718D4282B1

Function 00809639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00809693
SelectObject.GDI32(?,00000000), ref: 008096A2
BeginPath.GDI32(?), ref: 008096B9
SelectObject.GDI32(?,00000000), ref: 008096E2

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 54bcce3370bcd564ac604ce37ca5e695d7955a456bd5d4b8231e618043c5ffa5
Instruction ID: 0f936d4263f0eb8b28b1f8d3ec843859ff40fca7eb02cf1119925aa92a4e4edc
Opcode Fuzzy Hash: 54bcce3370bcd564ac604ce37ca5e695d7955a456bd5d4b8231e618043c5ffa5
Instruction Fuzzy Hash: 18216070801205EBDF519F28EC88BA93FB4FB52755F500215F460D61E2D3719859CB90

Function 00855711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00855726
_memcmp.LIBVCRUNTIME ref: 00855744
_memcmp.LIBVCRUNTIME ref: 00855757
_memcmp.LIBVCRUNTIME ref: 0085576F
_memcmp.LIBVCRUNTIME ref: 00855787

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 227c7b83059ddeff9dc4358715444066e3347bf45512d3ae0451ac3d9f1aa29a
Instruction ID: 63fdbc724dd8c47ef787d49c3007c3c99fba16e6913e40e15c89c85a20528fbc
Opcode Fuzzy Hash: 227c7b83059ddeff9dc4358715444066e3347bf45512d3ae0451ac3d9f1aa29a
Instruction Fuzzy Hash: FA01F5A124160DBBD60861159D92FFB735DFF243AAF104020FE14DA342F724EE5483A1

Function 00822DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0081F2DE,00823863,008C1444,?,0080FDF5,?,?,007FA976,00000010,008C1440,007F13FC,?,007F13C6), ref: 00822DFD
_free.LIBCMT ref: 00822E32
_free.LIBCMT ref: 00822E59
SetLastError.KERNEL32(00000000,007F1129), ref: 00822E66
SetLastError.KERNEL32(00000000,007F1129), ref: 00822E6F

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 4f28dd92511d3eaebc28ae5701d16cdbe868d48dae5ad2e6eb50a101ca8ecbd0
Instruction ID: c6bdc896f660d0ce968ae390dabd3bd75cf91fdd9e6c7ed38a07ef271a94c39c
Opcode Fuzzy Hash: 4f28dd92511d3eaebc28ae5701d16cdbe868d48dae5ad2e6eb50a101ca8ecbd0
Instruction Fuzzy Hash: FA01F93A20562077C612673C7C46D3B265DFBD53B57620128F821E22D3EB74CCC16231

Function 0085000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0084FF41,80070057,?,?,?,0085035E), ref: 0085002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0084FF41,80070057,?,?), ref: 00850046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0084FF41,80070057,?,?), ref: 00850054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0084FF41,80070057,?), ref: 00850064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0084FF41,80070057,?,?), ref: 00850070

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: e765af1d0fdcc7220d664b9cf14b7871020882f403486284c505337d7ed6f0a6
Instruction ID: 6f8ccab682a89509e4e81cd641139063e68a113623d1fa18cb69b5e4d84bd7bb
Opcode Fuzzy Hash: e765af1d0fdcc7220d664b9cf14b7871020882f403486284c505337d7ed6f0a6
Instruction Fuzzy Hash: 8701AD72640605BFDB108F68DC04BAA7AEDFF48792F144124FD05D2254E771DD488BA0

Function 008510F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00851114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00850B9B,?,?,?), ref: 00851120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00850B9B,?,?,?), ref: 0085112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00850B9B,?,?,?), ref: 00851136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0085114D

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: b2689c77c913bcffa03be0c38655acd901f1c41a0f93e099482f5dcc730997fa
Instruction ID: 7a943a2b5d9f8d0f7d790bb5114d2b15dc6726411c28908fd2086044b6a56b1b
Opcode Fuzzy Hash: b2689c77c913bcffa03be0c38655acd901f1c41a0f93e099482f5dcc730997fa
Instruction Fuzzy Hash: 60014679200605AFDB115BA8EC8DA6A3B6EFF893A2B210458FA41C2360DB31DC008B70

Function 00850FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00850FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00850FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00850FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00850FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00851002

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: b6645f0820338dd83aebbabe242545882757c69c237a6550d5fefc8949256e25
Instruction ID: 108d2b867b5ea848e7965c47272c410915d8ebe12eb760ff23b4854d0b71932f
Opcode Fuzzy Hash: b6645f0820338dd83aebbabe242545882757c69c237a6550d5fefc8949256e25
Instruction Fuzzy Hash: 41F04939201711ABDB214FA8AC8DF563BADFF89B62F504414FA45CA295CA70EC408B70

Function 00851014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0085102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00851036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00851045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0085104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00851062

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c1ad9f96ecf73a87721ed95122067908ae72bd60938f4b06dcbd9bc4c9772d2a
Instruction ID: 9e98deb8b720b8d661b9f5fc659445475d1cb6f3420bd92ae3ed23c56ba6917d
Opcode Fuzzy Hash: c1ad9f96ecf73a87721ed95122067908ae72bd60938f4b06dcbd9bc4c9772d2a
Instruction Fuzzy Hash: 67F04939200711ABDB219FA8EC8DF563BADFF89762F600414FA45CA294CA70E8408B70

Function 0086030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0086017D,?,008632FC,?,00000001,00832592,?), ref: 00860324
CloseHandle.KERNEL32(?,?,?,?,0086017D,?,008632FC,?,00000001,00832592,?), ref: 00860331
CloseHandle.KERNEL32(?,?,?,?,0086017D,?,008632FC,?,00000001,00832592,?), ref: 0086033E
CloseHandle.KERNEL32(?,?,?,?,0086017D,?,008632FC,?,00000001,00832592,?), ref: 0086034B
CloseHandle.KERNEL32(?,?,?,?,0086017D,?,008632FC,?,00000001,00832592,?), ref: 00860358
CloseHandle.KERNEL32(?,?,?,?,0086017D,?,008632FC,?,00000001,00832592,?), ref: 00860365

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: d7c879158ac3740425af22211f9c9d3030e58387f5bb4278af0ed930958db44f
Instruction ID: 2bac7cae6c140300f263cf6593901c519c32dfacd69bb8359d48c3ee704a3dde
Opcode Fuzzy Hash: d7c879158ac3740425af22211f9c9d3030e58387f5bb4278af0ed930958db44f
Instruction Fuzzy Hash: B4019072800B159FC7319F66D980813F7F5FE502163168A3ED19692A31C371A955DF84

Function 0082D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0082D752

Part of subcall function 008229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0082D7D1,00000000,00000000,00000000,00000000,?,0082D7F8,00000000,00000007,00000000,?,0082DBF5,00000000), ref: 008229DE
Part of subcall function 008229C8: GetLastError.KERNEL32(00000000,?,0082D7D1,00000000,00000000,00000000,00000000,?,0082D7F8,00000000,00000007,00000000,?,0082DBF5,00000000,00000000), ref: 008229F0

_free.LIBCMT ref: 0082D764
_free.LIBCMT ref: 0082D776
_free.LIBCMT ref: 0082D788
_free.LIBCMT ref: 0082D79A

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: cc9b9b3f6aade17b437323209d80daeaf119bc00f2bd0669eb3c6d074e658bca
Instruction ID: 0e040164fa00b300af4148de52ae541e27cb357069e0e912cceb471c7a425730
Opcode Fuzzy Hash: cc9b9b3f6aade17b437323209d80daeaf119bc00f2bd0669eb3c6d074e658bca
Instruction Fuzzy Hash: E4F0E732545324AB9621EB68F9C6D1A7FDDFB48710BA40D15F448E7502CB24FCC08A65

Function 00855C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00855C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00855C6F
MessageBeep.USER32(00000000), ref: 00855C87
KillTimer.USER32(?,0000040A), ref: 00855CA3
EndDialog.USER32(?,00000001), ref: 00855CBD

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 68cdb5d527b2e0eb31a6e96f2d0eb61e2271a37579c3b3ef8fa8d5c6f1c201f2
Instruction ID: 41e68187af60f4d1dd6818a16d0e4584ae5fc7bd4da10634809c0608232e9533
Opcode Fuzzy Hash: 68cdb5d527b2e0eb31a6e96f2d0eb61e2271a37579c3b3ef8fa8d5c6f1c201f2
Instruction Fuzzy Hash: 80018670500B04ABEB205B54DD5EFA67BB8FF10B06F00056DA593E14E5EBF4AD888BA0

Function 008222A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008222BE

Part of subcall function 008229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0082D7D1,00000000,00000000,00000000,00000000,?,0082D7F8,00000000,00000007,00000000,?,0082DBF5,00000000), ref: 008229DE
Part of subcall function 008229C8: GetLastError.KERNEL32(00000000,?,0082D7D1,00000000,00000000,00000000,00000000,?,0082D7F8,00000000,00000007,00000000,?,0082DBF5,00000000,00000000), ref: 008229F0

_free.LIBCMT ref: 008222D0
_free.LIBCMT ref: 008222E3
_free.LIBCMT ref: 008222F4
_free.LIBCMT ref: 00822305

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e5c70f13211934826378ca518e9b72dba36997b27152660da78562d43e30862f
Instruction ID: ab04529b5a92044aa3e41477592f760551e22e531fbfe2ab9652e2d26ff169e4
Opcode Fuzzy Hash: e5c70f13211934826378ca518e9b72dba36997b27152660da78562d43e30862f
Instruction Fuzzy Hash: 9AF05E74810131EB8A12EF58BC41D487F74FB1D7A1B41061AF824D22B6CB3508D1AFE5

Function 008095C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 008095D4
StrokeAndFillPath.GDI32(?,?,008471F7,00000000,?,?,?), ref: 008095F0
SelectObject.GDI32(?,00000000), ref: 00809603
DeleteObject.GDI32 ref: 00809616
StrokePath.GDI32(?), ref: 00809631

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 7bb1e17fce5e4c9b7b420464c45532656f16f4ac89259aa43b5b8171bdc2a74f
Instruction ID: 955bc10d76f77049c362f7b74506b313d5923a7ec738e6952ca7c9c563ed203c
Opcode Fuzzy Hash: 7bb1e17fce5e4c9b7b420464c45532656f16f4ac89259aa43b5b8171bdc2a74f
Instruction Fuzzy Hash: B5F03C34005A08EBDBA25F69ED9CB643F71FB12362F448214F465950F2C73189A9DF20

Function 00820F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 008210F9
__freea.LIBCMT ref: 00821117

Part of subcall function 00821537: _free.LIBCMT ref: 0082154F

Strings

am/pm, xrefs: 0082117A
a/p, xrefs: 008211DE

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 09a605736e8a6800ddd17d037e820e8229da98beab292101d3f669be9dbe0559
Instruction ID: 4557f9cf66c684ea3bde69238e5ba3414f94e936a433723d8095f50bf789f54e
Opcode Fuzzy Hash: 09a605736e8a6800ddd17d037e820e8229da98beab292101d3f669be9dbe0559
Instruction Fuzzy Hash: 4BD1E03190022ADACF24DF68E85DABAB7B2FF25304F340119E901DBA90D7399DC1CB91

Function 00877B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00810242: EnterCriticalSection.KERNEL32(008C070C,008C1884,?,?,0080198B,008C2518,?,?,?,007F12F9,00000000), ref: 0081024D
Part of subcall function 00810242: LeaveCriticalSection.KERNEL32(008C070C,?,0080198B,008C2518,?,?,?,007F12F9,00000000), ref: 0081028A

Part of subcall function 007F9CB3: _wcslen.LIBCMT ref: 007F9CBD

Part of subcall function 008100A3: __onexit.LIBCMT ref: 008100A9

__Init_thread_footer.LIBCMT ref: 00877BFB

Part of subcall function 008101F8: EnterCriticalSection.KERNEL32(008C070C,?,?,00808747,008C2514), ref: 00810202
Part of subcall function 008101F8: LeaveCriticalSection.KERNEL32(008C070C,?,00808747,008C2514), ref: 00810235

Strings

G, xrefs: 00877C7F
5, xrefs: 00877C78
Variable must be of type 'Object'., xrefs: 00877C3A

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 943041d8cc81933cbb629070ec1e941a1e9a573950484751cae0f96271742180
Instruction ID: dffdd013fcc796ea8cb4012a2bec8af788de65f403a925423e6eb56d18f4a372
Opcode Fuzzy Hash: 943041d8cc81933cbb629070ec1e941a1e9a573950484751cae0f96271742180
Instruction Fuzzy Hash: 7C916770A04209EFCB15EF98C8859ADBBB1FF48304F148059F91A9B29ADB71EE45CB51

Function 00852716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0085B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008521D0,?,?,00000034,00000800,?,00000034), ref: 0085B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00852760

Part of subcall function 0085B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008521FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0085B3F8

Part of subcall function 0085B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0085B355
Part of subcall function 0085B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00852194,00000034,?,?,00001004,00000000,00000000), ref: 0085B365
Part of subcall function 0085B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00852194,00000034,?,?,00001004,00000000,00000000), ref: 0085B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008527CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0085281A

Strings

@, xrefs: 00852832

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 9bdbf0327c77130e0858818396051fa97c4e7b0b2a2b4a6d2f061546d62a5f55
Instruction ID: 9e6e6b66c5dcf86bec51ead3dbc847463f198947c37f732c3574cad858c97658
Opcode Fuzzy Hash: 9bdbf0327c77130e0858818396051fa97c4e7b0b2a2b4a6d2f061546d62a5f55
Instruction Fuzzy Hash: F3410D76900218BFDB10DBA8CD85AEEBBB8FF19701F104059FA55B7181DB706E49CBA1

Function 0082172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00821769
_free.LIBCMT ref: 00821834
_free.LIBCMT ref: 0082183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00821760, 00821767, 00821796, 008217CE

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-3695852857
Opcode ID: 593e988cb36cd673b39096dc8aebb7bf5a8f49b90b07b66387109c2ba3012b95
Instruction ID: bcfea1dcb19b44470945cb47ddf0204d9715b635406e221b549a77d1131d92af
Opcode Fuzzy Hash: 593e988cb36cd673b39096dc8aebb7bf5a8f49b90b07b66387109c2ba3012b95
Instruction Fuzzy Hash: 2F316F75A00228AFDF21DF99A8C9D9EBBFCFB95310B644166F804D7216D6708E80CB91

Function 0085C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,?,00000000,?), ref: 0085C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0085C34C
DeleteMenu.USER32(?,?,00000000,?,00000000,00000000,008C1990,0101C1C8), ref: 0085C395

Strings

0, xrefs: 0085C2DF

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 9092c4dcecd15d6ba42700ed2e382cbe06f30e6eb98ee7ea1b4fb0d9fe450752
Instruction ID: 63f8871fd1890ee98004a356ac20e65408ba89516934895d8fe1e58febdc9a20
Opcode Fuzzy Hash: 9092c4dcecd15d6ba42700ed2e382cbe06f30e6eb98ee7ea1b4fb0d9fe450752
Instruction Fuzzy Hash: 0F416D312043059FDB20DF29D885B9ABBE4FF85315F14861DEDA5D7391D730A908CB62

Function 00884416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0088CC08,00000000,?,?,?,?), ref: 008844AA
GetWindowLongW.USER32 ref: 008844C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 008844D7

Strings

SysTreeView32, xrefs: 0088447C

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 23fb778bacda6e70328d17e459ee77c5b4c1496c8e43fef67c8db5e9e0615399
Instruction ID: 1a57a933e327f6599a8747e223b1d94a6e43d953820eeccc5ed5095cfae996b9
Opcode Fuzzy Hash: 23fb778bacda6e70328d17e459ee77c5b4c1496c8e43fef67c8db5e9e0615399
Instruction Fuzzy Hash: 33319E32211606ABDB20AE78DC45BEA7BA9FB08324F205725F975E22D1D774AC509760

Function 0087304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0087335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00873077,?,?), ref: 00873378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0087307A
_wcslen.LIBCMT ref: 0087309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00873106

Strings

255.255.255.255, xrefs: 00873095, 0087309A

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: b6bb429525463509c0092be16ac3b3979bd2e90f994fae10df05cc20516d6b80
Instruction ID: 61ce1f384d231df69671e15929220533013c870ec4f5e8471507cf5a841001f0
Opcode Fuzzy Hash: b6bb429525463509c0092be16ac3b3979bd2e90f994fae10df05cc20516d6b80
Instruction Fuzzy Hash: D231AF392042059FCB20CF68C485AAA77A0FF14318F64C069E919CB3A6DB32EE45D762

Function 00883EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00883F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00883F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00883F78

Strings

SysMonthCal32, xrefs: 00883F0B

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: d6f258a627b927970f02b62da7ec8fc633d025bfc6b4d901811bb79a7c8cf99a
Instruction ID: 7b67dc45f0c5e8fd41d1b82267f5592de997e7de18818e8d32e6538ddc5c38fd
Opcode Fuzzy Hash: d6f258a627b927970f02b62da7ec8fc633d025bfc6b4d901811bb79a7c8cf99a
Instruction Fuzzy Hash: A921AB32610219BBDF259F54CC46FEA3B79FF48B14F110214FA15AB190DAB5AD508BA0

Function 00884653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00884705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00884713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0088471A

Strings

msctls_updown32, xrefs: 00884684

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 7c5ee91e5f42ba920a1703461aa97bfe6919f3c6c2b80fc546ad073168915d42
Instruction ID: 59d7c3ec01302d234bc3a7299f64b1a4c05ce8fe48d3f3c88de04f4491f154f9
Opcode Fuzzy Hash: 7c5ee91e5f42ba920a1703461aa97bfe6919f3c6c2b80fc546ad073168915d42
Instruction Fuzzy Hash: 86213BB5600209AFEB10EF68DCC5DA637ADFB5A398B140059FA01DB351DB70EC11CB60

Function 008595AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0085961D

Strings

#OnAutoItStartRegister, xrefs: 008595F3
#notrayicon, xrefs: 008595B7
#requireadmin, xrefs: 008595D9

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 6bc5f3f3e47693b58298d3f38fa5c13ad756f466856d27cb9d68b85e0747ef58
Instruction ID: 21c926d0170afb03904022a80e179e6a62ae128ddc57c95a39e27f4d096bd0ee
Opcode Fuzzy Hash: 6bc5f3f3e47693b58298d3f38fa5c13ad756f466856d27cb9d68b85e0747ef58
Instruction Fuzzy Hash: 04212672204215E6C731AA28DC02FB773DCFFA1316F544026FE89D7182EB559D9DC296

Function 008837B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00883840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00883850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00883876

Strings

Listbox, xrefs: 0088380F

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 70d9bc4a5c381c7baa11c5a860e7cd41c82bca56f047437c735ba36287909565
Instruction ID: a28e3803147632d2e3df2b901c26e7111b9ab651b557e14c070a31327d77d2ba
Opcode Fuzzy Hash: 70d9bc4a5c381c7baa11c5a860e7cd41c82bca56f047437c735ba36287909565
Instruction Fuzzy Hash: ED219F72610218BBEF21AF54CC85FBB376EFF89B54F118124FA149B190DA71EC5287A0

Function 008649F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00864A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00864A5C
SetErrorMode.KERNEL32(00000000,?,?,0088CC08), ref: 00864AD0

Strings

%lu, xrefs: 00864A6F

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: d79cf1ba8860a12489a54e7a912e5edfba705d0aee9e765d5018f7f168e05515
Instruction ID: 8ae172fb47554d58d7ff4cf5e9daee7321ced49fe4cd41f381063f12693f5d97
Opcode Fuzzy Hash: d79cf1ba8860a12489a54e7a912e5edfba705d0aee9e765d5018f7f168e05515
Instruction Fuzzy Hash: 53314B75A00108AFDB10DF68C985EAA7BE8FF08308F1480A5E909DB352D775ED45CB61

Function 008841EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0088424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00884264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00884271

Strings

msctls_trackbar32, xrefs: 00884226

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 4afefeb511b65ee6cab03b601b552ff3bd617ffcb2d74c48cd52d43fe06ddaac
Instruction ID: 7c1fdf72c10b04719ae9dd7d6c083a8e766095d08b647345e13f207f51dc40fb
Opcode Fuzzy Hash: 4afefeb511b65ee6cab03b601b552ff3bd617ffcb2d74c48cd52d43fe06ddaac
Instruction Fuzzy Hash: 8B11E332244209BEEF20AF28CC06FAB3BACFF95B54F110124FA55E2190D671DC219B20

Function 00852F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007F6B57: _wcslen.LIBCMT ref: 007F6B6A

Part of subcall function 00852DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00852DC5
Part of subcall function 00852DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00852DD6
Part of subcall function 00852DA7: GetCurrentThreadId.KERNEL32 ref: 00852DDD
Part of subcall function 00852DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00852DE4

GetFocus.USER32 ref: 00852F78

Part of subcall function 00852DEE: GetParent.USER32(00000000), ref: 00852DF9

GetClassNameW.USER32(?,?,00000100), ref: 00852FC3
EnumChildWindows.USER32(?,0085303B), ref: 00852FEB

Strings

%s%d, xrefs: 00852FFF

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: c3f6381670ed4662b5758752bf0fb81cd3f6a20273795df01424b9121083c60e
Instruction ID: c5481dcb8df78fc3ab22180209d03a9313e28f86ee7f550575ac2e5a8e1f99c2
Opcode Fuzzy Hash: c3f6381670ed4662b5758752bf0fb81cd3f6a20273795df01424b9121083c60e
Instruction Fuzzy Hash: D911D2B1200209ABCF50BF688C85EED376AFF94305F044079BD09DB296EE349D098B71

Function 00885882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008858C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008858EE
DrawMenuBar.USER32(?), ref: 008858FD

Strings

0, xrefs: 0088588F

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: aad3d1428b42204b8416bbe03dc11ee0a64de906f673638a80bd3a7f980d4821
Instruction ID: 74ff8e1520c0d8706c0de8742f8f7a9d6ca2b82345c89d5124a9a192ffc8967b
Opcode Fuzzy Hash: aad3d1428b42204b8416bbe03dc11ee0a64de906f673638a80bd3a7f980d4821
Instruction Fuzzy Hash: 5F015B31500218EEDB61AF15EC44BAEBFB4FB45360F1080A9E949DA1A2DB308A84DF21

Function 0085007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8ce8999ca19f213b9a9a07a17363a03f3eb366290d91d355fae108c9aa16d90
Instruction ID: 4c88defa9867b0403faa6e7deac74ae7dffef57cf1977d8c486940bd75d9bdc2
Opcode Fuzzy Hash: b8ce8999ca19f213b9a9a07a17363a03f3eb366290d91d355fae108c9aa16d90
Instruction Fuzzy Hash: 53C14B75A0020AEFDB15CFA8C894AAEB7B5FF48705F208598E905EB251D731ED45CF90

Function 00823E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00823F0B
__alldvrm.LIBCMT ref: 0082410C
__alldvrm.LIBCMT ref: 0082412E

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: c9a37ae8efbf0ab39f8728714eab13be96af996d05731f7f51550b57a021f526
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: EAA15772E007A69FDB21CF18E8917AEBBE4FF61350F14416DE585DB281C63899C1C761

Function 0087342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00873459
CoUninitialize.OLE32 ref: 00873463
VariantInit.OLEAUT32(?), ref: 0087346E
VariantClear.OLEAUT32(?), ref: 0087371B

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 811ef668be972b5a3fc513792c23050f0fad214a1385cc08ccb94ceb813e5ed5
Instruction ID: 7f197cd669ec10ee7fb09422f4742b0076e7b1b80cb20715de7881d309f92688
Opcode Fuzzy Hash: 811ef668be972b5a3fc513792c23050f0fad214a1385cc08ccb94ceb813e5ed5
Instruction Fuzzy Hash: 56A14875204204DFC714DF28C885A2AB7E5FF88724F048859F98ADB366DB74EE05DB92

Function 00850436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0088FC08,?), ref: 008505F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0088FC08,?), ref: 00850608
CLSIDFromProgID.OLE32(?,?,00000000,0088CC40,000000FF,?,00000000,00000800,00000000,?,0088FC08,?), ref: 0085062D
_memcmp.LIBVCRUNTIME ref: 0085064E

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: fd3898c84f8e2dddb7fb32dabbc8a517732fd622deef74e51a497bfa73e12aa1
Instruction ID: 519bef944197ad9c812720adc1379ccc1ad1f6bd4a938ceb56c5106214246d33
Opcode Fuzzy Hash: fd3898c84f8e2dddb7fb32dabbc8a517732fd622deef74e51a497bfa73e12aa1
Instruction Fuzzy Hash: FB81BA75A00209EFCB04DF94C984DEEB7B9FF89315B204558E916EB250DB71AE4ACF60

Function 00831391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008314C0

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 639089de459438af3f6a1d447667f294c2d0604f7250efee2efa2f915212a94a
Instruction ID: 708b61203d23a76f0631c5a3c761a131bb5c4fa52f27f716b032768b8f380700
Opcode Fuzzy Hash: 639089de459438af3f6a1d447667f294c2d0604f7250efee2efa2f915212a94a
Instruction Fuzzy Hash: 25417F31A001146BDF217BBD9C4EAFE3AAAFFC1B70F144625F419D2292E674488153E7

Function 00886278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 008862E2
ScreenToClient.USER32(?,?), ref: 00886315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00886382

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 7d0d375bd647fa4bac17d9796f401acc34493167d96a36a1f20e06bc05cb44e5
Instruction ID: c7977c96db74d398606b2f3c4c5427dfc43fe15b16ff1ac71f75c9b0c2b94bd3
Opcode Fuzzy Hash: 7d0d375bd647fa4bac17d9796f401acc34493167d96a36a1f20e06bc05cb44e5
Instruction Fuzzy Hash: E7510774A00209EFDF10EF68D984AAE7BB5FF45364F108169F915DB2A1E730AD91CB50

Function 00871AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00871AFD
WSAGetLastError.WSOCK32 ref: 00871B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00871B8A
WSAGetLastError.WSOCK32 ref: 00871B94

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 257bf619ee56ed24e72d624d6282ca7e6a8be5978458fce821ca52e1c36c1819
Instruction ID: b97da1daf293c7a4ac53054ad430755a828492eb4769660f6002b491a2a44b56
Opcode Fuzzy Hash: 257bf619ee56ed24e72d624d6282ca7e6a8be5978458fce821ca52e1c36c1819
Instruction Fuzzy Hash: 37418D35600204AFEB20AF28C88AF3977E5EB48718F54C458FA1A9F7D2D676DD418B91

Function 0082B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfabdfe65e3511b29b51e270c59cbd1cf4cd2a515f4f63962fa9666f8b088a50
Instruction ID: f5d58c1aa38605195e0d1b0f53db888146d4a6d1df5b87d7e8f73a991b24957d
Opcode Fuzzy Hash: bfabdfe65e3511b29b51e270c59cbd1cf4cd2a515f4f63962fa9666f8b088a50
Instruction Fuzzy Hash: 16411771A00724BFD724AF7CDC81BAABBE9FF88710F10452AF541DB282D77199818781

Function 008656D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00865783
GetLastError.KERNEL32(?,00000000), ref: 008657A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 008657CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 008657FA

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 8cf56eee0ed8810a21926298bddcd569dbcdca7fefbc642100b1448a3f546329
Instruction ID: 91b1cd9ec0450a090739aef42abe71153e9c23f8faebd3ebae5344b15afcd695
Opcode Fuzzy Hash: 8cf56eee0ed8810a21926298bddcd569dbcdca7fefbc642100b1448a3f546329
Instruction Fuzzy Hash: 4B414E35600615DFCB15DF15C544A2EBBE2FF89320F198498E94AAB362CB78FD04CB91

Function 0082D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00816D71,00000000,00000000,008182D9,?,008182D9,?,00000001,00816D71,8BE85006,00000001,008182D9,008182D9), ref: 0082D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0082D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0082D9AB
__freea.LIBCMT ref: 0082D9B4

Part of subcall function 00823820: RtlAllocateHeap.NTDLL(00000000,?,008C1444,?,0080FDF5,?,?,007FA976,00000010,008C1440,007F13FC,?,007F13C6,?,007F1129), ref: 00823852

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 0a195d4d4b253bc35db11ab0a83c6213f913dd9639c34740b4a45d22b50e6516
Instruction ID: 731734f852279246dc8350e633f5b13b5a99031dd273024b36086855785d9a21
Opcode Fuzzy Hash: 0a195d4d4b253bc35db11ab0a83c6213f913dd9639c34740b4a45d22b50e6516
Instruction Fuzzy Hash: 45319FB2A0022AABDB24DF69EC85EAE7FA5FF40310B154168FC04D6250E735CDD1CBA1

Function 008852C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00885352
GetWindowLongW.USER32(?,000000F0), ref: 00885375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00885382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008853A8

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 17190de16fcac1f8bc888f0f6237a7ada59b434bc2046d2cab8cc632658a2d49
Instruction ID: 72c653e5a7cf7936b394b8e943ddac9054482267baa5d63b147c38aa949b99f1
Opcode Fuzzy Hash: 17190de16fcac1f8bc888f0f6237a7ada59b434bc2046d2cab8cc632658a2d49
Instruction Fuzzy Hash: 50319C34A55A0CFFEB30AA18CC56FE97765FB06391F984101BA11D63E1C7B4AE809B52

Function 0085AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 0085ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0085AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0085AC74
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 0085ACC6

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: db4de6b7cd6d1d351993243f103ea54d10419fb21af81e3bb06ce3667019639b
Instruction ID: ca78c67ab685ca34e98516cedb9730af1707038738c0ec8b93ee54ab51e7e22e
Opcode Fuzzy Hash: db4de6b7cd6d1d351993243f103ea54d10419fb21af81e3bb06ce3667019639b
Instruction Fuzzy Hash: 80311430A00218AFEF28CB68C8457FA7AA5FB89312F04431EE895D61D0D3748D8D8762

Function 00887674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0088769A
GetWindowRect.USER32(?,?), ref: 00887710
PtInRect.USER32(?,?,00888B89), ref: 00887720
MessageBeep.USER32(00000000), ref: 0088778C

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: f217aa463bd78bc409c1aeec12bd7b07a1851f46a099df48846c767ecc5b2e56
Instruction ID: 334267b0efb470bab11cae6e6afa734bf1e21a16588936c9c12d327bb05eb6bc
Opcode Fuzzy Hash: f217aa463bd78bc409c1aeec12bd7b07a1851f46a099df48846c767ecc5b2e56
Instruction Fuzzy Hash: 6941AB34A09255DFDB11EF68C898EA9BBF4FB4A304F6840A8E814DB261D330E945CF90

Function 008816DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 008816EB

Part of subcall function 00853A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00853A57
Part of subcall function 00853A3D: GetCurrentThreadId.KERNEL32 ref: 00853A5E
Part of subcall function 00853A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008525B3), ref: 00853A65

GetCaretPos.USER32(?), ref: 008816FF
ClientToScreen.USER32(00000000,?), ref: 0088174C
GetForegroundWindow.USER32 ref: 00881752

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 62aaf9c7aa91aff6aa61080232d32b86e8954aefe5d966780f6ea045fd6ec87f
Instruction ID: 55c7364e076cc75a61611c379b1f78eda982e275e284759487f0d89a9cfdc530
Opcode Fuzzy Hash: 62aaf9c7aa91aff6aa61080232d32b86e8954aefe5d966780f6ea045fd6ec87f
Instruction Fuzzy Hash: 0A315E75D00149AFCB00EFA9C885CAEBBFDFF48304B5480A9E515E7311DA359E45CBA1

Function 0085DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 007F7620: _wcslen.LIBCMT ref: 007F7625

_wcslen.LIBCMT ref: 0085DFCB
_wcslen.LIBCMT ref: 0085DFE2
_wcslen.LIBCMT ref: 0085E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0085E018

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 9914f0dca8a1bb93ddbe457346fba9f85bff176d44a5c02db17ca878b0a22ffe
Instruction ID: 231caff572dd42c1bf69503718b197f3e34189c2437adba948e35e4a2c008bdc
Opcode Fuzzy Hash: 9914f0dca8a1bb93ddbe457346fba9f85bff176d44a5c02db17ca878b0a22ffe
Instruction Fuzzy Hash: 6C218071900614AFCB24EFA8D982BAEB7B8FF45750F144065E905FB286D6749E40CBA2

Function 0085D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0085D501
Process32FirstW.KERNEL32(00000000,?), ref: 0085D50F
Process32NextW.KERNEL32(00000000,?), ref: 0085D52F
CloseHandle.KERNEL32(00000000), ref: 0085D5DC

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: de49762939513176f2f2b0777eff4770d49253b07c33e2c2a2353353177eb3e4
Instruction ID: 82391a9ecba5af6e55eb9042123cdf7de4f203847e28f437787113906da2f4a1
Opcode Fuzzy Hash: de49762939513176f2f2b0777eff4770d49253b07c33e2c2a2353353177eb3e4
Instruction Fuzzy Hash: DA318471108304DFD310EF54C885ABFBBE8FF99354F14052DFA85862A1EB719949CBA2

Function 00888FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00809BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00809BB2

GetCursorPos.USER32(?), ref: 00889001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00847711,?,?,?,?,?), ref: 00889016
GetCursorPos.USER32(?), ref: 0088905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00847711,?,?,?), ref: 00889094

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: ec79c28317f13b4777838591aeb14dc1af51f9caf95a1f8e55ab6fd4153eeae5
Instruction ID: 5e584fb8f3493f6f4c407ad5af7991143a23e4cdeeb8995053cbb4f283427a82
Opcode Fuzzy Hash: ec79c28317f13b4777838591aeb14dc1af51f9caf95a1f8e55ab6fd4153eeae5
Instruction Fuzzy Hash: 2F219F35600418EFDF259F98CC98EFA7BF9FB4A360F184069F946972A2D3319950DB60

Function 0085D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0088CB68), ref: 0085D2FB
GetLastError.KERNEL32 ref: 0085D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0085D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0088CB68), ref: 0085D376

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 18450044ad2290f4597a4807999861c889ac5a5bf7617258b292b89aaba4b5a8
Instruction ID: 89135fe49c0b0654d11efeddaa95ea22a28ae4464f112b73b69bd659e1297435
Opcode Fuzzy Hash: 18450044ad2290f4597a4807999861c889ac5a5bf7617258b292b89aaba4b5a8
Instruction Fuzzy Hash: 43215C705093059F8720EF28C8858AAB7E4FE56365F104A1DFCA9C73A1E731D94ACB93

Function 00851571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00851014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0085102A
Part of subcall function 00851014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00851036
Part of subcall function 00851014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00851045
Part of subcall function 00851014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0085104C
Part of subcall function 00851014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00851062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 008515BE
_memcmp.LIBVCRUNTIME ref: 008515E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00851617
HeapFree.KERNEL32(00000000), ref: 0085161E

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: bb62a255c2c40cf4f1bd0112d3b2eed9cf49e6c3cb603db222397c2eff19f1b9
Instruction ID: 66eb22cf05721fdfaa64d97191d4d861faca9d24052ad225971dfa94fe4df752
Opcode Fuzzy Hash: bb62a255c2c40cf4f1bd0112d3b2eed9cf49e6c3cb603db222397c2eff19f1b9
Instruction Fuzzy Hash: 12215A71E40109ABDF00DFA4C949BEEB7B8FF54345F084459E851E7241E730AA09CB60

Function 00882782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0088280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00882824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00882832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00882840

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: ae4fbb83188570410896c5b111b8138573068e9ed1d1a78e96433e2c38b3f2cd
Instruction ID: 932837aa75c0835d44f3992d840ac2a0f3ba8b1e1443eec1f89490719b86e826
Opcode Fuzzy Hash: ae4fbb83188570410896c5b111b8138573068e9ed1d1a78e96433e2c38b3f2cd
Instruction Fuzzy Hash: 3421A135204515AFDB14AB28C855FAA7B95FF45324F148258F426CB6E2CB75FC42C790

Function 008578F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00858D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0085790A,?,000000FF,?,00858754,00000000,?,0000001C,?,?), ref: 00858D8C
Part of subcall function 00858D7D: lstrcpyW.KERNEL32(00000000,?,?,0085790A,?,000000FF,?,00858754,00000000,?,0000001C,?,?,00000000), ref: 00858DB2
Part of subcall function 00858D7D: lstrcmpiW.KERNEL32(00000000,?,0085790A,?,000000FF,?,00858754,00000000,?,0000001C,?,?), ref: 00858DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00858754,00000000,?,0000001C,?,?,00000000), ref: 00857923
lstrcpyW.KERNEL32(00000000,?,?,00858754,00000000,?,0000001C,?,?,00000000), ref: 00857949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00858754,00000000,?,0000001C,?,?,00000000), ref: 00857984

Strings

cdecl, xrefs: 0085797B

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: eb8613e27b9d23af2391d2a15109aa92b5c254159974c22ec54a470aa27759c2
Instruction ID: d2f7e19c9f9998f68772ca299f63107e0ad1094cab05c77a9616f2e24a604f25
Opcode Fuzzy Hash: eb8613e27b9d23af2391d2a15109aa92b5c254159974c22ec54a470aa27759c2
Instruction Fuzzy Hash: C511063A200242ABCB159F39DC44E7A7BA9FF85351B40802AFD02CB3A4EB359815C761

Function 00887CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00887D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00887D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00887D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0086B7AD,00000000), ref: 00887D6B

Part of subcall function 00809BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00809BB2

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 355a5bc4330fe42c17da26c5e8c4d95811039b978a7b22d53e89a83b3f5a4f04
Instruction ID: d7e750184440f5cbcc78480b27cca082cf1e3272ca5c108c10271c9cac2ab342
Opcode Fuzzy Hash: 355a5bc4330fe42c17da26c5e8c4d95811039b978a7b22d53e89a83b3f5a4f04
Instruction Fuzzy Hash: 80115E32605615AFCB10AF68CC48E663BB5FF463A0B254728F835D72E5E730D951DB50

Function 00885660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 008856BB
_wcslen.LIBCMT ref: 008856CD
_wcslen.LIBCMT ref: 008856D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00885816

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 0e0122f15a13b61ffad21fb19345c9947c6a9b35c0e8fb3f1943205561881236
Instruction ID: ca79630810d1a11fe59be5225692d2561d6fde55541bf9e06fc9a8dc2f73276e
Opcode Fuzzy Hash: 0e0122f15a13b61ffad21fb19345c9947c6a9b35c0e8fb3f1943205561881236
Instruction Fuzzy Hash: F311BE75A10608A6DF20EF65DC85AEE7BBCFF21764F10402AF915E6191EB70CA84CB64

Function 00821D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 474f4d9afa09323944dcdf4cf95a34a5d5a52ebe4edc20dc05e8498e2cb8b88b
Instruction ID: 88175b494b25252dd699506a92e086a18c7eb946fcfe42bbf3082122f8f5735d
Opcode Fuzzy Hash: 474f4d9afa09323944dcdf4cf95a34a5d5a52ebe4edc20dc05e8498e2cb8b88b
Instruction Fuzzy Hash: A1018BB220962ABEFA21267C7CC8F276A1CFF613B8B300325F521E11D2DB708C815270

Function 00851A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00851A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00851A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00851A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00851A8A

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bc6d7704565fdbc2022ad2502cb3bc809a389049210381d8902847efaad83953
Instruction ID: 062f46e732cc45b1821d2c1559bde2f70e4196b4ba9e8b17ad25e6acbb2a389d
Opcode Fuzzy Hash: bc6d7704565fdbc2022ad2502cb3bc809a389049210381d8902847efaad83953
Instruction Fuzzy Hash: BD112A3A901229FFEF12DBA4C985FADBB79FB04750F200091EA00B7290D7716E50DB94

Function 0085E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0085E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0085E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0085E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0085E24D

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 9cf40049e239a243de6f45498d2acbb162643e8bbd0eb64a31738211f519fd5c
Instruction ID: 2fe1990bf55a739b13c05f565e3b6bcf2479879455d5c0d7e4974c2d2a97966d
Opcode Fuzzy Hash: 9cf40049e239a243de6f45498d2acbb162643e8bbd0eb64a31738211f519fd5c
Instruction Fuzzy Hash: 02110476904258BBCB059FBCAC49E9E7FACFB46326F004255F824E3395D7B49A0487B0

Function 0081D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0081CFF9,00000000,00000004,00000000), ref: 0081D218
GetLastError.KERNEL32 ref: 0081D224
__dosmaperr.LIBCMT ref: 0081D22B
ResumeThread.KERNEL32(00000000), ref: 0081D249

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: de3164914b2c98230dd1affa9651196c1cd2dcb732ac48f754a9355622920756
Instruction ID: acc80d1c7925730dc7a2be4ca2af3ba894ebc0156b57243408180c7ebb5bb701
Opcode Fuzzy Hash: de3164914b2c98230dd1affa9651196c1cd2dcb732ac48f754a9355622920756
Instruction Fuzzy Hash: 5001D236805308BBCB115BA9DC09BEA7B6DFF81330F204219F935D21D1DB719981C7A1

Function 00889EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00809BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00809BB2

GetClientRect.USER32(?,?), ref: 00889F31
GetCursorPos.USER32(?), ref: 00889F3B
ScreenToClient.USER32(?,?), ref: 00889F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00889F7A

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 1f857f218bad7dcfa6262ba1722632942eb5537f0e1dd7dee8d3a6dd1e23b291
Instruction ID: 2fa7ffead6b8242a28e0a4cfcccb3ff25872aac073f7b34feec0e0ebb3dbf946
Opcode Fuzzy Hash: 1f857f218bad7dcfa6262ba1722632942eb5537f0e1dd7dee8d3a6dd1e23b291
Instruction Fuzzy Hash: EE11453290011AABDF15EFA8D889DFE77B9FB05311F140455FA52E3141DB30BA81CBA2

Function 007F600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 007F604C
GetStockObject.GDI32(00000011), ref: 007F6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 007F606A

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 4027525a90fc7ee06857ea152676bb2a79a8ec121c03d98649a15b4fd853f5ea
Instruction ID: 864a0047d4bd15264c6a6d43131fe87f223fde7c85e64be6eded09d409056e47
Opcode Fuzzy Hash: 4027525a90fc7ee06857ea152676bb2a79a8ec121c03d98649a15b4fd853f5ea
Instruction Fuzzy Hash: F4115E7250150DBFEF125FA89C44EFA7B69FF19754F140115FA1552110DB369C609BA0

Function 00813B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00813B56

Part of subcall function 00813AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00813AD2
Part of subcall function 00813AA3: ___AdjustPointer.LIBCMT ref: 00813AED

_UnwindNestedFrames.LIBCMT ref: 00813B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00813B7C
CallCatchBlock.LIBVCRUNTIME ref: 00813BA4

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: e61519fdfe08602329358f7ad4552b7c5b41a79d4add1c494c391257eb396559
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: DB012972100148BBDF125E99CC42EEB3B6DFF48764F044014FE48A6121D732E9A1DBA1

Function 00823073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,007F13C6,00000000,00000000,?,0082301A,007F13C6,00000000,00000000,00000000,?,0082328B,00000006,FlsSetValue), ref: 008230A5
GetLastError.KERNEL32(?,0082301A,007F13C6,00000000,00000000,00000000,?,0082328B,00000006,FlsSetValue,00892290,FlsSetValue,00000000,00000364,?,00822E46), ref: 008230B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0082301A,007F13C6,00000000,00000000,00000000,?,0082328B,00000006,FlsSetValue,00892290,FlsSetValue,00000000), ref: 008230BF

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 31c2ab3e361022b8473eef741a0a884d8047b7ed1e7471c2d04cca9767b00be3
Instruction ID: 6096cdec3a17194a87ee1bbf0863024c559da65107b0065e7de67be9e5aab942
Opcode Fuzzy Hash: 31c2ab3e361022b8473eef741a0a884d8047b7ed1e7471c2d04cca9767b00be3
Instruction Fuzzy Hash: D801D432711A36ABCB214A78BC54A577B98FF05BA5B200624F905E3280CB35D981C7F0

Function 00857464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0085747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00857497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 008574AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 008574CA

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 5056a6ec4e6c76ded19419940cfde353fdcf141232858768f40f614425ef1654
Instruction ID: d0013eb24add23d79c032bf9e10e214b1ad3fef112083c3f661ea602f7d2d4f2
Opcode Fuzzy Hash: 5056a6ec4e6c76ded19419940cfde353fdcf141232858768f40f614425ef1654
Instruction Fuzzy Hash: 3511ADB5205315ABE7208F28EC08F927BFCFB00B05F10C569EE16D6191D7B0E948DBA5

Function 0085B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0085ACD3,?,00008000), ref: 0085B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0085ACD3,?,00008000), ref: 0085B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0085ACD3,?,00008000), ref: 0085B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0085ACD3,?,00008000), ref: 0085B126

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: badffd3aabe2dfc7f5aa22e48cb1343859db750f9f5a9151302e776a651bfb60
Instruction ID: 619c1b917ffe8369cd6f8e6c4d8b30847c0b469e84e9be486b8e9b7bb8313bec
Opcode Fuzzy Hash: badffd3aabe2dfc7f5aa22e48cb1343859db750f9f5a9151302e776a651bfb60
Instruction Fuzzy Hash: BB115B31C0192DEBCF00AFE9E9986EEBF78FF19712F114485D941B2285DB3056548B61

Function 00887E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00887E33
ScreenToClient.USER32(?,?), ref: 00887E4B
ScreenToClient.USER32(?,?), ref: 00887E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00887E8A

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: a4c34ef5131020e64cf1432ea5840fc36747c23919c12a21ed887a61ad5f99e1
Instruction ID: dec3c07b3809762d5f1b821c6848a3ed566bfc3f00c57df5940e2aaf3f66f8d5
Opcode Fuzzy Hash: a4c34ef5131020e64cf1432ea5840fc36747c23919c12a21ed887a61ad5f99e1
Instruction Fuzzy Hash: 991156B9D0020AAFDB41DF98C884AEEBBF5FF18310F505066E925E3214D735AA54CF60

Function 00852DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00852DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00852DD6
GetCurrentThreadId.KERNEL32 ref: 00852DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00852DE4

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: f50714f719f7b725280faa426afeef1050881cc0b3350d7c6bc470a22a9e80c4
Instruction ID: 4ed35181dae472801e271425135b136283147462f2d22bff5bd984085ced93b6
Opcode Fuzzy Hash: f50714f719f7b725280faa426afeef1050881cc0b3350d7c6bc470a22a9e80c4
Instruction Fuzzy Hash: 9BE06DB11012287AD7205B66AC0DEEB3E6CFB53BA2F000229B906D1080AAA48844C7B0

Function 00888863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00809639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00809693
Part of subcall function 00809639: SelectObject.GDI32(?,00000000), ref: 008096A2
Part of subcall function 00809639: BeginPath.GDI32(?), ref: 008096B9
Part of subcall function 00809639: SelectObject.GDI32(?,00000000), ref: 008096E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00888887
LineTo.GDI32(?,?,?), ref: 00888894
EndPath.GDI32(?), ref: 008888A4
StrokePath.GDI32(?), ref: 008888B2

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 922d8fa1e05d163b4840b25d278de5e1e1e19cbdc2673088420e8154c9814124
Instruction ID: 7610e867d27ac3179bbe5cbf1a5f52e6bc6509dd108e8232c416f148f2aec70e
Opcode Fuzzy Hash: 922d8fa1e05d163b4840b25d278de5e1e1e19cbdc2673088420e8154c9814124
Instruction Fuzzy Hash: 1CF03436041658FAEB126F98AC0EFCA3E69BF06310F848000FA11A50E2C7B55521CBAA

Function 008098B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008098CC
SetTextColor.GDI32(?,?), ref: 008098D6
SetBkMode.GDI32(?,00000001), ref: 008098E9
GetStockObject.GDI32(00000005), ref: 008098F1

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 27e6e0a1fd725e519f47a9d5e098338c9c621fdd560a1b767d7425b424dc1df0
Instruction ID: 1ff9e8b707b811687710ac56f79f994dbadb4fdec4cc5eb78127dfeeec1f5707
Opcode Fuzzy Hash: 27e6e0a1fd725e519f47a9d5e098338c9c621fdd560a1b767d7425b424dc1df0
Instruction Fuzzy Hash: DCE06D31244284AEDB215B78BC0DBE83F20FB12336F04821AF6FA980E5C37146409B20

Function 0085162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00851634
OpenThreadToken.ADVAPI32(00000000,?,?,?,008511D9), ref: 0085163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,008511D9), ref: 00851648
OpenProcessToken.ADVAPI32(00000000,?,?,?,008511D9), ref: 0085164F

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: e04ab0cd1d0351891dee8661c4795ee0d22a7dafa2b825ff8d8b1929ab45d433
Instruction ID: a86eda1931afeeadf7977f5b1bbe3193460bee13eb214488de62e8bba20e52a0
Opcode Fuzzy Hash: e04ab0cd1d0351891dee8661c4795ee0d22a7dafa2b825ff8d8b1929ab45d433
Instruction Fuzzy Hash: 81E04632602212ABDB201BB9AE0DB863BA8FF55792F158808F645C9084E63484458B60

Function 0084D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0084D858
GetDC.USER32(00000000), ref: 0084D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0084D882
ReleaseDC.USER32(?), ref: 0084D8A3

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 87a22f5463722cd711e4f867085956150c30ee31cbe74573d8d5a810fb952b4e
Instruction ID: 07b68a80c62bf07d14058e3a7c733d6b3f5150bb0c914c4760eaea160ebf24df
Opcode Fuzzy Hash: 87a22f5463722cd711e4f867085956150c30ee31cbe74573d8d5a810fb952b4e
Instruction Fuzzy Hash: 2EE01AB5800209DFCB419FB4DD0C66DFBB1FB18310F149429E906E7254D7384901AF60

Function 0084D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0084D86C
GetDC.USER32(00000000), ref: 0084D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0084D882
ReleaseDC.USER32(?), ref: 0084D8A3

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: c7d63efcaf0119fc1ba7937641cab6caec79a39b9e8161adc6c3d8c4ae77c86c
Instruction ID: 9c9464482f4655e50d738e892619ae5f5bd29f46edce43d75e382f4c84cdd890
Opcode Fuzzy Hash: c7d63efcaf0119fc1ba7937641cab6caec79a39b9e8161adc6c3d8c4ae77c86c
Instruction Fuzzy Hash: F2E012B5800209EFCB41AFB8E80C66DBBB1FB18310B149018E90AE7254DB385901AF60

Function 00864D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 007F7620: _wcslen.LIBCMT ref: 007F7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00864ED4

Strings

LPT, xrefs: 00864DFB
*, xrefs: 00864E10

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: e28f8088ff559787a461d24974fca28630d50b957e16385dbc835df338b5b1b2
Instruction ID: ea586c1cf8e3548b3c526a7f4945aa47c4fbb394df8f0e970080b198a05b7a55
Opcode Fuzzy Hash: e28f8088ff559787a461d24974fca28630d50b957e16385dbc835df338b5b1b2
Instruction Fuzzy Hash: 10912B75A002089FCB14DF58C484EADBBF1FF44318F199099E50A9B3A2DB75ED85CB91

Function 0080E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0080E1B1

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 5d85ce9d191c68e9a2f4b3f74d8cf40b0a9d3ee25ede91ed7a36186920cd4a7c
Instruction ID: aac7f887244c04b7109714a83a720a362cfb5f72c6efaf9a34048bf518af0c51
Opcode Fuzzy Hash: 5d85ce9d191c68e9a2f4b3f74d8cf40b0a9d3ee25ede91ed7a36186920cd4a7c
Instruction Fuzzy Hash: 7051223550124EDFDF15DF28C885ABA7BA8FF15324F244469F891DB2D0DA349D42CBA0

Function 0080F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0080F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0080F2BB

Strings

@, xrefs: 0080F2AF

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: fe9467af365d5da6c865e9efd18bff35dd70b5026be454d4369e94a7c0beda2f
Instruction ID: 9b832f6c82e0a78e6b972a015e5845cb4c0fc45fa15fce5af7469fe5f39db6ef
Opcode Fuzzy Hash: fe9467af365d5da6c865e9efd18bff35dd70b5026be454d4369e94a7c0beda2f
Instruction Fuzzy Hash: 50512972418749DBD320AF14DC8ABABB7F8FF85300F81885DF29941195EB748929CB67

Function 00875745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 008757E0
_wcslen.LIBCMT ref: 008757EC

Strings

CALLARGARRAY, xrefs: 008757E6, 008757EB

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: cfb2d3cf1d1e6ab37b84fc2907ba28059331b879ea18e532e31a242e8dd0693d
Instruction ID: 34052a9e499ccfaf158f08e3512eac30f173f63936dab254f842b11e860e25c9
Opcode Fuzzy Hash: cfb2d3cf1d1e6ab37b84fc2907ba28059331b879ea18e532e31a242e8dd0693d
Instruction Fuzzy Hash: 1341BF31A002099FCB14DFA9C8859BEBBB5FF59324F148029E509E7395E770DD81CBA1

Function 0086D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0086D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0086D13A

Strings

|, xrefs: 0086D10B

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 1eb1afb5205950d5854fc698ddebf251c0bf89f28323445ead4745b6cd623a02
Instruction ID: 5bc404ba6113fe82f584f1cc702e0b0386f9547b0f432bc86f63d11013d25b84
Opcode Fuzzy Hash: 1eb1afb5205950d5854fc698ddebf251c0bf89f28323445ead4745b6cd623a02
Instruction Fuzzy Hash: D4313D71D00209EBCF15EFA5CC85AEEBFB9FF05340F000019F915A6266E775AA56CB60

Function 0088356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00883621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0088365C

Strings

static, xrefs: 008835BC

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: af3a1a905a82a18f3b7313d309ec2293660e0fcc9c528b0b03a4b97118c02008
Instruction ID: 1737c58bdc82824254cdff12ba7006b3971c59657c2bf42d765c0c16336be74c
Opcode Fuzzy Hash: af3a1a905a82a18f3b7313d309ec2293660e0fcc9c528b0b03a4b97118c02008
Instruction Fuzzy Hash: 11319E71110608AEDB10EF28DC80EFB73A9FF98B24F109619F9A5D7280DB34AD91D760

Function 00884537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0088461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00884634

Strings

', xrefs: 0088458E

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: ee3d6d0f65c9d5737a963e3ca9570a563eb3a280b3dc2a31c44f7b0b560d6961
Instruction ID: e4c182045d20d7bae2bed48b0108a064a3581462d953f31412b0483e9a1c4f54
Opcode Fuzzy Hash: ee3d6d0f65c9d5737a963e3ca9570a563eb3a280b3dc2a31c44f7b0b560d6961
Instruction Fuzzy Hash: 913116B5A0030A9FDB14DFA9C980BDABBB5FF19300F10506AE904EB341E770A941CF90

Function 008831EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0088327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00883287

Strings

Combobox, xrefs: 00883249

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: b00c2b6b536d6e0323f4926f7f3b990195288ffc5a7bee5ef07fc7f755372e57
Instruction ID: 8fa355de8fd6b8ac0f7a4982766d6d9891c4b3d9451f72aa640e4bd658d5fea0
Opcode Fuzzy Hash: b00c2b6b536d6e0323f4926f7f3b990195288ffc5a7bee5ef07fc7f755372e57
Instruction Fuzzy Hash: 3311B271300208BFEF21AE54DC84EBB376AFB94765F104128F918D7291D7759D518760

Function 00883710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 007F600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 007F604C
Part of subcall function 007F600E: GetStockObject.GDI32(00000011), ref: 007F6060
Part of subcall function 007F600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 007F606A

GetWindowRect.USER32(00000000,?), ref: 0088377A
GetSysColor.USER32(00000012), ref: 00883794

Strings

static, xrefs: 00883757

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 7b09b4ae5da108daae9aae6e99e032eaee8303dfedee349c3aff6b49a768c1f7
Instruction ID: ef21b30da5a1bc77eaaff6a805b6467db0bf8e307c8fbf41333d4cfadfee282c
Opcode Fuzzy Hash: 7b09b4ae5da108daae9aae6e99e032eaee8303dfedee349c3aff6b49a768c1f7
Instruction Fuzzy Hash: 8B1129B2610209AFDF00EFA8CC45EFA7BB8FF08714F004525F955E2250E735E8519B60

Function 0086CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0086CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0086CDA6

Strings

<local>, xrefs: 0086CD66

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 7c193e62022a2d9b879d89f0a59523567562bba985993886ba6a5a064b9def40
Instruction ID: 242830c6a5490ecefd3da321b70066efe8f630052d472d9b7fcf081c0fde4e04
Opcode Fuzzy Hash: 7c193e62022a2d9b879d89f0a59523567562bba985993886ba6a5a064b9def40
Instruction Fuzzy Hash: A811C271205635BAD7385BA68C49EF7BEACFF127A8F01422AB189C3180D7749844D6F0

Function 00883429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 008834AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 008834BA

Strings

edit, xrefs: 0088348F

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 882ef1f8e55e0bf5599a9b94e8a08eae945ef703e8fbe632fc90b71886edf653
Instruction ID: e871b0e1aaeeab32fcb2057ad4441e6acdf919b980eb45651f1d1836c9a32766
Opcode Fuzzy Hash: 882ef1f8e55e0bf5599a9b94e8a08eae945ef703e8fbe632fc90b71886edf653
Instruction Fuzzy Hash: E3119D71100108AAEF11AE68DC44EBA376AFF25B78F504324F961D31D4C775ED519768

Function 00856C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 007F9CB3: _wcslen.LIBCMT ref: 007F9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00856CB6
_wcslen.LIBCMT ref: 00856CC2

Strings

STOP, xrefs: 00856CBC, 00856CC1

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 1f6dedc3e51f15348b45f86e81d4f34c51fe04cff9e2a62c9d1f382d8e3c5ff4
Instruction ID: 15560a2c06e62f352af8c4a87bd1ba708a289ca174f7d6aaa82792d6f575ac0d
Opcode Fuzzy Hash: 1f6dedc3e51f15348b45f86e81d4f34c51fe04cff9e2a62c9d1f382d8e3c5ff4
Instruction Fuzzy Hash: C9010832A0052A8ACB219FBDDC809BF77B4FF607117800924ED52D7290FA31DC18C650

Function 00851CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007F9CB3: _wcslen.LIBCMT ref: 007F9CBD

Part of subcall function 00853CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00853CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00851D4C

Strings

ComboBox, xrefs: 00851CEB
ListBox, xrefs: 00851D16

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 98d9e9e42fc76a535caed6b0dc66363c02da9867a0dd662ffafbec84ed9eda05
Instruction ID: a397deeafe17d2b0ce5d2321b1fdd254a1d205e061c14bd76d881082a5321104
Opcode Fuzzy Hash: 98d9e9e42fc76a535caed6b0dc66363c02da9867a0dd662ffafbec84ed9eda05
Instruction Fuzzy Hash: 4401B575601218AB8F04EFA4CC59AFE7778FB56390B440519FD32E73D1EA35590CC660

Function 00851BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007F9CB3: _wcslen.LIBCMT ref: 007F9CBD

Part of subcall function 00853CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00853CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00851C46

Strings

ComboBox, xrefs: 00851BE5
ListBox, xrefs: 00851C10

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 0fd4c55310953c98644795e044436b8721de4e35f56390f700acb33d4e209b5d
Instruction ID: ef37cf6cc3e1bd1e136ffe1e1a1d23f8617009b4ab4f282bb4bfec502b835b29
Opcode Fuzzy Hash: 0fd4c55310953c98644795e044436b8721de4e35f56390f700acb33d4e209b5d
Instruction Fuzzy Hash: 03016775681108A6CF14EBA4C959BFF77A8FF15381F140019EE16F7381EA259E0CD6B1

Function 00851C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007F9CB3: _wcslen.LIBCMT ref: 007F9CBD

Part of subcall function 00853CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00853CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00851CC8

Strings

ComboBox, xrefs: 00851C69
ListBox, xrefs: 00851C94

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 2abc60e30966918f01ac80cced5ed514f2023b4829785ae7e69e8a6559f76a4e
Instruction ID: 84ba72159855204ed2034d4bbd321d966f624421f471cb8e1fad610ced1fc7da
Opcode Fuzzy Hash: 2abc60e30966918f01ac80cced5ed514f2023b4829785ae7e69e8a6559f76a4e
Instruction Fuzzy Hash: 87016275681118A6CF14EBA5CA19BFE77A8FB11381B540015BD12F3381EA669F0CC672

Function 00851D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007F9CB3: _wcslen.LIBCMT ref: 007F9CBD

Part of subcall function 00853CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00853CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00851DD3

Strings

ComboBox, xrefs: 00851D75
ListBox, xrefs: 00851DA0

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: eb216f73e366a177545b8e63573e0f338ecfd96f9220a3e3ebe0174a1b1f8b1c
Instruction ID: eac1247ec5bac25d9a58f40443805adbc6fd3d26cbd713e36d9121360d18dce0
Opcode Fuzzy Hash: eb216f73e366a177545b8e63573e0f338ecfd96f9220a3e3ebe0174a1b1f8b1c
Instruction Fuzzy Hash: 68F0A471A4121CA6DB04EBA8CC5ABFE7778FB01395F040919FE22E33C1EA74590C8271

Function 0087747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00877493
_wcslen.LIBCMT ref: 008774B9

Strings

3, 3, 16, 1, xrefs: 00877483

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: a0d0ab9174f11b63c0b8c8e9caf1925d72c36c7a2d6e64c7797ed3e093dd0090
Instruction ID: 01ea6ce1ef53da4954770919cca8805d333075205062985981715cb04f6882b1
Opcode Fuzzy Hash: a0d0ab9174f11b63c0b8c8e9caf1925d72c36c7a2d6e64c7797ed3e093dd0090
Instruction Fuzzy Hash: 7FE02B02204320109231127EACC19BF5ACDFFC9750714282BF989C237EEA94CDD1D3A6

Function 00850B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00850B23

Strings

AutoIt, xrefs: 00850B17
Error allocating memory., xrefs: 00850B1C

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: d56c380e1c2fc240ecfd7d2f86b8fcc850f78ab839fc44eb919c20b3405e67a0
Instruction ID: f54817c7b64f4a8f5c63581d5476a24036c737218e93c6cf73b62384904af051
Opcode Fuzzy Hash: d56c380e1c2fc240ecfd7d2f86b8fcc850f78ab839fc44eb919c20b3405e67a0
Instruction Fuzzy Hash: 7BE0D8312443082AD22037987C03FC97A84FF05B61F104466FBA8D96C38BF1249007FA

Function 00810D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0080F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00810D71,?,?,?,007F100A), ref: 0080F7CE

IsDebuggerPresent.KERNEL32(?,?,?,007F100A), ref: 00810D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,007F100A), ref: 00810D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00810D7F

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: e21e6ab492ec79173fb1ae4f7970fb96bd29fe936b0b92c47cab188196241f71
Instruction ID: 1aead0d23c77495e52d104d45b075747418c9f8c9dd12d51977b84a5028d5600
Opcode Fuzzy Hash: e21e6ab492ec79173fb1ae4f7970fb96bd29fe936b0b92c47cab188196241f71
Instruction Fuzzy Hash: 42E0C0B42007518BD7609FBCE8446567BE4FF04744F004A2DE595C6756DBB5E4848BA2

Function 00863017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0086302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00863044

Strings

aut, xrefs: 00863038

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 0ac2a20b41d99551010e28e77a73e48a93ab8815f4d711741c81e7e09bd5481a
Instruction ID: ee83fccd7c0ac80ed323d60a59257342b2b91496b87d425756380cedfe0b33d3
Opcode Fuzzy Hash: 0ac2a20b41d99551010e28e77a73e48a93ab8815f4d711741c81e7e09bd5481a
Instruction Fuzzy Hash: B7D05E7254032867DA20A7A8AC0EFCB3B6CEB04750F0002A1B655E21D5EBB49984CBE0

Function 0084D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0084D220

Strings

X64, xrefs: 0084D2A8
%.3d, xrefs: 0084D22B

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: bd3ba27dc7306d2f6206e2654dfd1abdc7be4c1c7e30ec4168911664d44b6ceb
Instruction ID: 6d2beafd851b1560f247ef14fa6042412c3cb2af693ca8de8dca6b2f968eeec7
Opcode Fuzzy Hash: bd3ba27dc7306d2f6206e2654dfd1abdc7be4c1c7e30ec4168911664d44b6ceb
Instruction Fuzzy Hash: 62D0127180832DEACBD096D4CC498B9B3BCFB08305F908452F906D1181D674E5086B61

Function 00882322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0088232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0088233F

Part of subcall function 0085E97B: Sleep.KERNELBASE ref: 0085E9F3

Strings

Shell_TrayWnd, xrefs: 00882325

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 09c224e36b76609d438ed9656961f63ee7db995cdbbacf9d56741819991ea142
Instruction ID: eeb96cc6ab77fccb82757bd9af52dda79b2001e44dbbec4eca50142744b51f12
Opcode Fuzzy Hash: 09c224e36b76609d438ed9656961f63ee7db995cdbbacf9d56741819991ea142
Instruction Fuzzy Hash: 5DD0A932380300B6E6A8A7349C0FFC66A04BB00B00F004A167605EA2D4D8B4A80A8B24

Function 00882356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0088236C
PostMessageW.USER32(00000000), ref: 00882373

Part of subcall function 0085E97B: Sleep.KERNELBASE ref: 0085E9F3

Strings

Shell_TrayWnd, xrefs: 00882365

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 2d6f7499a0f4eb0d617574431f74c6d490618c58ab2a6f66ea4e7b1a761ccf0c
Instruction ID: d70a1e2440abaddf6b5f008d5561a5f815bedcbec42aa6fb92ec5056fe213c32
Opcode Fuzzy Hash: 2d6f7499a0f4eb0d617574431f74c6d490618c58ab2a6f66ea4e7b1a761ccf0c
Instruction Fuzzy Hash: 59D0A9323C03007AE6A8A7349C0FFC66A04BB00B00F004A167601EA2D4D8B4A80A8B28

Function 0082BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0082BE93
GetLastError.KERNEL32 ref: 0082BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0082BEFC

Memory Dump Source

Source File: 00000000.00000002.2173534870.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.2173518076.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173588528.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630898.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173646398.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 866e807e97f00d13cd17c595fc94a7b6718cc4b9b3daff4c8b82e9f5883250e8
Instruction ID: a7c099ef020750b6a203739bcb3f603a430bea66324746268d8eb1d9c93b8486
Opcode Fuzzy Hash: 866e807e97f00d13cd17c595fc94a7b6718cc4b9b3daff4c8b82e9f5883250e8
Instruction Fuzzy Hash: AE412A35602226AFCF218F69ED44ABA7BA5FF41320F154169F959D72A1DF308C80CB61

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183

Source: global traffic	HTTP traffic detected: GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1Host: www.youtube.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=-1076236206&timestamp=1727887047473 HTTP/1.1Host: accounts.youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.134"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.134"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=518=dddHZ_8otViNTC9cwCdQoA03ag_r032DFATbGGnfxyA0n90en5a8yr3p2Z6ARL2A1nvrYS8Z2xMHo2j50qWfBOMYMnmbq8xXD-1Bln6F_56LTxPJOgjRXCi4k0zrCAta0kTTnGfaRd1HOW8CUx-xPB1g03yc6SIYr0L_6L5W2KfWFcxLE1o
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=3UKllD2MVWroSBo&MD=GLuuM2Nd HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=3UKllD2MVWroSBo&MD=GLuuM2Nd HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 83

Chrome Cache Entry: 84

Chrome Cache Entry: 85

Chrome Cache Entry: 86

Chrome Cache Entry: 87

Chrome Cache Entry: 88

Chrome Cache Entry: 89

Chrome Cache Entry: 90

Chrome Cache Entry: 91

Chrome Cache Entry: 92

Chrome Cache Entry: 93

Chrome Cache Entry: 94

Chrome Cache Entry: 95

Chrome Cache Entry: 96

Chrome Cache Entry: 97

Static File Info

General

File Icon

Windows Analysis Report
file.exe

Function 0080F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130
keyboardthreadwindowCOMMON

Function 007F42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 007F42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00832BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 0087AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Function 007F2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 0083065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 007F344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre